HIPAA is the Health Insurance Portability and Accountability Act of 2003 (Privacy) and 2005 (Security). This act includes the HIPAA privacy and security rules created to establish national standards to protect individuals' medical records and other protected health information (PHI).
Per the HIPAA Administrative Simplification Regulations (45 CFR §164.404), this letter serves as substitute individual notification for patients who may be included in a recent incident involving a physician at our Neurosurgery Arkansas clinic. If you think you may have been affected by this breach, please call 1-800-568-8526 and ask for Dana Williams, Privacy Officer. Thank you.
What Are My Rights Under HIPAA?
A series of short educational videos is available at HealthIT.gov to help individuals better understand their right to see and get their health information and to have that information sent to others of their choosing (including family members, caregivers, or a mobile device application).
You have the right to inspect and obtain a copy of your protected health information.
This means that you may inspect and obtain a copy of protected health information about you that is contained in a designated record set for as long as we maintain your protected health information. A designated record set contains medical and billing records and any other records that we use in making decisions about you. You may request the records be provided in paper or electronic format. You may be charged a fee for the cost of copying, mailing, or supplies associated with your request.
Under federal and state law, however, you may be denied access to inspect or obtain a copy. Depending on the circumstances, the decision to deny access may be reviewable.
Please contact the medical records department at 501-202-1914 if you have any questions about access to your medical record.
You have the right to request a restriction of your protected health information.
This means that you may ask us not to use or disclose any part of your protected health information for the purposes of treatment, payment, or healthcare operations. You may request that any part of your protected health information not be disclosed to family members or friends who may be involved in your care. Your request must state the specific restriction requested and to whom this restriction applies. You may also request that PHI be restricted from a health plan with respect to health care for which you have paid in full out of pocket. The request and payment must be made in writing in advance of the services being provided.
The hospital/physician is not required to agree to the restriction that you request, except in the case of a requested restriction of PHI to a health plan for purposes of payment or healthcare operations with respect to health care for which you have paid in full out of pocket. If the hospital/physician believes that it is in your best interest to permit use and disclosure of your protected health information, it will not be restricted. With this in mind, please discuss any restriction you wish to request with your physician.
You have the right to request to receive confidential communication from us by alternative means or at an alternative location.
We will accommodate reasonable requests. We may also condition this accommodation by asking you how payment will be handled and to specify any alternative address or other method of contact. We will not request an explanation from you as to the basis for the request. Please make this request in writing to the privacy contact listed below.
You have the right to request an amendment to your protected health information.
This means that you may request an amendment of protected health information about you in a designated record set for as long as we maintain the information. In certain cases, we may deny your request for an amendment. If we deny your request, you have the right to file a statement of disagreement with us and we may prepare a rebuttal to your statement and will provide you with a copy. Please contact the appropriate medical record department if you have questions about amending your medical record.
You have the right to receive an accounting of certain disclosures we have made, if any, of your protected health information.
This right applies to disclosures made for purposes outside those for treatment, payment, and healthcare operations. You have the right to receive specific information regarding non-routine disclosures that occurred after April 14, 2003. We must respond within sixty (60) days. You may request a shorter timeframe. You are entitled to receive one (1) free accounting each year. There will be a fee for any additional accounting requests during the year. The right to receive this information is subject to certain exceptions, restrictions, and limitations.
You have the right to obtain a copy of this notice from us.
Upon request, you may receive an additional paper or electronic copy of this notice from us.
You have the right to file a complaint.
If you believe your privacy rights have been violated by Baptist Health, you may file a complaint with us by contacting the Baptist Health Privacy Officer at 501-202-6776. You may also file a complaint with the Secretary of Health and Human Services. We will not retaliate against you for filing a complaint. We will not require you to waive the right to file a complaint with HHS as a condition to receive treatment from us.
You have the right to receive a notice following a breach of your unsecured PHI.
This notice will be provided by mail or through the media.
Those required to comply with these standards set by Congress include health plans, healthcare clearinghouses and healthcare providers who conduct certain financial and administrative transactions electronically. These entities (collectively called "covered entities") are bound by the standards even if they contract with others (called "business associates") to perform some of their essential functions. In compliance with these regulations, Baptist Health:
- Provides information to patients about their privacy rights and how their information can be used.
- Has privacy/security policies and procedures for its practice or hospital.
- Trains employees so that they understand the policies and procedures.
- Employs a Privacy Officer and a Chief Information Security Officer to be responsible for seeing that the policies and procedures are adopted and followed.
- Secures patient records containing PHI so that the records are not readily available to those who do not need them.
The American Recovery and Reinvestment Act of 2009 contains a set of provisions known as the Health Information Technology for Economic and Clinical Health Act (HITECH Act). This Act modifies the existing HIPAA privacy and security requirements by providing for the following:
- Increases civil monetary penalties for HIPAA violations.
- Requires business associates to comply with the HIPAA Security Rules.
- Defines what constitutes a breach and the notification requirements for certain breaches to be reported to patients, the media and the Office for Civil Rights.
- Imposes restrictions on certain types of disclosures (e.g. sale, marketing of PHI).
