HIPAA Privacy Facts for Medical Offices

There has been some confusion about when and how to share patient information. I thought it might be a good time to review some of the facts from the HIPAA Privacy and Security Rules.

Here are some highlights:

  1. The Privacy Rule does not require a signed consent form before sharing information for treatment.
  2. Medical providers can share information for treatment purposes without a signed patient authorization.
  3. The Privacy Rule permits communication with patients, providers, and others by e-mail, telephone, or facsimile, with the implementation of safeguards to protect patient privacy. During your risk analysis you will have discovered how data flows in and out of your network so you can apply reasonable and appropriate safeguards.
  4. Medical providers may use remote communication technologies to provide telehealth services, including audio-only services, in compliance with the HIPAA Privacy Rule.
  5. HIPAA requires reasonable safeguards to protect the privacy of protected health information (PHI) from impermissible uses or disclosures, including when providing telehealth services.
  6. Medical providers may offer audio-only telehealth services using remote communication technologies consistent with the requirements of the HIPAA Rules, regardless of whether any health plan covers or pays for those services.
  7. The HIPAA Security Rule does not apply to audio-only telehealth services provided by a covered entity that is using a standard telephone line. Keep in mind traditional landlines are being replaced with Voice over Internet Protocol (VoIP) and mobile technologies that use the Internet, cellular, and Wi-Fi. Medical providers using telephone systems that transmit ePHI need to apply the HIPAA Security Rule safeguards to those technologies.
  8. Medical providers must enter into a business associate agreement (BAA) with a telecommunication service provider (TSP) only when the vendor is acting as a business associate.
  9. If using a telephone to communicate with patients, a BAA is not required with a TSP that has only transient access to the PHI it transmits, because the vendor is acting merely as a conduit for the PHI.
  10. The Privacy Rule does not cut off all communications between medical providers and the families and friends of patients. If the patient does not object, you may:
    • share needed information with family, friends, or anyone else a patient identifies as involved in his/her care.
    • disclose information when needed to notify a family member or anyone responsible for the patient’s care about the patient’s location or general condition.
    • share the appropriate information for these purposes even when the patient is incapacitated if doing so is in the best interest of the patient.
  11. Medical providers may report child abuse or neglect to appropriate government authorities.
  12. Patient right of access is another area that has been confusing for medical practices. When possible, you should obtain the request for medical records in writing. However, you may not require a patient to come to the office to complete the authorization if it would cause a hardship, or if they do not have access to email or a fax machine. You must still verify that the person requesting the information has the right to do so. You may do this by asking verification questions and/or calling them back at the number you have on file.

If there are other areas that you have questions about please do not hesitate to contact us!

“Simplifying HIPAA through Automation, Education, and Support”

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that clients who understand why and what needs to be done to protect their practice have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations on how to minimize the risks of data breaches. HIPAA compliance is not optional; every organization that comes in contact with protected health information must have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws, and a state's Attorney General may also investigate privacy violations!
