Q: It is my understanding that we can make PHI disclosures using our EHR for payment/treatment/healthcare operations without a consent and that we do not need to track these requests for an accounting of disclosures. Has this changed?
Too often, organizations fall for common HIPAA myths and erroneously incorporate them into otherwise sound, good-faith compliance efforts. That can lead to wasted time and resources, duplicative work, or even outright noncompliance.
Q: A local school has asked us to come in and provide flu shots to the students and staff. Do we need to ask each person who gets the shot to sign our Notice of Privacy Practices (NPP), or can the school do so on their behalf and provide the information to them?
Email is a routine and essential part of communication in healthcare—even when communicating PHI. But setting and enforcing HIPAA-compliant email policies continues to be tricky for many organizations.
Q: I work for a home health agency. They’ve recently instructed us not to wear scrubs, lab coats, or anything that could obviously identify us as healthcare professionals. They’ve asked us to wear more business/professional casual attire because some patients complained that their neighbors saw nurses coming into the house and were concerned it was a HIPAA violation. Is this really a HIPAA concern, or could this be considered an incidental disclosure?
