- Sometimes I like to
consult with other physicians to discuss difficult cases.
Will I have to get permission from patients before I can
do this?
No. Consulting with other
health-care providers falls within the Privacy Rule's
"treatment" category. The Privacy Rule does
not require any prior consent from patients before using
or disclosing information for treatment.
- Sometimes other physicians call
me to consult about their patients. Does this make me
responsible for protecting that patient's medical
information, even if he or she is not technically my
patient?
No. You are only responsible for
protecting the health-care information of patients with
whom you have a direct treatment relationship. HIPAA
does not apply to these indirect, consultative
relationships.
The August 2002 changes to the Privacy Rule clarify that
a covered entity may
- Use and disclose protected
health information for its own treatment, payment,
and health-care operations
- Share protected health
information for the treatment activities of another
health-care provider
- Disclose protected health
information to another covered entity or health-care
provider for the payment activities of that entity
- Release protected health
information to another covered entity for certain
health-care operations. (Such health-care operations
would be limited to quality assessment and
improvement activities; population-based activities
related to improving health or reducing health-care
costs; case management; conducting training
programs; accreditation, certification, licensing,
or credentialing activities; and health-care fraud
and abuse detection and compliance programs.)
The HHS intends that disclosures for health-care
operations could be made only to other covered entities,
while disclosures for treatment and payment purposes
would not be limited to covered entities.
- Can I discuss a patient's
condition with the following people without obtaining
specific permission from the patient?
- A pharmacist
Yes. This type of discussion
would be a disclosure for treatment.
- A home health-care agency or
worker
Yes. This type of discussion
would be a disclosure for treatment.
- Hospice
Yes. This type of discussion
would be a disclosure for treatment.
- Alternative medicine
providers
Maybe. It is not clear
whether alternative medicine providers fall within
the Privacy Rule's "health-care providers"
category, so communication with them may not fall
within the treatment exception.
- Psychologists, counselors,
social workers
Yes. A discussion with these
people would be disclosures for treatment.
- Case manager
Yes. Depending on the
particular approach, case management falls within
the definition of either treatment or health-care
operations. You should refer to possible disclosures
to case managers in your Notice of Privacy
Practices.
- Clinical laboratories
Yes. Discussing a patient's
laboratory results with the clinical laboratory
falls within the definition of treatment.
- Family members of patients
frequently call me to discuss the patient's condition.
- May I talk to them, or will
I have to get consent from the patient first?
In general, when the patient
is present and is able to communicate his or her
wishes, you should get the patient's oral agreement
before you disclose information to family members.
However, you can exercise professional judgment to
infer from the circumstances that there is no
objection to the disclosure (e.g., the patient
brought the family member into the examining room).
You may also want to ask a patient beginning a
treatment relationship to identify family members
who may have access to protected health information.
- What may I tell family
members about the patient's condition?
You may disclose to a family
member, relative, or close personal friend any
protected health information that is directly
relevant to that person's involvement in the
patient's care or payment related to the patient's
care. You may also use or disclose protected health
information to notify family members or others
responsible for the patient of the patient's
location, general condition, or death.
- What if the patient is
unable to consent to the disclosure?
If the patient is not
present or there is no way to obtain the patient's
agreement, you may exercise professional judgment to
determine whether disclosing the information is in
the best interest of the patient. If so, you may
disclose only the information that is directly
relevant to the family member or friend's
involvement in the patient's care or payment related
to the patient's care.
- What if the patient is a
minor? Can parents access their children's records?
Usually, yes. In its August
2002 changes to the Privacy Rule, the HHS clarifies
that it will defer to state or other applicable law
and professional practice with respect to parent
access to a minor's health records. The HHS makes
clear that it wishes to remain neutral on this
issue, defer to state law, and preserve the status
quo whenever possible.
The HHS assumes that current
health-care provider practices are consistent with
state law regarding parent access to minors' records
and would seek to leave current practice unchanged.
- I have heard that the Privacy
Rule's requirements also apply to oral communications.
Does that mean that I am required to have discussions with
patients and with my colleagues about patients in private
areas?
The Privacy Rule requires that
providers take reasonable steps to safeguard the safety
and confidentiality of their patients' health-care
information. This does not mean, for example, that
doctors cannot have discussions with their patients in
semiprivate hospital rooms. In the August 2002 changes,
the HHS adopted provisions to explicitly permit certain
incidental uses and disclosures that are secondary,
cannot reasonably be prevented, are limited in nature,
and occur as a byproduct of an otherwise permitted use
or disclosure under the Privacy Rule.
The exception for incidental disclosures would not apply
in situations where there is a failure to take
reasonable safeguards. It requires that providers take
reasonable precautions to avoid being overheard and
disclose only the minimum amount of information
necessary. The HHS has suggested that the following
activities are acceptable, if precautions are taken to
minimize inadvertent disclosures (such as using lowered
voices):
- Health-care staff may
orally coordinate services at hospital nursing
stations.
- Nurses or other health-care professionals may
discuss a patient's condition over the phone with
the patient, a provider, or a family member.
- A health-care professional
may discuss laboratory test results with a patient
or other provider in a joint treatment area.
- Does the Privacy Rule prohibit
the use of patient sign-in sheets or calling a patient's
name in the waiting room?
In its July 2001 guidance, the
HHS clarified that the Privacy Rule is not intended to
prohibit these specific activities. As noted above, the
August 2002 changes provided additional clarification
that "customary and necessary health-care
communications or practices" are generally
permitted, even if they result in incidental uses or
disclosures, so long as "reasonable safeguards are
employed, the burden of impeding such communications are
not outweighed by any benefits that may accrue to
individuals' privacy interests."
In the case of patient sign-in sheets, practices can
continue to use them, but should collect only the
minimum necessary amount of information. For example,
sign-in sheets should not include the reason for the
visit (chemotherapy, shots, physician visit). Practices
may also want to remove the requirement that patients
list the doctor who is treating them.
- Does the Privacy Rule prevent me
from administering chemotherapy in a group setting? Do I
have to put up screens between the patient chairs?
No. The exceptions in the Rule
for incidental disclosures (see previous two answers)
allow the delivery of chemotherapy in a group setting,
as long as reasonable efforts are made to protect
patients' private health information. These efforts
could include lowering voices when speaking, having
extensive treatment discussions in a private area, and
disclosing the minimum necessary amount of information
when talking with a patient. Providers should also
consider making reasonable efforts to provide private
rooms for chemotherapy if a patient requests privacy.
Your Notice of Privacy Practices should include
information about the delivery of chemotherapy in a
group setting.
- Because I provide chemotherapy
in a group setting, my patients often develop bonds and
friendships. If one of them does not show up for a weekly
appointment, others are likely to ask where that patient
is. Am I allowed to disclose information about that
patient in his or her absence?
Generally, no. The Privacy Rule
requires disclosure of information only to family
members and friends that a patient specifies. It is
obvious that in group treatment settings bonds between
patients will form and it will be difficult to avoid
inadvertent disclosure of some information. Providers
should use common sense in answering questions from
other patients about an absent patient and disclose as
little information as possible about that patient's
protected information. In addition, providers should
ensure that their staff policies and training materials
include discussion of how to handle this particular
situation.
- I often refer my patients to
support/counseling programs and patient advocacy groups.
Can I still do this, or do I need to get the patient's
consent first?
According to the August 2002
changes, if this referral is considered treatment, you
could disclose protected health information to the
support group or patient advocacy organization without
permission from the patient.
However, it is not certain such referral would be
considered part of the treatment process. If it is not
considered treatment (you merely provide information to
the patient about a support group or patient advocacy
group, allowing the patient to make the contact
directly), there are no privacy concerns. In general, if
you contact the advocacy group or support group on the
patient's behalf, you should consider obtaining
authorization from the patient.
- My state has a cancer registry
that requires me to report information about cancer
diagnoses.
- Can I disclose patient
information to the registry without getting
authorization from my patients?
Yes. The Privacy Rule
permits disclosures to public health authorities,
such as state cancer registries, without patient
permission. However, you must include public health
reporting in your Notice of Privacy Practices to
patients, thereby informing them of all potential
uses of their health information.
- Do I have to document
reports to cancer registries when I account for
disclosures?
Yes. You must document in
the accounting disclosures that you have made for
public health purposes.
- Can I allow hospital cancer
registrars to use my records to complete their
reports?
Under the Privacy Rule's
public health exceptions, you may disclose
information only to the public health authority
directly, not to a third party. However, state laws
may require cancer reporting and may authorize
hospitals to obtain information from physicians. The
Privacy Rule does not preempt state laws for public
health reporting, surveillance, investigation, and
intervention.
- When my patients have trouble
paying for the drugs they need, I sometimes help them
enroll in a drug company's Patient Assistance Program
(PAP). Most programs require me to submit the forms on
behalf of the patient, and they require a lot of personal
information to check eligibility. In addition to having
patients sign the consent form for the PAP, do I need to
have them sign an authorization form?
