The 3 biggest HIPAA myths debunked

As a healthcare consultant, I am asked about HIPAA regulations almost every week. Three questions come up regularly and seem to cause the most confusion when discussing HIPAA. I call them the Three Big HIPAA Myths: you can’t place medical charts on exam room doors, you can’t use sign-in sheets, and you can’t leave messages on patients’ voice mail or answering machines.

Here, then, are the answers, straight from the Office for Civil Rights, which enforces:

  • the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information;
  • the HIPAA Security Rule, which sets national standards for the security of electronic protected health information;
  • the HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of unsecured protected health information;
  • and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.

Question 1: A clinic customarily places patient charts in the plastic box outside an exam room. It does not want the record left unattended with the patient, and physicians want the record close by for fast review right before they walk into the exam room. Does the HIPAA privacy rule allow the clinic to continue this practice?

Answer: Yes, the Privacy Rule permits this practice as long as the clinic takes reasonable and appropriate measures to protect the patient’s privacy. The physician or other health care professionals use the patient charts for treatment purposes. Incidental disclosures to others that might occur as a result of the charts being left in the box are permitted, if the minimum necessary and reasonable safeguards requirements are met.

Examples of measures that could be reasonable and appropriate to safeguard the patient chart in such a situation would be limiting access to certain areas, ensuring that the area is supervised, escorting non-employees in the area, or placing the patient chart in the box with the front cover facing the wall rather than having protected health information about the patient visible to anyone who walks by. Each covered entity must evaluate what measures are reasonable and appropriate in its environment.

Question 2: May physician offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?

Answer: Yes. Covered entities, such as physicians’ offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician).

Question 3: May physicians’ offices or pharmacists leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients’ homes?

Answer: Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual’s privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.

A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual’s care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed.

In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable. For example, the Department considers a request to receive mailings from the covered entity in a closed envelope rather than by postcard to be a reasonable request that should be accommodated. Similarly, a request to receive mail from the covered entity at a post office box rather than at home, or to receive calls at the office rather than at home, is also considered a reasonable request, absent extenuating circumstances.

Mary Pat Whaley is a physician advocate and consultant who blogs at Manage My Practice.


  • Medical Revolt

    Thank you for posting some of this. I have been so frustrated by the misunderstanding of HIPPA. I cannot tell you how many times I was told in residency and in practice not to print out my notes and give them to the patient as it was a violation of HIPPA. As if HIPPA was ever meant to protect patients from their own health information.

    • Deb


      • Medical Revolt

        Me know much HIPPA. Me smart. I fixed it. Thank you. (red face)

        • drgh

          No worries, Medical Revolt. Love your name, BTW. It is a meaningless piece of legislation with some P’s and A’s.

  • drgh

    The problem is, what about the non covered entities?

    • Aaron

      Non-covered entities are not bound by HIPAA law, only by their state practice act, professional association and/or personal moral code.

      HIPAA is primarily to protect the transmission of private patient electronic information and patients’ rights to “portability” of their insurance plan.

  • Aaron

    What a great blog post! Unfortunately most healthcare professionals, even administrators, have a hard time fully understanding the direct and everyday impact of HIPAA. This is in no small part an effect of the language used to craft the law and rules. Thanks for breaking it down so more folks understand the laws and rules.

  • Kaya5255

    Healthcare providers’ offices seem to have a difficult time comprehending that HIPAA allows them to address consumers as “Mrs. Smith, Mr. Jones, Dr. Black”. Nothing irritates me more than having a clerk or medical assistant address me by my given name. I am not a friend! I am a paying customer!! It is common courtesy to do so.
    I have come to the conclusion that by addressing consumers by their given name and referring to the provider as “Doctor”, it reinforces a subordinate posture.
    Consumers are not second class citizens and should demand that all providers address them properly. Respect goes both ways.
    Physicians are not gods, although some of them think they are!
    It’s time for consumers to take them down a peg or two!

    • drgh

      It works both ways. I have patients trying to make appointments that call me by my first name as well.

      • Kaya5255

        Do you, by any chance, refer to your customers as “Joe” or “Mary”? The people who address you by your given name may be trying to make a point.
        Might I suggest that you address them as “Mr” or “Mrs” and if they address you as “George”, you may politely say, “I’d prefer that you call me Doctor Henry. Thank you.”
        As both you and I said, respect goes two ways!!

        • drll

          I was taught to always address people by their last name (Mr., Ms., etc.). The people that call for appointments I have never met or spoken with before, but they often call me by my first name.

  • southerndoc1

    Number one myth:
    HIPAA was designed and enacted to protect patients.

    • Guest

      HIPAA was designed to employ bobbleheads with double digit IQs who could find meaning in their lives “protecting patients.”

  • meyati

    I was talking to a nurse about this. She complained that she didn’t even know that a patient was being discharged from the hospital. The reason: HIPAA.

  • DJ Jaffe

    HIPAA Handcuffs are a giant impediment to getting appropriate treatment for people with serious mental illness.

    PROBLEMS

    • When a mentally ill child (over 18) goes missing, families can’t find him because hospitals and shelters can’t disclose.

    • When institutions release the mentally ill to a family’s care, they can’t inform parents first.

    • When the child is given meds or a follow-up appointment, the parents can’t be told and therefore can’t ensure they get the meds or get to the next appointment.

    As a result of HIPAA handcuffs, families of the mentally ill are given the responsibility to provide care for their loved ones but are not given the information or authority to do it.


    Treatment providers should have complete discretion to reveal to family members, caregivers, law enforcement or potential victims any clinical information that is necessary or helpful in managing that patient’s care in a community to which the patient belongs.

    HIPAA should include “safe harbor” provisions. The provisions should insulate a person or organization from liability (or loss of funding) for

    • making a disclosure with a good faith belief that the disclosure was necessary to protect the health, safety, or welfare of the person involved or members of the general public.

    Remove the HIPAA rule that prohibits treatment providers from releasing threatening information to potential victims or to law enforcement unless the threat is both “serious and imminent.”

    • Treatment providers should have discretion to communicate freely with family members and caregivers about how to manage their relationships to a seriously ill friend or family member, regardless of whether threatening behavior is in the picture.

    • The lack of this rule impeded those who treated Seung Hui Cho before Virginia Tech. Because Cho was an adult, HIPAA prevented providers from communicating to his parents without a release from Cho. Had they called the parents, they would have learned of his extensive history of mental illness. Without that, they assumed wrongly that this was a recent, temporary and perhaps non-serious psychotic break. The parents said that if they had known what was going on at college, they would have brought him to treatment by those who knew his history. No one, including their son, was reporting any difficulties to them, so they assumed Cho had recovered and was doing fine.

    HIPAA rules for front line providers should be short, simple and memorable. They should not require three pages of size 10 font just to print turgid extracts containing dozens of impenetrable cross references.

    While the right to privacy is important, it must be balanced with society’s obligation to provide effective care to the mentally ill in the least restrictive setting. Current HIPAA rules prevent well-meaning providers from rendering effective care and, worse still, create constant, real and present dangers to our society.
