Question about HIPAA and faxes...


I am sure there will be someone out there who can help me find the answer to this question...

We were told today at work that EVERYTHING we fax must have a cover sheet on it. This is supposed to include information faxed internally too. Our physician order sheets are carbon-less copies that we pull the copy off and fax the med orders to our pharmacy. Now we are told that even those papers will have to have a cover sheet. We fax AT least 100 times to pharmacy in a 12 hour shift....sure seems like an awful lot of paper waste. I totally understand the need to have cover sheets when we are faxing something outside of our facility, but internally? :rolleyes: Please, someone tell me that our administration is going overboard with this. They have a tendency to do that....Thanks...

Originally posted by Talino

Check this out..

I'm not sure what you wanted us to check out on the HHS web site, but here is a quote:

"Security standards. In August 1998, HHS proposed rules for security standards to protect electronic health information systems from improper access or alteration. In preparing final rules for these standards, HHS is considering substantial comments from the public, as well as new laws related to these standards and the privacy regulations. HHS expects to issue final security standards shortly."

If you know your HIPAA history, you'll know that these security standards have been expected for quite some time and keep getting delayed. Also, for those that are not aware, the privacy regulations were changed substantially between the final draft proposals and the published provisions. The incidental disclosure rule I mentioned earlier is an example of something that substantially changed at the very end. HIPAA consultants like Mr. Fox were portending gloom and doom for YEARS prior to the release of the privacy regs. We were told for example, that we would be unable to discuss patients except in soundproof rooms. The way the original regs were written, one could well have interpreted things that way. Now, common sense has prevailed and it's business as usual in this regard. We are able to discuss patients pretty much as we've always done. The point is that EVERYTHING in relation to the security regs, including this lawyer's website, is speculation at this point. We simply don't know what the final rules are going to say in regard to this issue. To insinuate otherwise is misleading.

Originally posted by Talino

"ADMINISTRATIVE PROCEDURES

Include a pre-printed confidentiality statement on all fax cover sheets. The statement should instruct the receiver to destroy the faxed materials and contact the sender immediately, in the event that the transmission reached him/her in error."

I think you're misinterpreting this. It's one thing to say that all fax cover sheets should have a confidentiality statement, it's another entirely to assume from that statement that coversheets are required in all circumstances. I fully agree that when faxing anything containing PHI to someone outside the organization, that a confidentiality statement is needed. I don't agree that such a statement is needed if the fax is sent internally. Generally all hospital employees sign a confidentiality agreement as a condition of employment. As such, my opinion is that adding confidentiality statements to internal paperwork is unneeded and a waste of time and paper.

Originally posted by Talino

You're correct he's a lawyer all right, but check out his bio in the bottom of this page...

http://www.hipaadvisory.com/action/legalqa/hipaalaw.htm#SteveFoxBio

I sure wouldn't mind an expert's opinion.

There's nothing wrong with opinions; I like opinions. Just don't decide his opinion is gospel because the guy's a lawyer with some healthcare experience. Even Mr. Fox has a disclaimer on his website that says:

"Disclaimer: Steve's responses offer information that is general in nature and should not be relied upon as legal advice. Only your attorney is qualified to evaluate your specific situation and provide you with customized advice."

That's good advice. There are often state provisions that conflict with, or supersede HIPAA, so it's always advisable to have your own "expert" review this before drawing any conclusions.

To me making policies to coincide with provisions of a proposed rule that won't be enforced for at least 2 years is a bit excessive. What's to say the provisions won't change? Personally, I'll wait till things are finalized before changing any of my policies. (I'm the HIPAA Security Officer for my organization.)

Originally posted by Talino

You're absolutely right ;), thanks to a free info site...

I don't think I understand this comment, but your posts sure are starting to sound like an ad for the website you quoted! :) I'm not saying there's anything wrong with that site in particular, but putting all your eggs in one basket (so to speak) is never a good idea.

Thanks,

Scott

Specializes in Vents, Telemetry, Home Care, Home infusion.

since i'm "hip with hipaa" as my agency's privacy officer and responsible for implementation standards, found updated info at cms website tonight.

frequently asked questions about the hipaa privacy rule

can a physician's office fax patient medical information to another physician's office?

response: the privacy rule permits physicians to disclose protected health information to another health care provider for treatment purposes. this can be done by fax or by other means. covered entities must have in place reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information that is disclosed using a fax machine. examples of measures that could be reasonable and appropriate in such a situation include the sender confirming that the fax number to be used is in fact the correct one for the other physician's office, and placing the fax machine in a secure location to prevent unauthorized access to the information. see 45 c.f.r. 164.530(c).

no mention of coversheet here---would think same applies to pharmacy. karen

other questions repeatedly asked here:

can physician offices use patient sign-in sheets or call out the names of patients in their waiting rooms?

response: yes, covered entities such as physician offices may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. the privacy rule explicitly permits certain "incidental disclosures" that occur as a by-product of an otherwise permitted disclosure, for example, the disclosure to other patients in a waiting room of the identity of the person whose name is called. however, these "incidental" disclosures are permitted only to the extent that the covered entity has applied reasonable and appropriate safeguards (45 c.f.r. 164.530(c)), and implemented the minimum necessary standard, where appropriate (45 c.f.r. 164.502(b) and 164.514(d)). for example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem). for more information, see the preamble to the final modifications to the privacy rule (67 fed. reg. 53182, 53193-95 (august 14, 2002)).