According to the August 2002
changes, you would be allowed to disclose information to
the PAP without consent if the PAP fell within the
definition of treatment. However, because there may be
some doubt about how to handle PAPs, the safest approach
would be to obtain an authorization for disclosure that
complies with the Privacy Rule. It is quite possible
that manufacturers will include the required elements of
an appropriate authorization in the PAP enrollment forms
after the compliance date.
- Do I need to get patients'
authorization to use their health-care information if I
have removed their names from the information disclosed?
Although the Privacy Rule does
not cover information that has been
"de-identified", the standards for
de-identifying protected health information are very
strict. Merely removing the patient's name does not
render the information de-identified under the Privacy
Rule; instead, the Rule includes a list of 18
identifiers that must be removed before the information
is considered to be de-identified. Thus, changing the
patient's name probably will not be enough to permit you
to disclose the information without authorization. The
identifiers that must be removed are
- Names
- Geographic subdivisions
smaller than a state (except for the first three
digits of the zip code in some cases)
- All elements of dates
(except year) and the age of the patients who are
older than 89
- Telephone and fax numbers
- E-mail addresses, URLs,
and IP addresses
- Social Security, vehicle
identification, and license plate numbers
- Medical record, health
plan, account, and certificate/license numbers
- Device identifiers and
serial numbers
- Biometric identifiers,
including finger and voice prints
- Full-face photos and any
comparable images
- Any other unique
identifying number, characteristic, or code
- Does the Privacy Rule require
patient authorization in the following situations?
- Presenting the patient's case at
a Morbidity and Mortality (M&M) Conference
No. This situation falls within
"health-care operations" as a quality
improvement activity.
- Presenting the patient's case in
a Grand Rounds
It depends. Grand Rounds would
generally be considered an "educational"
activity and would fall within the category of allowable
treatment, payment, and health-care operations. In that
situation, individual authorization is not required.
However, some institutions structure their Grand Rounds
as more public events, with possible attendance by
individuals who are not on the hospital medical staff.
In those situations, it may be best to avoid disclosing
protected health information or to seek authorization
for such disclosure.
- Disclosing the patient's case to
a peer review organization
No. Peer review activities fall
within the definition of health-care operations and do
not require authorization.
- Presenting the patient's case at
a professional meeting (e.g., an ASCO meeting)
As with Grand Rounds,
professional meetings could be considered
"education and training" but could also have a
public audience. It would be best to get authorization
or to de-identify the information.
- Discussing the patient's case
with residents and interns
No. This discussion would fall
under either "treatment" (if the residents and
interns are part of the care team) or health-care
operations as part of a training program.
- Bringing the patient's case
before a Tumor Board
If the purpose of the disclosure
is to make a treatment decision for the patient, no
authorization is necessary.
- Using the patient as a case
study in a journal article
If you cannot de-identify the
information before using it in the journal, you must
obtain authorization from the patient.
- May I schedule appointments,
surgery, or other procedures for a patient who has been
referred to me but whom I have not yet seen in person?
Yes. The August 2002 changes
permit use of patients' health information for
treatment, payment, and health-care operations without
their consent. However, the Final Rule requires that
providers give patients their Notice of Privacy
Practices and make a good faith effort to obtain
patients' written acknowledgment of receipt of the
Notice by no later than the date of the first service
delivery. If the provider first supplies treatment
information to a patient by e-mail, the provider should
supply the Notice and make a good faith effort to obtain
acknowledgment electronically.
The only exception to the requirement for notice and
patient acknowledgment is in emergency treatment
situations.
- When my patient has problems
with a prescription medication or experiences adverse
events, I report those problems to MedWatch or to the
manufacturer of the drug. Does the Privacy Rule require me
to get authorization from patients before making these
reports?
No. According to the August
2002 changes to the Privacy Rule, you may disclose
protected health information without patient
authorization to entities subject to the jurisdiction of
the U.S. Food and Drug Administration (FDA) (e.g., the
manufacturer) with responsibility for the quality,
safety, or effectiveness of the FDA-regulated product or
activity.
- Can I discuss my patients'
experiences with a particular drug with the drug company
sales representative?
You may report pharmaceutical
adverse events and product defects to the person
required or directed to report that information to the
U.S. FDA (e.g., the manufacturer). However, the sales
representative may not be the person charged with
reporting to the FDA. Most companies have designated
individuals to whom adverse events should be reported.
