HIPAA Privacy Facts for Medical Offices

There has been some confusion about when and how to share patient information. I thought it might be a good time to review some of the facts from the HIPAA Privacy and Security Rules.

Here are some highlights:

  1. The Privacy Rule does not require a signed consent form before information is shared for treatment.
  2. Medical providers may use and disclose PHI for treatment, payment, and health care operations without a signed patient authorization.
  3. The Privacy Rule permits communication with patients, providers, and others by e-mail, telephone, or fax, provided reasonable safeguards are in place to protect patient privacy. Your risk analysis should already have identified how PHI flows into and out of your network; use that data-flow inventory to decide which safeguards are reasonable and appropriate for each channel (for example, confirming a fax number before sending, or encrypting e-mail that leaves your network).
  4. Medical providers may use remote communication technologies to provide telehealth services, including audio-only services, as long as they do so in compliance with the HIPAA Privacy Rule.
  5. HIPAA requires reasonable safeguards to protect the privacy of protected health information (PHI) from impermissible uses or disclosures. This applies to telehealth sessions just as it does to in-office visits.
  6. Medical providers may offer audio-only telehealth services using remote communication technologies consistent with the requirements of the HIPAA Rules, regardless of whether any health plan covers or pays for those services.
  7. The HIPAA Security Rule does not apply to audio-only telehealth that a covered entity provides over a standard telephone line, because the information transmitted is not electronic. Keep in mind that traditional landlines are being replaced by Voice over Internet Protocol (VoIP) and mobile technologies that carry calls over the Internet, cellular networks, and Wi-Fi. A telephone system that transmits ePHI is in scope for the Security Rule: it must be included in your risk analysis and covered by the same administrative, physical, and technical safeguards as the rest of your systems.
  8. Medical providers must enter into a business associate agreement (BAA) with a telecommunication service provider (TSP) only when the vendor is acting as a business associate.
  9. If you use a telephone to communicate with patients, a BAA is not required with a TSP that has only transient access to the PHI it transmits, because the vendor is acting merely as a conduit for the PHI. The conduit exception is narrow: if the vendor also records, stores, or transcribes calls or voicemail on your behalf, it is creating or maintaining PHI for you, is a business associate, and a BAA is required.
  10. The Privacy Rule does not cut off all communication between medical providers and the families and friends of patients. If the patient does not object, you may:
    • share needed information with family, friends, or anyone else the patient identifies as involved in their care.
    • disclose information when needed to notify a family member or anyone responsible for the patient's care about the patient's location or general condition.
    • share the appropriate information for these purposes even when the patient is incapacitated, if doing so is in the patient's best interest.
  11. Medical providers may report child abuse or neglect to the appropriate government authorities.
  12. The patient's right of access is another area that has confused medical practices. You may require access requests in writing, but only if you have told patients of that requirement, and you may not require a patient to come to the office to complete the request if doing so would cause a hardship or if they do not have access to e-mail or a fax machine. You must still verify that the person making the request has the right to receive the information. You can do this by asking verification questions that only the patient (or their personal representative) could answer and/or by calling them back at the telephone number you have on file, not at a number supplied in the request itself.

If there are other areas that you have questions about please do not hesitate to contact us!


“Simplifying HIPAA through Automation, Education, and Support”

©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy