AD Healthcare Consulting LLC
Leader in HIPAA Consulting Services
  1. May a HIPAA covered entity or business associate use a cloud service to store or process ePHI?
    Yes, provided the covered entity or business associate enters into a HIPAA-compliant business associate contract or agreement (BAA) with the CSP that will be creating, receiving, maintaining, or transmitting electronic protected health information (ePHI) on its behalf, and otherwise complies with the HIPAA Rules. A covered entity (or business associate) that engages a CSP should understand the cloud computing environment or solution offered by a particular CSP so that the covered entity (or business associate) can appropriately conduct its own risk analysis and establish risk management policies, as well as enter into the appropriate BAAs. See 45 CFR 164.308 (a)(1)(ii)(A); 164.308(a)(1)(ii)(B); and 164.502.
  2. Can a patient have a friend or family member pick up a prescription for her?
    Yes. A pharmacist may use professional judgment and experience with common practice to make reasonable inferences of the patient's best interest in allowing a person, other than the patient, to pick up a prescription. See 45 CFR 164.510(b). For example, the fact that a relative or friend arrives at a pharmacy and asks to pick up a specific prescription for an individual effectively verifies that he or she is involved in the individual’s care, and the HIPAA Privacy Rule allows the pharmacist to give the filled prescription to the relative or friend. The individual does not need to provide the pharmacist with the names of such persons in advance.
  3. Does the HIPAA Privacy Rule limit what a doctor can do with a family medical history?
    Yes, if the doctor is a “covered entity” under the HIPAA Privacy Rule. A doctor, who conducts certain financial and administrative transactions electronically, such as electronically billing Medicare or other payers for health care services, is considered a covered health care provider. The HIPAA Privacy Rule limits how a covered health care provider may use or disclose protected health information. The HIPAA Privacy Rule allows a covered health care provider to use or disclose protected health information (other than psychotherapy notes), including family history information, for treatment, payment, and health care operation purposes without obtaining the individual’s written authorization or other agreement. The HIPAA Privacy Rule also generally allows covered entities to disclose protected health information without obtaining the individual’s written authorization or other agreement for certain purposes to benefit the public, for example, circumstances that involve public health research or health oversight activities. When a covered health care provider, in the course of treating an individual, collects or otherwise obtains an individual’s family medical history, this information becomes part of the individual’s medical record and is treated as “protected health information” about the individual. Thus, the individual (and not the family members included in the medical history) may exercise the rights under the HIPAA Privacy Rule to this information in the same fashion as any other information in the medical record, including the right of access, amendment, and the ability to authorize disclosure to others.
  1. What is the difference between "consent" and "authorization" under the HIPAA Privacy Rule?
    The Privacy Rule permits, but does not require, a covered entity to voluntarily obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs. By contrast, an "authorization" is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.
  2. Are location information services of collection agencies, which are required under the Fair Debt Collection Practices Act, permitted under the HIPAA Privacy Rule?
    “Payment” is broadly defined as activities by health plans or health care providers to obtain premiums or obtain or provide reimbursements for the provision of health care. The activities specified are by way of example and are not intended to be an exclusive listing. Billing, claims management, collection activities and related data processing are expressly included in the definition of “payment.” See the definition of “payment” at 45 CFR 164.501. Obtaining information about the location of the individual is a routine activity to facilitate the collection of amounts owed and the management of accounts receivable, and, therefore, would constitute a payment activity. See 45 CFR 164.501. The covered entity and its business associate would also have to comply with any limitations placed on location information services by the Fair Debt Collection Practices Act (Federal Trade Commission).
  3. Do the HIPAA Privacy Rule protections apply to the health information of deceased individuals?
    Yes, for a period of 50 years following the date of death of the individual. During this period, the Privacy Rule protects the identifiable health information of the deceased individual to the same extent the Rule protects the health information of a living individual. However, in cases where a covered entity maintains a medical records archive or otherwise maintains health or medical records that contain identifiable health information on individuals who have been deceased for more than 50 years, such information is not considered protected health information and may be used or disclosed without regard to the Privacy Rule.