HIPAA Frequently Asked Questions
Protected Health Information (PHI)
Q: What is Protected Health Information (PHI)?
Protected Health Information (PHI) is all individually identifiable health information (18 identifiers) in any form or media, electronic or non-electronic, that is held or transmitted by a group health plan or provider, including oral communication. Individually identifiable health information is information, including demographic data, that relates to the past, present, or future physical or mental condition of an individual, the provision of health care to an individual, and that identifies an individual (or could reasonably be used to identify an individual). Some specific identifiers include the following:
• Names of individuals
• Dates – including birth date, admission date, and date of death
• Telephone numbers
• Fax numbers
• Social Security numbers
• Medical record number
• Health plan enrollee number
• Account numbers
• Certificate/license numbers
• Geographic units – all geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code
When may the plan disclose PHI
Q: May a health plan disclose Protected Health Information (PHI) to a person who calls the plan on the member’s behalf?
The privacy rules under HIPAA allow a health plan (or other covered entity) to disclose to a family member, relative, or close friend of an individual, the PHI that is directly relevant to that person’s involvement with the individual’s care or payment of care. A covered entity also may disclose PHI to persons who are not family members, relatives, or close friends of the individual, if the covered entity has obtained assurance that the person has been identified by the individual as being involved in his or her care or payment.
The Department of Health and Human Services provides these two examples of the circumstances under which a plan may disclose PHI:
• A health plan may disclose relevant PHI to an enrollee’s daughter who has called to assist her hospitalized, elderly mother in resolving a claim or other payment issue.
• A health plan may disclose relevant PHI to a human resources representative who has called the plan with the enrollee also on the line, or who could turn the phone over to the enrollee who could then confirm for the plan that the representative calling is assisting the enrollee.
Notice of Privacy Practices
Q: Must a health plan periodically notify enrollees about the availability of its Notice of Privacy Practices?
Yes. Under the HIPAA privacy rules, a health plan must remind enrollees at least every 3 years of the availability of its Notice of Privacy Practices, as well as how to obtain a copy.
Entities subject to HIPAA privacy rules
Q: Who must comply with the HIPAA privacy rules?
The following entities are subject to the HIPAA privacy rules:
• Health plans
• Health care clearinghouses
• Health care providers who conduct certain financial and administrative transactions electronically.
Purpose of privacy rules
Q: What is the purpose of the HIPAA Privacy Rule?
The HIPAA Privacy Rule creates national standards to protect individuals’ medical records and other personal health information.
Disclosures for Public Health Activities
Q: Must a health care provider obtain permission from a patient prior to notifying public health authorities of the occurrence of a reportable disease?
No. All states have laws that require providers to report cases of specific diseases to public health officials.
Personal Representatives
Q: Does the HIPAA Privacy Rule change the way in which an individual can grant another person health care power of attorney?
No. Nothing in the Privacy Rule changes the way in which an individual grants another person power of attorney.
Q: If someone has health care power of attorney for an individual, can they obtain access to that individual’s medical records?
Yes; however, when the provider believes that treating a person as an individual’s personal representative may endanger the individual, the provider may choose not to consider that person as the individual’s personal representative.
Q: Does a power of attorney given to a person for purposes other than health care authorize that person to access an individual’s health information as that individual’s personal representative?
No. A power of attorney that does not specify decisions related to health care would not authorize the holder to exercise the individual’s rights under the HIPAA Privacy Rule.
Q: Does the HIPAA Privacy Rule allow parents the right to see their children’s medical records?
Yes, the Privacy Rule generally allows a parent to have access to the medical records about his or her child, as his or her minor child’s personal representative when such access is not inconsistent with state law.
Q: Does the HIPAA Privacy Rule provide rights for children to be treated without parental consent?
No. The Privacy Rule does not address consent to treatment. The rule addresses access to and disclosure of health information, not parental consent.