You may not disclose protected health information to
sales representatives for the purpose of sharing other
experiences with a drug (e.g., efficacy, side effects)
unless you have the patient's authorization.
- Can I allow the sales
representative to review patient charts to find candidates
for a new medication?
No. Although you may disclose
information to other health-care providers without
authorization for treatment purposes, the sales
representative is not a health-care provider.
- Drug companies sometimes ask me
to give them the names of patients taking a particular
drug for their exposure registries. Can I disclose this
information without a patient's authorization?
If the pharmaceutical company
has been required or directed by the U.S. FDA to track
the product, you may disclose protected health
information to the company for that purpose without
authorization from the patient. You should include
FDA-required drug exposure registries in your Notice of
Privacy Practices. If the FDA has not required the
registry, you must obtain authorization.
- I have heard that the Privacy
Rule will not allow a pharmacy to fill a prescription I
have phoned in to a pharmacy unless the patient has
already signed a consent form with that pharmacy. Is that
true?
No. The August 2002 changes to
the Rule eliminated the requirement to obtain a
patient's consent for use of health information prior to
treatment. By eliminating the prior consent requirement,
the HHS authorizes pharmacists to fill phoned-in
prescriptions without receiving advance written consent
from the patient.
- I am concerned about the Privacy
Rule's "minimum necessary" requirement. Does
this mean that my staff has to figure out what part of the
medical record to send for every disclosure (i.e., to
insurance companies, to other doctors' offices, to the
hospital)?
The "minimum
necessary" requirement does not apply to
disclosures between providers for treatment purposes,
such as to other physicians' offices or to hospitals at
which the patient is being treated. However, for routine
disclosures related to payment and health-care
operations, the Privacy Rule requires you to have
standard protocols in place for limiting the amount of
information disclosed to the "minimum
necessary." For nonroutine disclosures, your
policies and procedures must set forth ways for
determining the minimum amount of information that is
necessary.
The Privacy Rule does not impose a definition of
"minimum necessary." Rather, it gives
providers the flexibility to make their own
determinations on the basis of professional judgment.
The HHS stated in its July 2001 guidance that the
"minimum necessary" requirement "is not a
strict standard, and covered entities need not limit
information uses or disclosures to those that are
absolutely needed to serve the purpose. Rather, this is
a reasonableness standard that calls for an approach
consistent with the best practices and guidelines
already used by many providers today to limit the
unnecessary sharing of medical information."
With respect to disclosures of health information to
another covered entity, the Privacy Rule permits a
covered entity to reasonably rely on another covered
entity's request for protected health information as the
minimum necessary for the intended disclosure.
Therefore, the Rule allows a provider to assume that the
health plan's request for health information is
compliant with the minimum necessary standard.
- Does the Privacy Rule require me
to disclose information to law enforcement authorities?
The Privacy Rule does not
require you to disclose protected health information
except in two circumstances: (1) to the individual who
is the subject of the information; and (2) to the HHS to
assist in an investigation. The Rule permits you to
disclose protected health information to law enforcement
authorities without authorization in response to a court
order, warrant, subpoena, summons, or administrative
request. You may also disclose certain protected health
information for law enforcement purposes, such as
locating suspects, witnesses, and missing persons, and
identifying victims.
- Can I disclose information about
patients who are deceased?
In general, you must protect
information about deceased patients in the same manner
and to the same extent as information about living
patients. Exceptions to this rule are (1) you may
disclose protected health information about deceased
patients to coroners, medical examiners, funeral
directors, and law enforcement officials as necessary to
carry out their duties; and (2) you may use or disclose
protected health information about deceased individuals
for research purposes if you obtain a representation
from the researcher that the information will be used
solely for research.
- My patients like to e-mail me
with questions about their condition. How does the Privacy
Rule affect my ability to communicate with them by e-mail?
Do I have to keep an accounting of these disclosures?
The Privacy Rule does not affect
your ability to communicate with your patients, whether
by e-mail, phone, or in person. These discussions would
most likely fall within the definition of
"treatment" and would not require any
accounting for purposes of the Privacy Rule. However,
another HIPAA regulation, which addresses security and
electronic signatures, will require you to have certain
security standards in place if you transmit protected
health information electronically. (The HHS proposed the
security regulation in August 1998 but has not finalized
it. ASCO will provide additional information about the
security regulation when it is final.) Providers may
want to consider asking their patients to sign a
separate statement indicating their desire to engage in
e-mail communications and acknowledging the risk
associated with such communications.