
FAQ Confidentiality (HIPAA)

May I disclose health information to a patient’s family member or friend?

The U.S. Department of Health and Human Services published a guide, which can be accessed here. This guide explains when a healthcare provider is allowed to share a patient’s health information with the patient’s family members, friends or others identified by the patient as involved in the patient’s care under HIPAA.

May I leave diagnostic test results on a patient’s answering machine?

No. The best practice is to leave a callback number with the patient. It is acceptable to leave messages on a patient’s voicemail. However, care should be taken to limit the amount of information disclosed in order to reasonably safeguard the patient’s privacy. Additionally, you cannot be sure the patient receives the test result if you leave a message. It is best to deliver test results directly to the patient. Be sure the conversation with the patient is documented in the patient’s medical record, including the date and time of the call, the exact information given and who relayed the information.

Do patients have the right to request restrictions to the use or disclosure of their health information?

Under the initial HIPAA privacy rule, the patient had the right to request restrictions to the use or disclosure of their protected health information (PHI), but the provider did not have to agree to the restrictions. However, the Health Information Technology for Economic and Clinical Health Act (HITECH) increased the patient’s right to request restrictions on disclosure of the patient’s PHI. Now, providers must agree to patients’ requests to restrict disclosure of PHI to an insurance company if the patient paid cash for the service.

Do patients have the right to request an amendment to their medical records?

Patients have the right to request that their protected health information be amended by their healthcare provider to correct incomplete or incorrect information upon submission of a written request. (See HIPAA Privacy Rule – Standard 164.526). However, the office may deny a patient’s request for amendment if the office determines that the protected information subject to the request:

  1. Was not created by the office, unless the individual provides a reasonable basis to believe that the originator of the protected health information is no longer available to act on the requested information.
  2. Would not be available to the patient for inspection (see HIPAA Privacy Rule 164.524 for exceptions to a patient’s right to access protected health information).
  3. Is accurate and complete.

Should a provider deny a patient’s request to amend his/her protected health information, the provider must provide the patient with a written explanation of the denial. The patient will have the right to file a statement of disagreement or to request that the office include the individual’s request for amendment and the denial with any future disclosures of the protected health information subject to the request.

A Request to Amend Protected Health Information form can be found on PICA’s website.

My patient’s prior physician wants my patient’s test results. Am I allowed to provide him with the results without my patient’s permission?

The HIPAA Privacy Rule (45 CFR 164.506) allows healthcare providers to share protected health information for treatment purposes without the patient’s authorization. However, if a prior healthcare provider is no longer involved in the care and treatment, you should not disclose a patient’s information without the express written consent of the patient.

The hard drive containing patient information was stolen from one of my laptop computers. What should I do?

The HIPAA Security Rule requires practices to notify a patient in the event that unsecured protected health information is disclosed to an unauthorized person. Unsecured protected health information means health information that is not protected by technology that renders it unusable or unreadable to unauthorized persons.

There are several steps that you must take when a breach has occurred. Contact the PICA Claims Department at (888) 444-7422 and our claims specialists will assist you on how to notify your patients of the breach.
