For members of the Texas Children's Hospital medical staff
|
HIPAA dos and don’ts for disclosing Protected Health Information
By Jana Chvatal, David Finn and Robert W. Warren, M.D.
Many state and federal laws and regulations, such as the Health
Insurance Portability and Accountability Act of 1996 (HIPAA) and
the Texas Health and Safety Code, govern the privacy and security
of patient information. Additionally, physicians must abide by
rules issued by organizations such as the Texas Medical Board and
the American Medical Association, as well as by the Texas
Children's Hospital Medical Staff Bylaws and Rules and
Regulations.
Ensuring compliance on a daily basis while navigating the myriad
requirements is difficult. The Texas Children's Privacy Office
receives many questions about how to comply in particular
situations. Below are some common scenarios physicians may face.
If you have additional questions, the Privacy Office may be
contacted at 832-824-2097.
Does HIPAA require me to disclose Protected Health Information
(PHI)?
No. The Privacy Standards require covered entities to make only
two disclosures: the first to the patient upon their request, and
the second to the Secretary of the United States Department of
Health and Human Services for an investigation into the
activities of the covered entity.
Covered entities are permitted to make any other disclosure
described in the Privacy Standards without patient authorization;
however, the covered entity has the right to require patient
authorization if it so chooses.
Can the patient read the chart?
Yes, in accordance with hospital policy IM 201-01, Patient
Access to Protected Health Information (PHI). The patient owns
the information, but the hospital owns the physical chart. The
chart is used as a communication tool and is a legal document.
When the patient views the chart, a caregiver must be present at
the time of the review to ensure that the patient understands the
information correctly and that the patient neither modifies the
chart nor removes information from it.
Can the patient ask for copies of their PHI?
Yes, the HIPAA Privacy Standards give patients the right to request
copies of their information. The hospital may, however, deny the
release of certain information (e.g., mental health) if
releasing the information could cause harm to the patient.
Copies of information may be requested directly from the
physician (e.g., copy of the last office visit note) or from the
Health Information Management department.
Can an employee/physician look at their child’s record?
While the HIPAA Privacy Standards give patients the right to
access their information, employees/physicians must still comply
with hospital policy when accessing their own or their child's
information. The clinic may restrict what information patients
and parents are told at a particular time, so it is important
that the treating physician give the employee/physician approval
to view only specific information. Access to all clinical
systems is logged and tracked, so at any time a physician may be
called upon to verify that he or she gave approval for the
employee/physician to access the information.
Can I look at my neighbor’s child’s record?
If you are a current treating physician of the patient, you may
view the record. If the neighbor instead asks you to look up test
results because the child's physician has not called with the
information, you cannot view the information, because you do not
have a treatment relationship with the patient.
Can the patient ask me to change information in their record?
Yes, the HIPAA Privacy Standards give patients the right to
request an amendment to their information. The hospital or
physician is not required to agree to the request, however, and
may deny it for the reasons outlined in the Privacy Standards.
Per hospital policy IM 202, Amendment of Protected Health
Information, Texas Children's Hospital requires that the request
be in writing and has 60 days to notify the patient of the
decision.
Can I use PHI in educational presentations without patient
authorization?
Yes, subject to some best practices. It is best to de-identify
the information as much as possible. If the information cannot
reasonably be de-identified, only the minimum necessary PHI
required for the presentation should be used. Nevertheless, it
still may be prudent to obtain patient authorization if the
information used is a photograph, a video or very sensitive
information that cannot be de-identified.
Can I identify a patient in a section conference?
It depends on the purpose of the conference. For non-treatment
purposes, such as a morbidity/mortality conference, the minimum
necessary rule applies, and the patient should not be identified
by name. Omitting the patient's name should not change the
discussion of the information but will protect the patient's
identity. The medical record number may be used in materials to
identify the patient for tracking purposes. For treatment
purposes, such as section weekend check-out rounds, minimum
necessary does not apply, so the patient may be discussed
without withholding his or her identity.
Can I share my password or use someone else’s to sign documents
in the electronic record?
No. Each user is responsible for all activity performed with
their user ID. A physician cannot give their user ID to a
resident, fellow or secretary to "sign" a document on their
behalf. It is a compliance issue if a document signature is
performed by anyone other than the authorized user.
Can I send an e-mail containing PHI, either in the text of the
e-mail or in an attachment?
E-mail containing PHI must be sent securely. Currently, only
e-mail communications between Texas Children's Hospital and
Baylor College of Medicine are secure. When sending e-mail, use
the minimum necessary information; for instance, use the
patient's initials instead of the full name. This protects the
patient in the event the e-mail is forwarded somewhere other than
Texas Children's or Baylor. Texas Children's is currently
assessing an outgoing secure messaging solution that would enable
users to send e-mail containing PHI to addresses other than Texas
Children's or Baylor.
Jana Chvatal is manager, Privacy and Information Security Office
at Texas Children's. David Finn is chief information officer,
vice president and Privacy and Information Security officer at
Texas Children's. Robert W. Warren, M.D., is medical director,
Information Services; chair of the Medical Staff Medical Record
Committee; medical director, Rheumatology; and assistant medical
director, Ambulatory Services at Texas Children's. He is also
associate professor, Department of Pediatrics, at Baylor College
of Medicine.