Skip to main content About News Giving All Departments Contact Us Site Map
 University of Texas Southwestern Medical School
 
Search       
Print Friendly  
spacer Home Education Research Patient Care Faculty & Administration Resource Careers
Faculty Directory Administration Administrative Departments
| Home > Faculty & Administration > Administrative Departments > HIPAA >
HIPAA Privacy Office - Frequently Asked Questions
 Welcome 
 Policies & Procedures 
 Forms 
 Articles & Newsletters 
 Newsworthy Events 
 Training 
 Contact Us 
 

 

Frequently Asked Questions

If a patient uses an administrative assistant to schedule appointments that require discussing the patient's medical history, must that assistant be listed as a PHI designee in order to schedule said appointment?

Is it more appropriate when we contact patients to say, "I am calling from Dr. Bob Smith's office," rather than, "I am calling from the Simmons Cancer Center"? I know sometimes patients like to keep health matters private, even with their families.

I work in the Oral Surgery clinic and I have a pretty good understanding of the HIPAA regulations. However, I recently encountered a situation that I am not sure how to handle. We have a patient who is a minor, and she is also pregnant. Her parents are not aware of the pregnancy. The patient is scheduled to have a surgical procedure (wisdom-teeth extraction) done under IV sedation. The anesthesia risks, including those to the fetus, need to be explained in order to get informed consent. Can a pregnant minor sign the informed consent, or do the parents need to sign? If the parents have to sign, will we have to tell them about the pregnancy?

When can I disclose protected health information to the friends and family of the patient?

Is it a HIPAA violation to call out patients' names in the clinic waiting room?

Who do I call to report a suspected privacy violation?

Can I leave appointment reminders on the patient’s answering machine or with a family member?

I heard I need to take online HIPAA training. What do I need to do, and how do I take the training?

Must I give a Notice of Privacy Practices to every patient, or can I just post the notice in the waiting room and give a copy to those patients who ask for it?

May I discuss PHI with someone other than the patient regarding payment of a bill?

If someone has a medical power of attorney for the patient, can they obtain access to that patient’s medical record?

Does HIPAA allow students access to medical records during training?

 

Q: If a patient uses an administrative assistant to schedule appointments that require discussing the patient's medical history, must that assistant be listed as a PHI designee in order to schedule said appointment?

A: No, a designated person form is not necessary in this instance. If an administrative assistant calls to schedule an appointment for his/her boss, we can infer from the situation that the administrative assistant is privileged to limited health information and is operating under the direction of the employer. However, professional judgment must be used to determine how much information can be given to the administrative assistant, and the information must pertain to the clinic visit. For example, if fasting labs are to be drawn, the scheduler can tell the caller that the patient is not to eat or drink anything after midnight.

Go to top of page.

 

Q: Is it more appropriate when we contact patients to say, "I am calling from Dr. Bob Smith's office," rather than, "I am calling from the Simmons Cancer Center"? I know sometimes patients like to keep health matters private, even with their families.

A:Your instincts are exactly correct. It is preferable to leave the doctor's name, rather than the clinic name, on answering machines or with family members. When clinical departments are highly specialized, such as ours, the name of the clinic may imply a diagnosis. Although the HIPAA regulations do not explicitly prohibit leaving this information on a patient's answering machine, the regulations do require that we use reasonable safeguards to protect the privacy of our patients.

Go to top of page.

 

Q: I work in the Oral Surgery clinic and I have a pretty good understanding of the HIPAA regulations. However, I recently encountered a situation that I am not sure how to handle. We have a patient who is a minor, and she is also pregnant. Her parents are not aware of the pregnancy. The patient is scheduled to have a surgical procedure (wisdom-teeth extraction) done under IV sedation. The anesthesia risks, including those to the fetus, need to be explained in order to get informed consent. Can a pregnant minor sign the informed consent, or do the parents need to sign? If the parents have to sign, will we have to tell them about the pregnancy?

A: The situation you have encountered brings up the question of under what circumstance(s) a minor is able to consent for him or herself.  A minor is defined as anyone under the age of 18 and not legally emancipated by a court. HIPAA defers to state law to define when a minor can consent to medical, dental, psychological, and surgical treatment by a licensed physician or dentist. In the state of Texas, the Family Code, Title 2, Chapter 32 describes the situations under which a minor can consent, and they are as follows:

  1. A minor who is married;
  2. A minor who is on active duty with the U.S. armed forces;
  3. A minor who is at least 16 years old living on his or her own and is managing his or her own finances, regardless of the source of income;
  4. A minor who consents to the diagnosis and treatment of an infectious, contagious, or communicable disease reportable to the Health Department;
  5. A minor who consents to examination and treatment for drug or chemical addition or dependency;
  6. A minor who is unmarried and pregnant and consents to hospital, medical, or surgical treatment, other than abortion, related to the pregnancy; and
  7. A minor who is unmarried, is the parent of a child, and has actual custody of the child and consents to treatment for that child.

In the case described above, the unmarried pregnant minor has limited ability to consent. She may make medical/treatment-related decisions without her parents' knowledge or consent, but only for matters that directly involve the fetus/unborn infant. For example: she can make medical decisions about the delivery of the infant or whether to have an amniocentesis performed. 

She is not, however, able to consent to treatment if the treatment is not directly related to the pregnancy. So, in this case, the parents would be required by law to give consent for the wisdom-teeth extractions after being fully informed of all risks associated with anesthesia or the surgical procedure. This would include any risks to the fetus, if applicable.

For additional information, please refer to Ambulatory Services Policy 7.03: Consent to Treatment for the Minor Patient.

Go to top of page.

 

Q: When can I disclose protected health information to the friends and family of the patient?