a clinic customarily places patient charts in the plastic box outside an exam room. it does not want the record left unattended with the patient, and physicians want the record close by for fast review right before they walk into the exam room. will the privacy rule allow the clinic to continue this practice?

response: yes, the hipaa privacy rule permits this practice as long as the clinic takes reasonable and appropriate measures to protect the patient's privacy. the physician or other health care professionals use the patient charts for treatment purposes. incidental disclosures to others that might occur as a result of the charts being left in the box are permitted, if the minimum necessary and reasonable safeguards requirements are met. as the purpose of leaving the chart in the box is to provide the physician with access to the medical information relevant to the examination, the minimum necessary requirement would be satisfied. examples of measures that could be reasonable and appropriate to safeguard the patient chart in such a situation would be limiting access to certain areas, ensuring that the area is supervised, escorting non-employees in the area, or placing the patient chart in the box with the front cover facing the wall rather than having protected health information about the patient visible to anyone who walks by. each covered entity must evaluate what measures are reasonable and appropriate in its environment. covered entities may tailor measures to their particular circumstances. see 45 c.f.r. 164.530(c).

full faq at:

http://www.hhs.gov/ocr/faqs1001.doc

Specializes in ER CCU MICU SICU LTC/SNF.

...well Scott, I was responding to your comment about HIPAA being only a "proposal" and nothing final. If you actually read the link I posted (check this out), you would have noticed "Electronic Health Care Transactions (final rule issued)", which is what the thread is about, eh? I do want to see your source when you claimed it's still a "proposal."

...lol, being a "promoter for the website", I simply share info, up to the reader to decide.

...and 'am glad you read the lawyer's bio. And no, I don't work for him either, nor do I consider his opinions a gospel. I use the internet a lot for research. How 'bout posting some resource sites, luv to file them up in my favorites. And don't use google, 'been there already ;)

================================

BTW, NRSKarenRN, your contributions are always admirable, and you always use a reference. :kiss

First of all, we need to clarify some things. Faxing is not an electronic transaction issue. It is a privacy and security issue.

There are essentially 3 major parts to the HIPAA Administrative Simplification rules. First, there is Transaction and Code Sets. Final rules for this were published in 2000 and companies had until Oct 16 of this year to either become compliant or file a 12-month extension. This particular standard deals with the standardization of data elements used in electronic medical transactions. It has nothing to do with faxing. The US Department of Health & Human Services, Centers for Medicare & Medicaid is responsible for this portion of HIPAA.

The next portion of the Administrative Simplification is the Privacy rules. This portion deals with the privacy and confidentiality of protected health information (PHI). These rules deal with things like defining PHI, who is and who is not a covered entity, various business partnerships, chain of trust, disclosure rules, etc. The privacy rules are finalized. Right now, compliance with this portion is mandatory by April 2003. Thankfully, 75-80% of the privacy regulations are things many healthcare providers were already doing.

The final portion of the Administrative Simplification is Security. This portion deals with how to ensure privacy of PHI and security of electronic PHI data. The security rules have not been finalized yet. At this time, Secretary Thompson of the HHS has said we can expect these on December 27 of this year. If this happens, we will have until March 2005 to become compliant with these rules. I'm not holding my breath waiting on these because they have been delayed numerous times.

I hope this is all clear. My point is that some portions of HIPAA are final rules, but the most critical part in relation to faxes is the security rules. As I've stated, I personally think it's premature to make a policy that all faxes need cover sheets based on proposed rules.

If you don't like my opinion, try:

http://www.hipaacomply.com/Recent%20FAQ_F.htm

Also since you seem to want me to post additional websites, here's a list:

The site mentioned above (not necessarily better than the ones listed before in this thread, but it's nonetheless a good reference site):

http://www.hipaacomply.com/

Check out the FAQ section especially.

Initial Oversight and Administrative Simplification:

US Department of Health & Human Services, Office of the Assistant Secretary for Planning and Evaluation:

http://aspe.hhs.gov/admnsimp/

see also:

http://aspe.hhs.gov/admnsimp/pl104191.htm

This is the text of the original HIPAA law.

Transaction and Code Sets:

US Department of Health & Human Services, Centers for Medicare & Medicaid:

http://cms.hhs.gov/hipaa/hipaa2/default.asp

Other sites related to transaction standards:

http://www.hipaa-dsmo.org/

http://snip.wedi.org/

Privacy:

US Department of Health & Human Services, Office for Civil Rights:

http://www.hhs.gov/ocr/hipaa/

http://www.hhs.gov/ocr/hipaa/finalreg.html

I hope this clears up some things for all involved.

Thanks,

Scott

Thanks for all the information and links. I plan to do a little research and see what I can find to present to my boss. Like I said in my original post, our administration tends to go overboard with technicalities such as this. I sure don't want to be out of compliance with HIPAA but I don't want to have to cut down a few thousand more trees if we don't absolutely have to. As for our administration going overboard about stuff, even the almighty JCAHO told them during our survey in 2001 that we had TOO MUCH paperwork. That is pretty bad when the organization that is notorious for wanting documentation of when a pt wipes his butt tells us that we are overdoing the paperwork.....:eek: :rolleyes: :confused:
