Q. My email remains encrypted until it is opened. I have received two requests-via email and certified letter-from the patient's parent requesting records be sent by email or mail. I know legally a person may request this, but we must provide this service when we can ensure that the person requesting is who he or she says he or she is. Does a certified letter with recognizable signature or email from a known email address of a parent qualify as verification of the parent's identity?
Q. Is it acceptable for admitting and patient registration staff to photograph patients upon check- in for identification purposes? Is it permissible to take pictures of behavioral health patients for the same purpose?
Q. Is it a HIPAA violation if a hospital receives a faxed Healthcare Effectiveness Data and Information Set (HEDIS) request and the hospital cannot identify the patient by full name, last name, or date of birth? These requests contain name, date of birth, provider, and the HEDIS Measure (Chlamydia screening, cervical cancer screening, cholesterol management, etc.) and last date of service of the patient. Typically, these faxed requests are from business associates of the patient's health insurance, but occasionally they come directly from the insurance company.
Q. A long-term care facility has deployed laptops that connect to a file server and are password protected. The laptops are not used to store PHI or other confidential data and are not removed from the facility. Do the laptop hard drives need to be encrypted?
Q. Can paper patient records be kept in a public storage unit? The storage company we are considering has a digital entry at the main gate. We would also have a keyed lock on the storage unit door.
