
Even though HIPAA has been around for many years, there are still a number of myths regarding the use of your protected health information (PHI) that your doctor shares with other providers. Several of these myths come from a simple misunderstanding regarding specific sections of the HIPAA regulations and how the regulations relate to you, the health care consumer. Below are the five most common HIPAA myths, and how HIPAA really affects you.
MYTH #1: Your doctor cannot share your PHI with anyone unless they have your authorization.
TRUTH: Your doctor can provide your PHI to a specialist without your written permission. In fact, most people expect that they do! HIPAA does not have a provision that requires you to give your authorization prior to your doctor sharing your confidential medical information with another provider. In simple terms, yes, your doctor can share information with another provider without your approval.
MYTH #2: Whiteboards and sign-in sheets are off-limits.
TRUTH: Some practices have found ways to abandon the use of whiteboards and sign-in sheets. However, these tools can still be used as long as the information on them does not include PHI. For example, you should not find your name and your diagnosis on the sign-in sheet. Also, the practice can keep the clipboard with the sign-in sheet behind the registration desk, and a whiteboard may only be placed where it is visible to the practice's staff. Such areas include a medication area or the area behind a nurse's station.
MYTH #3: A practice must store its patients' paper medical records in a locked cabinet.
TRUTH: It is not necessary for the doctor to lock up your paper medical records, but they do need to be protected in a secure area with limited access. Most medical records are kept together in a practice's office and are locked when the staff leaves in the evening. When you next go to the doctor, look for where the records are kept. If you do not find the medical records in a room by themselves, then you may find them behind the registration desk in stacked file drawers.
MYTH #4: A practice may not post photographs of patients.
TRUTH: Posting photographs of patients does not violate HIPAA if the photographs are posted for a real patient care or business reason. Therefore, if you send your doctor a photograph for Christmas, be prepared to see it posted on the wall, just as you would in a friend's house when you visit for the holiday. Just keep in mind that many doctors have stopped posting the photographs that they receive in the mail from patients.
MYTH #5: You must sign a notice of privacy practices (NPP) each time you visit your doctor's office or the hospital.
TRUTH: There is no HIPAA requirement that you be given an NPP on each visit and be asked to sign the document. The only time you need to receive and sign a new NPP is if your doctor or the hospital makes major changes to the NPP. Many doctors' offices and hospital offices are solving a business issue by giving you an NPP each time you use their services. This way they do not need to keep track of who they have given an NPP to. In other words, they are doing away with one level of record keeping.
Remember, HIPAA myths can strike any part of the healthcare environment. If you do not understand something, ask for an explanation or research it on the HIPAA section of the BCBSA FEP website.