Some of you have expressed concern that the example in our HIPAA e-mail
was far-fetched and only a marketing ploy. Below, please see our reply
to one such posting and the reasons why certain messages on this
listserv could cause HIPAA compliance problems. If you are still
concerned, please do not hesitate to contact us directly. — AOPA
You stated, “…you can discuss all the “PHI” you want, except the parts
that are readily identifiable to a particular person (e.g. SSN, names,
address, phone# etc.).”
Your statement is not accurate. Protected health information (PHI) does
not have to directly identify an individual. If the information is
specific enough that you can infer the identity of the individual, it is
considered PHI and subject to HIPAA regulations.
In the case that we used, “Patient is a 2 year old child with a disorder
that causes her limbs to be 3 times the size of a normal child…,” the
information is specific enough that a person familiar with the facility
or practitioner can easily identify the patient.
The Privacy rule (section 164.506(c)) states that a HIPAA covered entity
may use or disclose PHI for its own treatment, payment, or health care
operations, or for the treatment activities of any health care provider.
Asking a question on a very public listserv that is accessed by non
health care providers is not going to fit within either of those
permissible disclosures. This is akin to standing in a public hallway
in a hospital and shouting out to a crowd that you want to know how to
treat your 2 year old patient that has a disorder that causes her limbs
to be 3 times the size of a normal child.
Also, the HIPAA Security rule is going to require that you keep email
communications containing PHI secure. A listserv is not a secure forum
in which to discuss PHI.
It is part of AOPA’s mission to provide education concerning HIPAA
regulations. While you are not at risk for violating HIPAA as an
individual employee, by your actions the facility that employs you could
face civil and monetary penalties for violating HIPAA regulations. This
is something AOPA is striving to prevent.
There are ways to ask a question on the listserv about treating a
specific condition that do not violate the HIPAA Privacy or Security
rules. We are pleased to have your facility as an AOPA member and are
happy to discuss these methods with you. You might also consider
attending the AOPA HIPAA Seminar on May 2.
Manager, Regulatory Affairs
American Orthotic & Prosthetic Association T 571.431.0876
330 John Carlyle St, Ste 200 F 571.431.0899
Alexandria, VA 22314 www.aopanet.org
AOPA Knows the Business of O&P. Become a member today!