2. After the initial training, how often do I have to train office personnel on privacy issues?
The training is germane to the responsibilities of the staff member. Changes in job descriptions or positions that allow greater access warrants additional training within a reasonable time frame following the change in responsibilities. As a practical matter, regular reminders during meetings and at least annually, training should be done and documented. All new employees should be trained as part of their initial orientation to your practice.

3. Do I have to monitor daily?
Monitoring is an important part of the privacy officer’s duties. It means actively checking to make sure the practice is adhering to the policies and procedures related to protected health information (PHI). Monitoring should be completed on a regular schedule that is sufficient to ascertain compliance with policies and procedures. You need to document when you do check. It is important to always follow your own rules to mitigate the opportunity for an error to occur but also reduce the damage if improper use or release is detected.

4. What if the information requester is the medical board or a police officer?
Many state medical boards have the right to request the original record of a patient. You need to confirm with your state if they have this access as they do in Ohio. Be sure to confirm the identity of the investigator and make a copy prior to releasing the chart.

As for a police officer, DO NOT release any information without a confirmed court order. Do not be intimidated or badgered into giving them access.

5. Who determines the “minimum necessary” when I receive a request for protected health information (PHI)?
For those requests that must meet the “minimum necessary” rule, the practice that holds the information retains the discretion to make its own “minimum necessary” determination.

6. Do I, as the privacy officer, have to review all requests for protected health information (PHI)?
For regular or recurring requests and disclosures, policies and procedures may be developed for standard protocols for staff to follow. Non-routine disclosures or requests for PHI must be reviewed on an individual basis.

7. We occasionally need to courier protected health information (PHI) such as original x-rays to another location. Do we need a business associate agreement with each courier service?
The rule does not require a business associate agreement with a person or organization that acts merely as a conduit of information, such as the U.S. Postal Service, certain private couriers and their electronic equivalents. Since no disclosure is intended and the probability is small for incidental release, no agreement is necessary.

8. As we develop additional contacts that require a business associate agreement, what exposure do we have if the business associate inappropriately releases protected health information (PHI)?
The HIPAA Privacy Rule requires covered entities to enter into written contracts or other arrangements with business associates that protect the privacy of PHI. You are not required to monitor or oversee how business associates carry out privacy safeguards or abide by the privacy requirements of the contract. You are not responsible or liable for the actions of its business associates. 

If, however, you find out about a material breach or violation of the contract by the business associate, you must take reasonable steps to cure the breach or end the violation; if you can’t, terminate the contract with the business associate. If termination is not feasible (i.e., where there are no other viable business alternatives for the practice), the practice must report the problem to the U.S. Department of Health and Human Services Office for Civil Rights (OCR). 

Final Standards for Privacy of Individually Identifiable Health Information. §164.504 Uses and Disclosures: Organizational Requirements. (HIPAAdvisory)
http://www.hipaadvisory.com/regs/finalprivacy/504.htm

9. Am I required to have business associate contracts with bio-medical equipment technicians or contractors such as plumbers, electricians, or office machines repair individuals who provide repair services?
No, such repair technicians do not require access to protected health information (PHI) to perform their services for a physician's office, so they do not meet the definition of a “business associate.” Under the HIPAA Privacy Rule, “business associates” are contractors or other non-workforce members hired to do work for you that involves the use or disclosure of PHI. 

Any disclosure of PHI to such technicians that occurs in the performance of their duties (e.g., walking through or working in file rooms) is limited in nature, occurs as a by-product of their duties, and could not be reasonably prevented. Such disclosures are incidental and permitted by the Privacy Rule. 

