Confidentiality: HIPAA Program Overview

  1. Policy:

  2. HIPAA Information

    A hospital or other covered entity may, under the HIPAA Privacy Rule, notify a patient’s family or another person the patient is at their facility, according to the U.S. Department of Health and Human Services’ Office of Civil Rights. That is one of several new frequently asked questions placed on the office’s HIPAA web site www.hhs.gov/ocr/hipaa (Link opens in new window). The HHS Office of Civil Rights is responsible for enforcing the HIPAA Privacy Rule.

    The feds further clarify — if a patient is able to communicate with caregivers, a hospital or other provider facility can notify family and other persons “if the patient agrees or, when given the opportunity, does not object,” according to the new guidance.

    For instance, a physician can call a patient’s wife to let her know her husband was in a car accident and is receiving treatment, or a nurse can call a patient’s roommate.

    When a patient is not able to communicate, or it is otherwise impractical to get permission, a provider facility still can notify family or others “when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient,” according to the new guidance.

    Protected Health Information (PHI) disclosure is allowed during community death reviews if a mutual relationship exists among covered entities and the review is used to support certain health care operations relating to:

    • quality assessment and improvement activities;
    • the evaluation or review of the performance, competence, or qualification of health care professionals; or
    • to facilitate training or determine training progress.

    A physician’s office may continue to use sign-in sheets and call out the names of their patients in the waiting room as long as the information disclosed is appropriately limited.

    A patient’s medical chart may be placed at bedside or outside of the exam room door as long as the health information about the patient is not visible to anyone who walks by.

    The HIPAA Privacy Rule does not address consent to treatment. It addresses access to, and disclosure of, health information, not the underlying treatment.

  3. Violation Reporting Procedures

    • To report internal violations, contact your Privacy Officer, Becki Burton
    • To report external violations, contact your Privacy Officer, Becki Burton or see How to File a Privacy Complaint with the Department of Health and Human Services
  4. Consent Notice

    • At this time, OKDHS will not use a consent notice because they are optional and only used for a client to approve something we can do anyway.
  5. Disclosure Without Authorization

    • OKDHS is not authorized to release medical information to law enforcement agencies except for reports to DAs following investigations for abuse of children and vulnerable adults. If you have questions regarding any law enforcement request, please contact our Privacy Officer, Becki Burton.
  6. Issuing Notice

    • Privacy Notices will be issued directly to clients for whom OKDHS provides direct care, such as people who receive Targeted Case Management by DCFS, ADvantage Waiver plans of care, and residents of institutions. For all other clients, OKDHS will post the privacy notice in the waiting area of each office and give copies of the notice to all clients who ask for one.
    • Get all OKDHS HIPAA forms, including the Privacy Notice and the HIPAA-compliant Authorization form.
  7. Obtaining Acknowledgement

    • OKDHS has to get acknowledgement from a client that he or she, has received a privacy notice only if the client is receiving direct care.
Was this article helpful?

Comments or Suggestions?

We want Quest to be your source for important information that you need to succeed at in your work but we need your help:

Was this article helpful? Was it missing something you needed to get the job done?

Tell us what you think, what you know about this article. What are we doing well, and what we could do better.

All fields are required.