The HIPAA Privacy Rule requires UWHC to protect patients’ health information and gives patients certain rights with respect to their information. HIPAA requires UWHC to keep all protected health information (PHI) confidential unless HIPAA provides an exception to the rule, such as for treatment, payment or operational purposes, or the patient gives permission.
If you have any questions about what HIPAA requires or are concerned that HIPAA may be being violated, do not hesitate to contact the UWHC Privacy Officer.
- HIPAA Applies to Protected Health Information
- Know Patients' Privacy Rights
- Know the Administrative Rules
- Know What Work Activities Do Not Require Patient Permission
- Know What Work Activities Require Patient Permission
- Make Sure Our Associates Are Following HIPAA Rules
- Privacy Considerations: Health Care Fundraising
- Safeguarding Patient Information at Work
- Take Common-Sense Steps (Safeguards) Around Patient Information
- Use or Disclose Only the Minimum Necessary Patient Information
- Using PHI and the Minimum Necessary Rule
Why do I need to know the HIPAA Privacy Rules?
Any worker could walk by a wastebasket with patients' documents inside, or could overhear patients talking about their health in a public area. If any of us read patient documents taken from a wastebasket, or told a friend what we overheard patients saying, then we would be violating patient privacy. Because any worker could violate patient privacy, the government requires all of us to learn HIPAA's privacy rules.
Take Common-Sense Steps (Safeguards) Around Patient Information
The first thing you must do is take common-sense steps to protect patient information in your work area. HIPAA says you must "safeguard" patient information in your work area, so others won't come into contact with it. If patients or others see information that is not protected, they can file a formal HIPAA complaint.
Here are some "safeguards" you should take to avoid HIPAA complaints:
- If you see a medical record in public view where patients or others can see it, cover the file, turn it over, or find another way to protect it.
- If you must talk about patients, try to lower your voice and prevent others from overhearing the conversation. Where possible, you should hold conversations about patients in private areas.
- When medical records are not in use, store them in offices, shelves, or filing cabinets. Lock these areas when possible, especially after business hours.
- Remove patient documents from faxes and copiers as soon as you can.
- When you throw away documents containing patient information, you should put the documents in confidential bins for shredding.
You should follow these safeguards as soon as possible. In the future, the government will issue HIPAA security rules that will tell you how to safeguard patient information kept on computers.
If you have questions about the safeguard requirement, please contact your supervisor or a HIPAA Privacy Officer.
Use or Disclose Only the Minimum Necessary Patient Information
If you use patient information, or disclose it to others outside the UW Health system, it's important you know about HIPAA's minimum necessary rule. Under the minimum necessary rule, you must ask yourself this: Am I using or disclosing more patient information than I need to do my job?
If you use or disclose more patient information than you need, then you have violated the minimum necessary rule. Here are some examples of how the minimum necessary rule affects workers.
Example 1: A custodian sees a patient's medical documents in a shredder bin.
- What is OK: It is fine for the custodian to pick up the documents and feed them in the shredder.
- What violates the minimum necessary: The custodian would violate the minimum necessary rule if the custodian picked up the documents and read them.
Example 2: A receptionist is asked to schedule an appointment for a patient, and the receptionist recognizes the patient is a neighbor.
- What is OK: The receptionist can open the patient's medical record and write the appointment time inside.
- What violates the minimum necessary: The receptionist cannot read the patient's (neighbor's) full medical history out of curiosity. Also, the receptionist cannot go home and disclose information about the patient to the receptionist's family.
You may find more complicated examples in your work duties. Please contact your supervisor or a HIPAA Privacy Officer if you have questions about the minimum necessary rule.
Know What Work Activities Require Patient Permission
HIPAA has specific rules for workers who deal with patient information all the time. One rule says that workers - especially clinical staff - must get patients' permission to do certain activities.
Work Activities That Require Written Permission (Authorization)
There are certain activities that workers cannot do with patient information, unless the patient signs a special HIPAA authorization form. Workers must get a patient's HIPAA authorization before doing the following activities:
- Many research activities
- Many marketing activities
- Many fundraising communications
- Making disclosures to patients' attorneys
If you perform these activities, you will need to get patient authorizations. However, some of you are currently getting signed forms for other activities as well, and this brings up an important point about HIPAA: HIPAA sets a minimum standard for patient privacy. If state law or UW Health's own policies require us to do more for patients, then we must do more. If you are already getting written permission for an activity, keep it up: HIPAA does not remove any of our current patient permission and signature rules.
Workers affected by HIPAA's written permission rules will receive additional training.
Work Activities That Require Spoken Permission (i.e., Patient Must be Given a Chance to Object)
There are certain activities that workers cannot do unless you get the patient's spoken permission. The patient must be given a chance to object to the activity, i.e., a chance to say yes or no.
- Disclosures to family members and close friends. Before we can tell a patient's family member or friend how the patient's treatment is going, we must ask the patient, and make sure the patient does not object.
- Disclosures in a facility directory. The UW Hospital can list an inpatient's name, room number, condition, and religion in a directory, so long as the patient is told about this, and does not object.
Please contact your supervisor or a HIPAA Privacy Officer if you have questions about the activities above that require permission (authorizations, or chance to object).
Know What Work Activities Don't Require Patient Permission
As just discussed, workers need to get patients' permission to do certain activities. However, there are many, many activities you can do with patient information that don't require permission.
