Shortage of Case Law Precedent May Account for Persistent Misconceptions
Implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security requirements has been a challenging endeavor for health care organizations. Many years later, the task is still complicated by myths and misinterpretations about the law and its related regulations.
The source of the myths and confusion isn’t always clear, but it seems to come from zealous privacy advocates, providers’ legal advisors who warn of legal consequences and lawsuits, and vendors eager to sell their “HIPAA-compliant” products. Today, the myths may persist because case law and precedent have been hard to come by: There simply hasn’t been a lot of actual legal enforcement of the HIPAA regulations.
Here are three of the most common HIPAA myths.
Myth #1
A health care provider may not discuss a patient’s condition or care with a family member.
Myth dispelled
Not true. In fact, the HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits a health care provider to share information that’s directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care
- if the patient agrees or, when given the opportunity, doesn’t object, or
- if the provider can reasonably infer, based on professional judgment, that the patient doesn't object.
This means that, for example, if the patient is incapacitated, a provider may share this information with the person when, in exercising professional judgment, they determine that doing so would be in the best interest of the patient.
Myth #2
A healthcare provider can’t disclose a patient’s data to another healthcare provider without a patient authorization.
Myth dispelled
Not true. A healthcare provider may disclose protected health information for treatment activities of a healthcare provider without an authorization.
- The provider is required to verify the identity of the person requesting information, or
- If the identity of the person isn’t known to the healthcare provider, then they must ascertain the authority of such person to have access to the information.
A provider may rely on documentation, statements, or representations that meet the requirement if doing so is reasonable.
Myth #3
Your patients must sign the HIPAA Notice of Privacy Practices.
Myth dispelled
A provider must provide the notice and make a good faith effort to obtain a written acknowledgment of the patient’s receipt of the notice. If the acknowledgment isn’t obtained, the provider must document his or her efforts to obtain it.
Provided by our partners at Nurses Service Organization