HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a large federal law that is intended to help patients in many ways. HIPAA's main effect on workers is to require you to follow rules that protect the security and privacy of patients' health information.
UW Health is committed to promoting awareness of HIPAA. This site has been established to answer practical questions for all UW Health employees, students and volunteers - i.e., all "workers." Whether you work for UW Hospital and Clinics, UW Medical Foundation, the UW Medical School, or any other UW affiliate, these pages will explain why HIPAA is important, and the general information you must know.
Can I release PHI related to a worker’s compensation claim?
All requests for manual, electronic, or faxed copies of PHI for worker’s compensation purposes must be directed to HIM Release of Information because specific state laws govern release of those records. Responding to verbal requests for PHI related to worker’s compensation cases is permitted if the following are observed: (1) measures are taken to verify the identity and authority of the person making the request; and (2) the disclosure is limited to PHI that is related to the injury claimed. For more information, see Policy 4.10 Release of Information for Worker’s Compensation Purposes.
Can I speak to or release paper, electronic, or faxed copies of PHI to a patient’s physician, home health agency, other hospital, nursing home, clinic, community agency, assisted living centers or other health care providers without written patient authorization?
Yes. Both HIPAA and Wisconsin state law permit the exchange of information between health care providers for treatment purposes without the patient’s written authorization. However, releases or disclosures of paper, electronic, or faxed copies of PHI require documentation for tracking purposes. You may track such disclosures utilizing UWHC’s Accounting of Disclosures Form. Although written authorization is not required for these types of disclosures, you still may choose to obtain their written authorization using UWHC’s Authorization for Release of Medical Information Form. Completing this form will also suffice for tracking purposes. Specific documents released must be noted on either form. Once completed, these forms should be sent to the HIM Department to be scanned into the patient’s medical record. For more information, see UWHC policies 4.13 Using and Disclosing (or Releasing) Protected Health Information and 6.23 Accounting for Protected Health Information Disclosures.
Can I verbally release or disclose PHI over the phone to the patient’s significant other, family member or friend? For example, can I discuss test results or treatment plans, or verify appointments, etc.?
In general, you should not discuss test results, treatment plans, etc. with anyone but the patient or the patient’s legally authorized representative unless you get the express verbal authorization from the patient or the patient has filled out the Authorization for Verbal Communication and/or to Leave Voice Mail Messages (pdf) form.
If the person is unknown to you, you should verify that the person requesting the information is the person to whom the patient gave permission. Verification can be accomplished by asking them to provide information about the patient (date of birth, address, age, and/or medical record number). For example, if someone calls and identifies herself as the daughter of a patient and wants information about her mother, you may give her information if the mother has given verbal permission, and you verify that the caller is the daughter by asking something to the effect of “for verification purposes, can you tell me your mother’s date of birth?”
If it is not possible or practical to get the patient’s permission to discuss the information, use your professional judgment and decide whether the patient would object to the disclosure. If making a disclosure without the patient’s permission, be sure to limit what information you provide. For more information, see UWHC Policy 4.13 Using and Disclosing (or Releasing) Protected Health Information.
Can we release copies of medical records to a patient/legally authorized representative who wants copies of their medical record?
We are permitted to release copies of documents out of the medical record to a patient or their legally authorized representative only after they complete and sign the Authorization for Release of Medical Information (pdf) form. Specific documents released must be noted on the authorization form. Please refer patients to HIM Release of Information for more information on how to obtain copies of their medical records. For more information, see UWHC policies 4.13 Using and Disclosing (or Releasing) Protected Health Information and 6.23 Accounting for Protected Health Information Disclosures.
Does it matter if the patient is a current patient of an agency/hospital etc. or if the agency/hospital is just considering taking the patient upon discharge from UWHC?
No. When we communicate with healthcare providers who are considering taking a patient, we are conveying treatment related information to another healthcare provider and do not need to obtain written authorization. However, as noted above, we need to track disclosures of paper, electronic, or faxed copies of PHI. For more information, see UWHC policies 4.13 Using and Disclosing (or Releasing) Protected Health Information and 6.23 Accounting for Protected Health Information Disclosures.
If a patient just wants copies of the labs that were taken that day, or a list of the medications that he is on, or copies of immunization records, do we need to get the patient to sign an authorization form?
No, information that is directly related and necessary to provide care may be given to a patient or his/her legally authorized representative without obtaining written authorization under the treatment, payment and operations exception. Examples of such information include, but are not limited to, lab values, prescriptions, immunization records, and medication lists. However, release of such information should be documented in the patient’s chart. For more information, see UWHC Policy 4.13 Using and Disclosing (or Releasing) Protected Health Information.
What does HIPAA mean?
HIPAA is the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA was enacted in part to maintain the privacy of patients' medical and personal information by creating national standards to protect individuals' medical records and other personal health information.
In short, HIPAA ensures you have control over your health information by setting boundaries on the use and release of these records. HIPAA establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information and generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
In accordance with this legal requirement, UW Health pledges to:
- Notify patients about their privacy rights and how their information can be used
- Continue implementing privacy procedures for its practice and hospital
- Train employees so that they understand and abide by the privacy procedures.
What does the term "Minimum necessary" mean in reference to HIPAA?
Another provision of the privacy rules states that access to health information must be limited to that which is minimally necessary to do the task at hand. This rule does not apply to a provider who discloses information for the purpose of treatment (e.g., a primary care physician reveals information to a referral specialist). It means, however, that UW Health must look at its electronic systems to limit information to certain groups of employees. A receptionist, for example, would not need access to a patient’s complete medical history.
What if a family member or friend from out of state calls the nurse’s station and wants to talk to the patient’s nurse or doctor? As the patient’s nurse or doctor, what kind of information can I give him?
Whenever possible, clinicians should either get the permission of the patient to talk to the person, or direct the call to the patient or the patient’s family member. Consider asking the patient to complete an Authorization for Verbal Communication and/or to Leave Voice Mail Messages (pdf) form. Measures must be taken to verify the identity and authority of the person requesting the information. Verification can be accomplished by asking them to provide information about the patient first (e.g., date of birth, age of patient, address, etc.). If it is not possible to get the permission of the patient or to direct the call to the patient’s room, staff may exercise professional judgment and determine whether the patient would agree that you could provide the information. However, you should provide limited information until you can obtain the patient’s permission. For more information, see Policy 4.13 Using and Disclosing (or Releasing) Protected Health Information.
What information is protected?
HIPAA mandates that all "individually identifiable health information" be "protected health information." It does not matter if the information is on paper, in electronic format or verbal – it must be kept confidential. This applies to all past, present or future physical or mental health care information.
"Individually identifiable information" is any information that could be used, alone or with other readily available information, to identify an individual (see below). UW Health could not, for example, call and leave a reminder on an answering machine that a particular person has a radiology appointment, because someone other than the patient may have access to the answering machine.
If a person’s individual health information is linked with any of the following unique identifiers relating to the patient or the patient’s relatives, employers or household members, it is considered "individually identifiable information" and is protected information:
- Address or parts of an address
- Birth date, hospital admission or discharge date, or other dates that are "directly related to an individual"
- Telephone or fax number
- E-mail address or URL
- Social Security number
- Medical record number
- Account number
- Health insurance plan ID number
- License or certificate number
- Driver’s license number or vehicle license plate
- Fingerprint, voiceprint, or other such identifier
- Photograph or image
- Any other unique identifying number, characteristic or code
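As an added illustration, not part of this page or of any UW Health system, the Python routine below scans a free-text note for several of the identifier categories listed above, reports which ones are present (so the note must be handled as PHI), and produces a redacted copy. The regular expressions and the 7-digit MRN format are assumptions for the example, and the sample notes are constructed.

```python
import re

# Illustrative patterns for some of the identifier categories listed above.
# The formats (e.g. a 7-digit MRN) are assumptions for this example, not UW Health's.
IDENTIFIER_PATTERNS = {
    "telephone or fax number": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "e-mail address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "social security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "medical record number": re.compile(r"\bMRN[:# ]*\d{7}\b", re.IGNORECASE),
    "date directly related to an individual": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "street address": re.compile(r"\b\d{1,5} [A-Z][a-z]+ (?:St|Ave|Rd|Blvd|Dr)\b"),
}


def find_identifiers(text: str) -> dict[str, list[str]]:
    """Return each identifier category found in the text with the matched values."""
    found = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[category] = matches
    return found


def is_individually_identifiable(text: str) -> bool:
    """Health information linked to any listed identifier is protected information."""
    return bool(find_identifiers(text))


def redact(text: str) -> str:
    """Replace every matched identifier with a bracketed category label."""
    for category, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{category.upper()}]", text)
    return text


# Constructed sample notes; no real patient data.
NOTE_WITH_IDENTIFIERS = (
    "Pt seen in oncology clinic on 03/14/2023, MRN 1234567. "
    "Call back at (608) 555-0134 re: chemo schedule."
)
NOTE_DEIDENTIFIED = "Pt seen in oncology clinic; chemo schedule discussed."

if __name__ == "__main__":
    for note in (NOTE_WITH_IDENTIFIERS, NOTE_DEIDENTIFIED):
        print(is_individually_identifiable(note), find_identifiers(note))
        print(redact(note))
```

A scanner like this only catches formatted identifiers; a name next to a clinic name (the chart-on-the-desk example later on this page) is still PHI even though no pattern fires.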
These rules apply not only to health plans and providers, but also to plan sponsors. Employers, associations and other health plan sponsors cannot access employee/patient health information unless they have written consent from the individual. Without consent, access is limited to basic or general information only.
What is an example of a HIPAA violation?
A patient’s chart is left on a desk in a public area in a clinic (e.g., the oncology or dermatology clinic). This is a breach of confidentiality because it links the patient’s name to health care information (patient is seeing an oncologist or a dermatologist).
In some cases, this may not matter to a particular patient, but in other cases it may. Whether it matters to the patient or not, it is still a breach of confidentiality and the HIPAA requirements.
What is the difference between releasing and disclosing patient information?
Releasing and disclosing patient information is the same thing - it means sharing, transferring, providing access or divulging PHI to any person or organization outside of UW Health-related entities, whether it be verbal, manual, electronic, or by fax. See UWHC Policy 4.13 Using and Disclosing (or Releasing) Protected Health Information for more information.
When am I required to verify a person or organization that requests PHI?
Any time you do not know or recognize a person or an organization requesting PHI, you must verify that they are the person they say they are, and that they have the authority to request the information. Verification of identity and authority can be accomplished by asking for one or more of the following:
- Photo ID or badge;
- Call back number;
- Verifying information about the patient (e.g., date of birth, date of injury, medical record number, etc.); or
- The request to be faxed using organizational letterhead.
For more information, see Policy 4.13 Using and Disclosing (or Releasing) Protected Health Information.
When do I need to use the Accounting of Disclosures form?
The Accounting of Disclosures (pdf) form should be completed whenever you disclose PHI to a person or organization for reasons not related to the patient’s treatment, payment for care or internal “health care operations”; or when the disclosure has not been authorized by the patient or his/her legally authorized representative using the Authorization for Release of Medical Information (pdf) form. Examples of disclosures that must be "accounted for" using this form include, but are not limited to, the following:
- Disclosures to outside surveyors (e.g., JCAHO, CMS, BQA)
- Disclosures to law enforcement officers
- Disclosures that are required by law (certain reports such as communicable diseases, child abuse)
- Disclosures to coroners
- Disclosures to funeral homes
For more information, see UWHC policies 4.13 Using and Disclosing (or Releasing) Protected Health Information and 6.23 Accounting for Protected Health Information Disclosures.
Where can we find information about the Notification of Privacy Practices (NPP)?
Please refer to the UWHC Patient Relations section of U-Connect.
Who does HIPAA affect?
HIPAA applies to "covered entities," defined by the act as:
- Health Plans – virtually every private or public, state or federal health insurer and health plan that provides or pays the cost of medical care, including HMOs, PPOs, most self-administered group plans, state plans, Medicare and Medicaid.
- Health Care Providers – institutions, such as hospitals, clinics, nursing homes and pharmacies; as well as individual providers, such as physicians, nurses, therapists and pharmacists; and any other provider of medical information or health services.
- Health Care Clearinghouses – organizations that process or help process health information for another covered entity, such as a billing service or a claim filing service.
In addition, HIPAA requires covered entities to identify their "business associates," defined as outside vendors that work on behalf of a covered entity and have access to personal health information. UW Health is required to have a written contract with all business associates (as defined by HIPAA) requiring those associates to also protect and keep confidential all patient health care information.
Who may receive medical information about a deceased patient?
General Medical Records: The deceased patient's personal representative, surviving spouse or surviving domestic partner (registered under Wisconsin law) may all receive information from the deceased patient's medical records. A "personal representative" is the executor (named by the patient in his/her will) or the administrator (appointed by the probate court) of the patient's estate. If there is no surviving spouse or registered domestic partner, then any adult member of the deceased patient's immediate family (i.e., adult children, parents, grandparents, siblings and spouses of those individuals) may receive information from the deceased patient's medical records.
Treatment Records (mental health, substance abuse, and developmental disabilities): Information from a deceased patient's treatment records may be shared with the executor, administrator or other court-appointed personal representative of the deceased patient's estate. If there is no personal representative, then the patient's surviving spouse may obtain information. If there is no surviving spouse, then any responsible member of the patient's family may obtain information. (Note that Wisconsin law does not give the registered domestic partner a right to obtain information.)
Verification of Status: UWHC staff should verify the status of the requestor to the patient before disclosing information from a deceased patient's medical or treatment records. This may be done by obtaining copies of the relevant legal documents (i.e., will naming the individual as executor of patient's estate, court order naming the individual as administrator of patient's estate, marriage certificate, registration of domestic partnership, birth certificate). In some situations, interactions with family will sufficiently verify the status of the spouse, registered domestic partner, children, etc.
Who should you refer a patient to if he or she has a complaint about HIPAA policies?
Patients may contact our Patient Relations Department at (608) 265-0400.