Workers Don't Need Permission to Do Everyday Health Care Activities (Also Called "TPO")
Workers - especially clinical staff - should know HIPAA doesn't require patient permission for many everyday health care activities. HIPAA says that no patient permission is needed for you to perform the everyday functions of "Treatment," "Payment," and "health care Operations," which are together called "TPO."
- Treatment. You don't need permission to use or disclose patient information if you are treating a patient, or making arrangements to treat a patient.
- Payment. You don't need permission to use or disclose patient information if you are creating bills, or coordinating billing with patients, health insurance companies, and others.
- Health Care Operations. You don't need permission to use or disclose patient information if you are doing "operational" activities like training medical students, preventing fraud and abuse, meeting licensing and accreditation requirements, and reviewing how well clinical workers did their jobs (i.e., quality assurance).
HIPAA does not require permission for these everyday "TPO" activities. But once again, if you are already getting written permission for an activity - even a TPO activity - you must keep it up. Workers involved with TPO will receive additional HIPAA training.
Workers Don't Need Permission to Do Certain Activities that Benefit the Public
In addition to everyday/TPO activities, there are other activities workers can do without getting patients' permission. No patient permission is needed for the following activities, which all benefit the public.
- Public health activities, like arranging organ donations, reporting medical product defects, and reporting statistics like disease rates.
- Disclosures to authorities, like police or courts, when required by law.
- Disclosures for certain employment or workers' compensation purposes.
It is important for workers - especially clinical staff - to know that these activities don't require permission. Please contact your supervisor or a HIPAA Privacy Officer if you have questions about TPO activities or activities that benefit the public (i.e., activities that don't require patient permission).
Know Patients' Privacy Rights
HIPAA gives patients certain rights that workers must know and follow.
- The right to request alternative communications. Under HIPAA, patients can ask workers to contact them in a certain way. For example, a patient may ask a nurse, "Can you not call me at work, and leave a message on my voicemail instead?" If a patient's request is reasonable, UW Health providers must follow it.
- The right to look at (and make copies of) records. As under state law, HIPAA allows patients to ask to look at their medical and billing records, and to request copies.
- The right to ask for changes to medical and billing records. Patients can ask UW Health providers if their medical or billing records can be changed. If we decide the changes are appropriate, we may agree to do this.
- The right to get a list of certain disclosures. If a worker discloses patient information to outside persons or organizations, and that disclosure is the type that benefits the public (as defined earlier), the worker must record the disclosure on a list. Patients have the right to see this list, and get a copy of it.
- The right to request restrictions on how patient information is used and disclosed. Patients can ask UW Health providers to restrict the ways we use their patient information. However, we cannot guarantee to apply a restriction at all times because of the number, complexity, and nature of the services we deliver.
- The right to receive a Notice Form. UW Health providers must give a Notice of Privacy Practices form to every patient. The Notice Form describes our privacy practices and HIPAA privacy rules. Each patient is asked to sign a sheet acknowledging he or she received the Notice Form. Once a patient has been given a UW Health provider Notice Form, he or she does not need to be given a Notice Form again at any of the other UW Health provider locations.
A patient may ask workers - including yourself - about these rights. Please contact your supervisor or the UWHC Privacy Officer if you have questions about patient rights. Also see UWHC Policy 6.23: Accounting for Protected Health Information Disclosures.
Make Sure Our "Associates" Are Following HIPAA Rules
The next HIPAA rule tells you to make sure outsiders are following the rules you learned above. During your workday, you may run into outside businesses and individuals ("associates") who provide services to UW Health providers. Some of our associates need to see patient information in order to provide their services.
You may recognize these examples of associates who see patient information when performing services for us:
- Transcription agencies
- Collection agencies
- Attorneys hired to represent UW Health providers
- Vendor representatives who use patient information
UW Health providers are making our associates follow the same HIPAA rules that you've just learned to follow. If you have reason to believe an associate is not following the privacy rules, please notify your supervisor, or a HIPAA Privacy Officer.
Know the Administrative Rules
The last basic thing you should know about HIPAA is that it requires UW Health providers to follow several administrative rules.
- We must train workers. All workers must have HIPAA training, i.e., read discussions like this, and learn additional requirements when necessary.
- We must create policy and procedure forms. UW Health providers must make "policy and procedure" forms that describe the rules above in greater detail.
- We must accept patients' (and others') privacy complaints. Patients and others can make HIPAA complaints to UW Health providers, and to the government. The Notice Form will tell patients how and where to make complaints.
- We must correct workers' HIPAA violations. UW Health providers must correct rule violations. Workers' violations will usually be unintentional, so our usual response will be to educate workers about the rules. However, workers who violate the rules repeatedly or intentionally may face more serious consequences, ranging from an oral warning to termination. (This process will be similar to the processes we currently have for patient privacy violations.) By correcting workers' HIPAA violations, UW Health providers will better achieve our goal of protecting patient privacy. If UW Health providers do not fulfill our obligations to patient privacy and do not correct HIPAA violations, the federal government may penalize or fine our organizations.
- We must get Privacy Officers. HIPAA requires that UW Health providers appoint Privacy Officers, to help workers learn the privacy rules. Please feel free to contact the Privacy Officers at any time to learn more about HIPAA.