A: There are specific situations when you may talk to friends and family without written authorization from the patient. For example, if the patient is present in the clinic, you may simply ask the patient if you may discuss their treatment or condition in the presence of their friends or family.

In addition, a health-care provider may verbally disclose protected health information (PHI) about a patient to a person involved in the patient’s care when the provider believes that the disclosure is in the best interest of the patient, such as when the patient does not have the capacity to communicate due to physical distress, incapacitation, or in an emergency situation.

If the patient has a legal representative, you may disclose PHI to a legal representative just as you would if they were the patient.  For more information and examples of legal representatives, go to UT Southwestern Ambulatory Services Policy 8.05: Legal Representatives.

All other situations require authorization from the patient. The patient may sign an authorization that would allow up to two individuals to communicate with physicians and staff about the patient’s treatment and condition. For more information and the appropriate authorization form, go to UT Southwestern Ambulatory Services Policy 8.04: Verbal Disclosures to Persons Involved in an Individual's Care.

Go to top of page.

 

Q: Is it a HIPAA violation to call out patients' names in the clinic waiting room?

A: No. It is not a HIPAA violation to call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. For example, you would not want to reveal the reason for the visit. The HIPAA Privacy Rule permits incidental disclosures that may result from this practice, such as when other patients in a waiting room hear the identity of the person whose name is called or see other patient names on a sign-in sheet.

Go to top of page.

 

Q: Who do I call to report a suspected privacy violation?

A: A HIPAA Hotline (ext. 8-2000) has been established for you to report suspected privacy violations or to ask HIPAA privacy-related questions.

Go to top of page.

 

Q: Can I leave appointment reminders on the patient’s answering machine or with a family member?

A: Yes. The HIPAA Privacy Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual’s privacy, you should take care to limit the amount of information disclosed on the answering machine to the following information:

  • The facility name (UT Southwestern Medical Center);
  • The name of the patient’s physician;
  • The appointment date and time;
  • Your name; and
  • Your telephone number in case the patient has questions or needs to reschedule the appointment.

Go to top of page.

 

Q: I heard I need to take online HIPAA training. What do I need to do, and how do I take the training?

A: New employees are notified by intercampus mail one to two weeks after their start date.  This notification will include detailed instructions as to how to access and complete the required training, as well as sign-on information.  If you have not received training instructions within two weeks, please contact either of the following individuals in the Office of Organizational Development and Training, John Morris at (214) 645-6787 or Kimberly Sallis at (214) 645-6797.

Existing employees who know their user ID and password can access the training by clicking on the HIPAA Privacy Office - Training page.

Go to top of page.

 

Q: Must I give a Notice of Privacy Practices to every patient, or can I just post the notice in the waiting room and give a copy to those patients who ask for it?

A: The Privacy Rule requires that all patients receive the Notice of Privacy Practices at the first delivery of services. If a patient has already received the Notice at another UT Southwestern clinic, you do not have to provide another Notice. You should check in IDX or Epic to see if the patient has already received the Notice. If not, you should:

  • Provide the patient with a copy of the Notice;
  • Ask the patient to sign an acknowledgement form;
  • File the Notice in the patient’s chart; and
  • Document the date in either IDX or Epic.

In addition, we are required to provide the Notice of Privacy Practices to anyone who asks for it, even if they are not yet a patient.

For more information on the Notice of Privacy Practices procedure, go to UT Southwestern Ambulatory Services Policy 8.09: Notice of Privacy Practices.

Go to top of page.

 

Q: May I discuss PHI with someone other than the patient regarding payment of a bill?

A: To protect the privacy of our patients, it is usually best to speak to the patient directly. However, in some cases the patient may need a friend, family member, or advocacy group to assist them with their account. In this situation, you may get verbal permission from the patient to allow you to speak to the caller about the patient’s account, but you must be sure to only release the minimum amount of information necessary to obtain payment for the health-care service provided. Be sure to document the verbal permission in the medical or billing records.

The patient is not required to stay on the line during the conversation or even be at the same location as the caller. For example, you may obtain the patient’s consent to speak with the caller via another phone line or three-way calling.

Go to top of page.

 

Q: If someone has a medical power of attorney for the patient, can they obtain access to that patient’s medical record?

A: Many patients may have a medical power of attorney on file in the event that they become incapacitated and are unable to make medical decisions for themselves. However, this does not give the person named in the medical power of attorney the right to obtain medical information about the patient until the attending physician certifies in writing that the patient is incapacitated and the medical power of attorney goes into effect.

Go to top of page.

 

Q: Does HIPAA allow students access to medical records during training?

A: Yes. Training of UT Southwestern students is considered health-care operations. Students who will be training at UT Southwestern, or one of the affiliated hospitals, for more than four weeks are required to complete the online HIPAA training. Visiting students who will be training at UT Southwestern, or one of the affiliated hospitals, for less than four weeks are required to complete the “HIPAA Lite” training program. Both types of HIPAA training are accessed from the HIPAA Web site.

For additional information about HIPAA training requirements, please contact either of the following individuals in the Office of Organizational Development and Training, John Morris at (214) 645-6787 or Kimberly Sallis at (214) 645-6797.

Go to top of page.

 

Home  |  Education  |  Research  |  Patient Care  |  Faculty and Administration  |  Careers
About UT Southwestern  |  News  |  Giving  |  All Departments  |  Contact Us  |  Site Map  |  Legal Disclaimer

The Digital Millennium Copyright Act of 1998  |  President's Message on Diversity  |  Privacy Policy |  Accessibility Policy


Copyright 2008. The University of Texas Southwestern Medical Center at Dallas
5323 Harry Hines Boulevard, Dallas, Texas 75390.     Telephone 214-648-3111