Question about HIPAA and faxes... - page 2

I am sure there will be someone out there who can help me find the answer to this question... We were told today at work that EVERYTHING we fax must have a cover sheet on it. This is supposed to...

  1. by   NRSKarenRN
    since i'm "hip with hipaa" as my agency's privacy officer and responsible for implementation standards, found updated info at cms website tonight.

    frequently asked questions about the hipaa privacy rule

    can a physician's office fax patient medical information to another physician's office?

    response: the privacy rule permits physicians to disclose protected health information to another health care provider for treatment purposes. this can be done by fax or by other means. covered entities must have in place reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information that is disclosed using a fax machine. examples of measures that could be reasonable and appropriate in such a situation include the sender confirming that the fax number to be used is in fact the correct one for the other physician's office, and placing the fax machine in a secure location to prevent unauthorized access to the information. see 45 c.f.r. 164.530(c).

    no mention of coversheet here---would think same applies to pharmacy. karen

    other questions repeatedly asked here:
    can physician offices use patient sign-in sheets or call out the names of patients in their waiting rooms?
    response: yes, covered entities such as physician offices may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. the privacy rule explicitly permits certain "incidental disclosures" that occur as a by-product of an otherwise permitted disclosure-for example, the disclosure to other patients in a waiting room of the identity of the person whose name is called. however, these "incidental" disclosures are permitted only to the extent that the covered entity has applied reasonable and appropriate safeguards (45 c.f.r. 164.530(c)), and implemented the minimum necessary standard, where appropriate (45 c.f.r. 164.502(b) and 164.514(d)). for example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem). for more information, see the preamble to the final modifications to the privacy rule (67 fed. reg. 53182, 53193-95 (august 14, 2002)).

    a clinic customarily places patient charts in the plastic box outside an exam room. it does not want the record left unattended with the patient, and physicians want the record close by for fast review right before they walk into the exam room. will the privacy rule allow the clinic to continue this practice?
    response: yes, the hipaa privacy rule permits this practice as long as the clinic takes reasonable and appropriate measures to protect the patient's privacy. the physician or other health care professionals use the patient charts for treatment purposes. incidental disclosures to others that might occur as a result of the charts being left in the box are permitted, if the minimum necessary and reasonable safeguards requirements are met. as the purpose of leaving the chart in the box is to provide the physician with access to the medical information relevant to the examination, the minimum necessary requirement would be satisfied. examples of measures that could be reasonable and appropriate to safeguard the patient chart in such a situation would be limiting access to certain areas, ensuring that the area is supervised, escorting non-employees in the area, or placing the patient chart in the box with the front cover facing the wall rather than having protected health information about the patient visible to anyone who walks by. each covered entity must evaluate what measures are reasonable and appropriate in its environment. covered entities may tailor measures to their particular circumstances. see 45 c.f.r. 164.530(c).

    full faq at:
  2. by   Talino
    ...well Scott, I was responding to your comment about HIPAA being only a "proposal" and nothing final. If you actually read the link I posted (check this out), you would have noticed "Electronic Health Care Transactions (final rule issued)", which is what the thread is about, eh? I do want to see your source when you claimed it's still a "proposal.", being a "promoter for the website", I simply share info, up to the reader to decide.

    ...and 'am glad you read the lawyer's bio. And no, I don't work for him either, nor do I consider his opinions a gospel. I use the internet a lot for research. How 'bout posting some resource sites, luv to file them up in my favorites. And don't use google, 'been there already


    BTW, NRSKarenRN, your contributions are always admirable, and you always use a reference. :kiss
  3. by   Scott_T
    First of all, we need to clarify some things. Faxing is not an electronic transaction issue. It is a privacy and security issue.

    There are essentially 3 major parts to the HIPAA Administrative Simplification rules. First, there is Transaction and Code Sets. Final rules for this were published in 2000 and companies had until Oct 16 of this year to either become compliant or file a 12-month extension. This particular standard deals with the standardization of data elements used in electronic medical transactions. It has nothing to do with faxing. The US Department of Health & Human Services, Centers for Medicare & Medicaid is responsible for this portion of HIPAA.

    The next portion of the Administrative Simplification is the Privacy rules. This portion deals with the privacy and confidentiality of protected health information (PHI). These rules deal with things like defining PHI, who is and who is not a covered entity, various business partnerships, chain of trust, disclosure rules, etc. The privacy rules are finalized. Right now, compliance with this portion is mandatory by April 2003. Thankfully, 75-80% of the privacy regulations are things many healthcare providers were already doing.

    The final portion of the Administrative Simplification is Security. This portion deals with how to insure privacy of PHI and security of electronic PHI data. The security rules have not been finalized yet. At this time, Secretary Thompson of the HHS has said we can expect these on December 27 of this year. If this happens, we will have until March 2005 to become compliant with these rules. I'm not holding my breath waiting on these because they have been delayed numerous times.

    I hope this is all clear. My point is that some portions of HIPAA are final rules, but the most critical part in relation to faxes is the security rules. As I've stated, I personally think it's premature to make a policy that all faxes need cover sheets based on proposed rules.

    If you don't like my opinion, try:

    Also since you seem to want me to post additional websites, here's a list:

    The site mentioned above. (not necessarily better than the ones listed before in this thread, but it's nonetheless a good reference site):
    Check out the FAQ section especially.

    Initial Oversight and Administrative Simplification:
    US Department of Health & Human Services, Office of the Assistant Secretary for Planning and Evaluation:
    see also:
    This is the text of the original HIPAA law.

    Transaction and Code Sets:
    US Department of Health & Human Services, Centers for Medicare & Medicaid:

    Other sites related to transaction standards:

    US Department of Health & Human Services, Office for Civil Rights:

    I hope this clears up some things for all involved.

    Last edit by Scott_T on Nov 21, '02
  4. by   deespoohbear
    Thanks for all the information and links. I plan to do a little research and see what I can find to present to my boss. Like I said in my original post, our administration tends to go overboard with technicalities such as this. I sure don't want to be out of compliance with HIPAA but I don't want to have to cut down a few thousand more trees if we don't absolutely have to. As for our administration going overboard about stuff, even the almighty JCAHO told them during our survey in 2001 that we had TOO MUCH paperwork. That is pretty bad when the organization that is notorious for wanting documentation of when a pt wipes his butt tells us that we are overdoing the paperwork.....