HIPAA & Patient Privacy

As per HIPAA, a covered entity cannot disclose protected health information unless the referenced patient (or guardian/representative) gives authorization. Or there’s an exception to that requirement.   So, what IS protected health information (PHI)?  Protected health information is information, including demographic information, which relates to:  For example, a medical record, laboratory report, or hospital bill would … Read more

HIPAA is not a “set it and forget it” rulebook. It’s a living framework that evolves as technology changes, as patient expectations shift, and as regulators redefine what qualifies as protected health information (PHI). Even if you haven’t touched your privacy policies in years, you might still be violating HIPAA today—without realizing it.  Let’s look … Read more

You’re in the middle of a busy clinic when federal agents walk through your front door. They flash their badges. “We’re from ICE,” one says. “We’re looking for someone.”  Do you let them in?  It’s a question that makes every physician and practice manager pause—not because anyone is hiding fugitives, but because we live in … Read more

Each year, there are over 100 million emergency department visits in the US. Imaging is performed in over 50% of such encounters. CT scans are performed in 20% of such visits.   Not infrequently, a surprise finding is identified.   It is estimated that an actionable incidental finding (AIF), defined as a “mass or lesion, detected by … Read more

The Department of Health and Human Services (HHS) issued a guidance document called Online Tracking Bulletin. It then revised that document. The AHA, joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, sued in November 2023 arguing that HHS over-reached and that the bulletin was unlawful.  This was not … Read more

Can You Store Protected Health Information on iCloud?  No.   The information stored on a cloud provider must be transported to and stored securely. How secure? Reasonably secure. iCloud likely meets that test.  In addition, there must be a signed Business Associate Agreement (BAA) in place before Protected Health Information PHI is transferred between organizations. This … Read more

If a patient asks for their records, according to HIPAA, what records must you provide? According to HIPAA you need to send the patient their medical (dental) records. And within 30 days in the format they want. Some states, such as California, have an accelerated timeline of 15 days.   OK, so, what are “patient records?” … Read more

This question hit my desk. I’ve received some version of this same question over and over.   A plastic surgeon performed aesthetic surgery on a patient. Objectively the results look good. Subjectively, the patient disagrees.   Sound familiar?  There’s a conflict. The patient takes the conflict online. She posts photos which are a few days post-op. They … Read more

Physicians take all sorts of photographs. Some are part and parcel of a surgeon’s practice. Before and after photos of cosmetic surgery. For example. No surprises there.   Patients of Lehigh Valley Health Network were surprised that hackers obtained photos of their naked bodies while undergoing radiation treatment.   Hackers breached the network.   A Lehigh Valley Health … Read more

Generally, a patient needs to sign a HIPAA authorization form to disclose their protected health information. Unless there’s an exception. Such as addressing Treatment, Payment, or Operations (“TPO”). No written authorization is needed for such exceptions – for example, to disclose limited protected health information to resolve a financial dispute (say, a credit card chargeback … Read more