To report a privacy/security violation or to request additional information, please contact the Privacy Office at (501) 202-6776 or email email@example.com.
Privacy Complaint Form (PDF)
Notice of Privacy Practices (PDF)
Aviso de Prácticas de Privacidad (Notice of Privacy Practices, Spanish) (PDF)
What is Protected Health Information (PHI) (Otherwise known as "individually identifiable health information")?
Any health information that identifies the patient, or for which there is a reasonable basis to believe the information can be used to identify the patient.
How are covered entities (like our healthcare system) expected to determine what is the minimum necessary information that can be used, disclosed or requested for a particular purpose?
The Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of and requests for PHI to the minimum necessary to accomplish the intended purpose. The minimum necessary standard is intended to make covered entities evaluate and enhance protections as needed to prevent unnecessary or inappropriate access to PHI. It is intended to reflect and be consistent with, not override, professional judgment and standards.
How is minimum necessary defined?
The least amount of PHI required to satisfy a request. For example, records compiled in response to a PHI request for a specific date of service should not include treatment records for other dates of service.
Do the minimum necessary requirements prohibit covered entities from maintaining patient medical charts at bedside, require that covered entities shred empty prescription vials or require that X-ray light boards be isolated?
No. The minimum necessary standards do not require that covered entities take any of these specific measures. Covered entities must, in accordance with other provisions of the Privacy Rule, take reasonable precautions to prevent inadvertent or unnecessary disclosures.
What is an Authorization?
Authorization permits a covered entity to use and disclose only specific PHI to specified individuals for specified purposes that are almost always for purposes other than treatment, payment or healthcare operations.
What information can a hospital provide if one inquires about a patient by name?
Information about the patient's general condition and location of an inpatient, outpatient or emergency department patient may be released only if the inquiry specifically identifies the patient by name. No information may be given if a request does not include a specific patient's name or if the patient requests that the information not be released.
If healthcare providers engage in confidential conversations with other providers or with patients, have they violated the rule if there is a possibility that they could be overheard?
The Privacy Rule is not intended to prohibit providers from talking to other providers and to their patients. We would consider the following practices to be permissible, if reasonable precautions are taken to minimize the chance of inadvertent disclosures to others who may be nearby (such as using lowered voices, talking apart):
- Healthcare staff may orally coordinate services at hospital nursing stations.
- Nurses or other healthcare professionals may discuss a patient's condition over the phone with the patient, a provider or a family member.
- A healthcare professional may discuss lab test results with a patient or other provider in a joint treatment area.
- Healthcare professionals may discuss a patient's condition during training rounds in an academic or training institution.
Does the Privacy Rule require hospitals and doctors' offices to be retrofitted, to provide private rooms and soundproof walls to avoid any possibility that a conversation is overheard?
No. The Privacy Rule does not require that structural changes be made, such as creating private rooms, soundproofing rooms, or encrypting telephone systems or wireless or other emergency medical radio communications that can be intercepted by scanners.
Can a physician's office or hospital FAX patient medical information to another physician's office or hospital?
The Privacy Rule permits the disclosure of PHI to another healthcare provider for treatment purposes. This can be done by fax or by other means. Covered entities must have in place reasonable and appropriate administrative, technical and physical safeguards to protect the privacy of PHI that is disclosed using a fax machine.
Can we still use the sign-out/in sheets at the desk to track patient locations off the unit?
Yes, so long as the information disclosed is appropriately limited. For example, a sign-in sheet may not display medical information (such as the medical problem for which the patient is being seen) that is not necessary for the purpose of signing in.
How will this affect students having access to patient information during their training?
The Privacy Rule provides for "conducting training programs in which students, trainees or practitioners in areas of healthcare learn under supervision to practice or improve their skills as healthcare providers." Baptist Health’s policies and procedures will continue to permit medical trainees access to patients' medical information, including entire medical records.
Are hospitals able to inform the clergy about parishioners in the hospital?
Yes. The Privacy Rule allows this communication to occur, as long as the patient has been informed of this use and disclosure, and does not object. The Privacy Rule provides that a hospital or other covered healthcare provider may maintain in a directory the following information about that individual:
- the individual's name;
- location in the facility;
- health condition expressed in general terms; and
- religious affiliation.
The facility may disclose this directory information to members of the clergy. For example, a hospital may disclose the names of Methodist patients to a Methodist minister unless a patient has restricted such disclosure.
A hospital customarily displays patients' names next to the door of the hospital rooms that they occupy. Will the Privacy Rule allow the hospital to continue this practice?
Disclosure of patient names by posting on the wall is permitted by the Privacy Rule, if the use or disclosure is for treatment (i.e., to ensure that patient care is provided to the correct individual) or healthcare operations purposes (i.e., as a service for patients and their families).
Can physician offices use patient sign-in sheets or call out the names of patients in their waiting rooms?
Yes. Covered entities such as physician offices may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The Privacy Rule explicitly permits certain "incidental disclosures" that occur as a by-product of an otherwise permitted disclosure.
For additional information or questions, please contact Dana Williams, Privacy Officer, at (501) 202-6776.