Definition of business associate: Final Standards for Privacy of Individually Identifiable Health Information. Subpart A - General Provisions. §160.103. Definitions. (HIPAAdvisory) http://www.hipaadvisory.com/regs/finalprivacy/160a.htm

Final Standards for Privacy of Individually Identifiable Health Information. §164.502. Uses and disclosures of protected health information: general rules. (HIPAAdvisory) http://www.hipaadvisory.com/regs/finalprivacy/502.htm

10. Mr. Green calls for a prescription renewal for his wife, Betty. He wants us to leave a message on his answering machine when the renewal has been called in to the pharmacy and what drug has been prescribed. He will be at work and not accessible by phone. His wife is too ill to take calls and he wants her to rest without trying to answer the phone. Is it okay to leave a message on his answering machine and can we tell him the name of the drug prescribed?
Betty previously notified us that her husband, Mr. Green, could be advised of any of the treatment information concerning her current illness. We had her sign an authorization that we put in her file. There is not a problem advising him of the medication and since his wife asked him to pick up the prescription, he would be aware of the medication anyway. It is acceptable to leave the message on his answering machine because he has made the request and you have noted his request on your phone slip that will be filed in the medical record.

11. Jill, one of the pharmaceutical reps. that service our office, is bringing in lunch for the doctors and staff. She will be providing a brief lecture on a new antibiotic. We usually have the lunches in our break room where the nurses are working on charts and next to the area our doctors dictate their visit notes. Is it okay to still have the rep. lunches (Jill always seemed very trustworthy)?
You do not have a business associate agreement with the rep. and she does not have the right to hear or see patients’ information. You could either have the lunch in your waiting area or plan in advance and remove all charts and request the doctors to dictate in their offices with the doors closed or wait until the lunch is completed and Jill has left.

12. Connie is my front desk receptionist. She has been with us for 10 years and has completed the HIPAA training. She continues to discuss with patients how they are doing and references the reason for their visit within earshot of the waiting room. Patients love her and I have not had a complaint. Is this a concern?
You are required not only to educate staff, but also to have some formal consequences for employees that breach confidentiality. You need to consult your policy and take the same action you would for other violations of policy. As a part of that, you need to ask her to repeat training on HIPAA.

13. Do I need to have a signed authorization to send records to another physician when I refer a patient to him/her? 
Technically the answer is no. A referral is considered “treatment.” You are not required to have an authorization to release records for treatment, payment, and health care operations (TPO) and in an emergency. However, it may be best to always get a signed authorization prior to releasing records. This can help to prevent complaints by a patient thinking that information was sent inappropriately. It also provides a record of how protected health information (PHI) has been disseminated for TPO.

14. Do I need to remodel my office so no one can see charts or overhear conversations?
In an ideal world, everything would be totally private, but the remodeling of offices is not the intent of HIPAA. “Incidental uses and disclosures” of protected health information (PHI) are things that can’t be helped. While we should make every effort to limit exposure of PHI to others, you will still be calling names in the waiting room, having file rooms that people have to walk by, and patient charts outside exam room doors. Making changes where possible to minimize exposures is great, but some disclosures can’t be eliminated.

15. Can I still fax things to other offices?
Of course you can but be sure to use a cover sheet that has a confidentiality statement on it. Also, you should verify your fax numbers. Using auto fax numbers can lead to faxes going to other than the intended receiver, so check on these regularly.

16. Can I leave information on a patient’s answering machine?
Discretion is still the order of the day. While appointment reminders may be left, do not leave test results on an answering machine. Be sure to include a statement in your privacy notice that you may be leaving messages on answering machines. Some registration screens have a place where a patient can agree to this.

17. An insurance company wants to evaluate our practice, including looking at a sample of our medical records. Do I need to get an authorization from the patient if his/her chart will be among those reviewed?
If you have a relationship with the company either as a part of a managed care contract or they are providing professional liability insurance, an authorization would not be necessary. This would be considered part of health care operations.

18. Mr. Wheeler is a regular patient who comes in at least every month or so. He is very hard of hearing and we have to shout in order for him to understand. Are we breaching his privacy if other patients overhear something about his condition due to the loud conversational level?
No, as long as you are making an effort to have him out of the main public areas when you converse; if overheard it would be considered an unintentional breach of privacy.

19. The office manager’s daughter volunteers in our office during winter break. She helps us with filing. Do we need a business associate agreement with her since she has access to protected health information (PHI)?
No, but you should set up a personnel folder for her and have her sign a confidentiality statement and provide training on privacy practices in your office.