FALSE!  The Privacy Rule is not intended to prohibit providers from talking to each other and to their patients.
Provisions of the rule exempting treatment disclosures from the minimum necessary standard are intended to ensure that providers’ primary consideration is the appropriate treatment of their patients.  We also understand that overheard communications are unavoidable.   We would consider the following and other similar kinds of conversations to be permissible, if reasonable precautions are taken to minimize the chance of inadvertent disclosures to others who may be nearby (such as using lowered voices):
*Health care staff may orally coordinate services at hospital nursing stations.
*Nurses or other health care professionals may discuss a patient’s condition over the phone with the patient, a provider, or a family member.
*A health care professional may discuss lab test results with a patient or other provider in a joint treatment area or a semi-private hospital room.
In March, the Secretary proposed new regulatory language to reinforce and clarify that these and similar inadvertent disclosures are permissible so long as reasonable precautions, taking into account the situation and the nature of the covered entity, are taken.
FALSE! The rule does not require a physician or any other covered entity to send medical information to the government for a government database or similar operation. 
This rule does not require or allow any new government access to medical information, with one exception: the rule does give the HHS Office for Civil Rights the authority to investigate complaints and to otherwise ensure that covered entities comply with the rule.  (OCR has been assigned the responsibility of enforcing the Privacy Rule.) 
The only other disclosure of health information required by the rule is disclosure to the individual who is the subject of the record, at her request.  All other disclosures of health information covered by the Rule are disclosures that are permitted in certain circumstances and subject to certain restrictions, but are not required.
TRUE!  The Privacy Rule does not permit covered entities, including pharmacists, to use identifiable health information for treatment, payment, or health care operations without prior patient consent.
It poses a problem for first-time users of a particular pharmacy or pharmacy chain, as well as problems relating to access to medical care.  The Department of Health and Human Services did not intend the rule to interfere with a pharmacist’s normal activities in this way.
The Secretary is aware of this problem and, in March, proposed new regulatory language to fix this problem.  The proposal would eliminate the requirement that direct treatment providers obtain consent to use or disclose protected health information for purposes of treatment, payment, or health care operations (while requiring permission before individually identifiable health information can be used or disclosed for other purposes) while strengthening the requirement for the provision of a notice of a covered entity’s privacy practices.
FALSE! The Rule allows a pharmacist to use professional judgment and experience with common practice to make reasonable inferences of the patient’s best interest in allowing a person, other than the patient, to pick up a prescription. 
For example, the fact that a relative or friend arrives at a pharmacy and asks to pick up a specific prescription for an individual effectively verifies that he or she is involved in the individual's care, and the rule allows the pharmacist to give the filled prescription to the relative or friend.  The individual does not need to provide the pharmacist with the names of such persons in advance.
FALSE!  Covered entities are not required to monitor or oversee the means by which the business associate carries out safeguards or the extent to which the business associate abides by the requirements of the contract. 
If the covered entity becomes aware of an activity or practice of the business associate that constitutes a material breach or violation of the business associate’s obligations under its contract, the covered entity must take “reasonable steps” to cure the breach or to end the violation.  This depends on the actual knowledge of the covered entity; there is no obligation to monitor or investigate.
The required reasonable steps will vary with the circumstances and nature of the business relationship.  If such steps are not successful, the covered entity must terminate the contract, if feasible.  The rule also provides for circumstances in which termination is not feasible, for example, where there are no other viable business alternatives for the covered entity.  In such circumstances where termination is not feasible, the covered entity must report the problem to the Department.  Only if the covered entity fails to take the kinds of steps described above would it be considered to be out of compliance with the requirements of the rule.
FALSE!  The Department did not intend to prohibit the use of sign-in sheets or the practice of calling patients’ names in the waiting room when it is time for their appointments and clarified this in the July 6 guidance.   The Secretary has proposed modifications to make clear that sign-in sheets and similar practices will not violate the Rule.
FALSE!  The Privacy Rule does not require these types of structural changes be made to facilities.   Covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.
“Reasonable safeguards” mean that covered entities must make reasonable efforts to prevent uses and disclosures not permitted by the rule.  The Department does not consider facility restructuring to be a requirement under this standard.   The rule does not require that all risk be eliminated to satisfy this standard.  For example, the Privacy Rule does not require the following types of structural or systems changes:
*Private rooms.
*Soundproofing of rooms.
*Encryption of wireless or other emergency medical radio communications which can be intercepted by scanners. 
*Encryption of telephone systems.
In determining what is reasonable, the Department will take into account the concerns of covered entities regarding potential effects on patient care and financial burden.  Some covered entities may need to make certain adjustments to their facilities to minimize access, such as isolating and locking file cabinets or records rooms, or providing additional security, such as passwords, on computers maintaining personal information.  No structural modifications are required to be made to semi-private rooms under the Rule.
TRUE! The Privacy Rule does not prohibit use or disclosure of, or requests for, an entire medical record where appropriate.  An employee of a covered entity may use an entire medical record, without a case-by-case justification, if the covered entity has documented in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes.
The policies and procedures would identify those persons or classes of persons in the workforce that need to see the entire medical record and the conditions, if any, that are appropriate for such access.  No justification is needed in those instances where the minimum necessary standard does not apply, such as disclosures to or requests by a health care provider for treatment or disclosures to the individual.
The Privacy Rule provides the covered entity with substantial discretion as to how to implement the minimum necessary standard, and appropriately and reasonably limit access to and the use of identifiable health information within the covered entity.  The rule recognizes that the covered entity is in the best position to know and determine who in its workforce needs access to personal health information to perform their jobs.  Therefore, the covered entity can develop role-based access policies that allow its health care providers and other employees, as appropriate, access to patient information, including entire medical records, for treatment purposes.
FALSE!  The Privacy Rule requirements do not require any particular technologies or types of technologies.  They are flexible and scalable to the covered entity’s information needs and information systems.
FALSE! The Rule does not prohibit faxing of individually identifiable health information.  Covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. 
“Reasonable safeguards” mean that covered entities must make reasonable efforts to prevent uses and disclosures not permitted by the rule.  For example, a fax machine on which a provider or plan routinely receives identifiable health information probably should not be placed in a public location that would allow inappropriate access to the information (e.g., in the waiting room or public hallway).
TRUE! A disclosure of identifiable health information that is required by another law is automatically permitted by the Privacy Rule. 
There is a special provision permitting such disclosures, so no one can get ‘caught in the middle.’  The Privacy Rule generally would require a covered entity to provide an accounting of the disclosure to the patient upon request.
FALSE! This law delays compliance with the Transaction and Code Set standards for covered entities that file a compliance plan.  This law does not apply to the Privacy Rule.  The compliance date for the Privacy Rule is still April 14, 2003 (April 14, 2004 for small health plans).
FALSE! The Rule permits such disclosures under specified circumstances, but does not require them.  In some cases, like research, an individual’s authorization may be required.  However, even when an authorization is not required and a disclosure is permitted by the Rule, there may be limitations or other requirements on such disclosures. 
In all cases where an individual has not authorized a requested disclosure, a doctor should use his own professional and ethical judgment about when and what information to disclose in response to such requests.  A doctor is not required under the Rule to disclose health information for research or law enforcement.