Lately I’ve run into questions and discussions about patient advocates or navigators and HIPAA, so it seems a good topic for today’s post.
I’ll begin with a disclaimer: there’s no one on this green planet that can give you ALL the answers as they relate to HIPAA! No, not even the lawyers who live it every day. It’s complex and daunting. But there are some basics that might be useful.
Here are the basics that can be useful to advocates:
1. It’s HIPAA, not HIPPA. HIPAA stands for the Health Insurance Portability Accountability Act. Notice, it doesn’t say anything about information (which is what it’s really about), nor does it say anything about patients.
2. HIPAA was originally intended to protect patient information from falling into the “wrong” hands electronically. The laws were passed in the 1990s as fax machines were being used more and more and the Internet was beginning to be used to share personal information. HIPAA was intended to address any sort of electronic sharing of records.
3. HIPAA laws and penalties apply only to “covered entities.” Covered entities are health insurers and payers, health care providers, and organizations that transfer that information to covered entities electronically
NOT included in this list is patient advocates or navigators. Most of us are not providers – we are facilitators and supporters, but we are not providing medical advice. Now – a disclaimer – it’s my opinion that advocates are not covered entities. (My opinion and a dollar might buy you a cuppa coffee.) As far as I know, no one who has any legal standing has actually ever ruled on it. And if you are a physician-advocate or a nurse-advocate, you may see the HIPAA world differently.
Truth is, it doesn’t matter whether advocates are covered entities or not. See below: “What is important from our advocate point of view.”
4. There are slews of myths about HIPAA – things that everyone assumes to be true, but aren’t true. Included are things like the notion that family members can’t get a hold of medical records. Well – that may or may not be true, depending on circumstances and signatures. Here is a list of the myths about HIPAA from a patient’s point of view.
Here’s the problem with the myths: if a doctor thinks she is not legally able to share information, she won’t share it – whether it would be legal to do so or not. And you can’t blame her because she IS a covered entity and she COULD get in hot water for sharing if she does so with the wrong person or entity. It’s all about CYA and she might decide that giving you a patient’s records could uncover her A. You’ll have to prove differently to her. (See links below for resources.)
5. There are dozens of types of organizations that can get a hold of a patient’s medical information, legally, that we don’t think about. And there’s all kinds of squirrely stuff going on with that information, legally and illegally.
A. Even though most of us are not covered entities, it’s still vitally important that we take very good care of patient records, including sharing them or not sharing them with anyone else beside our patient-clients. You’ll never want to be in a position of being responsible for records falling into the ‘wrong’ hands. That definition of ‘wrong’ is whomever your patient thinks is wrong.
B. It’s good practice to get a signature from your patient for two cases. The first case is so you can have access to your patients’ records, meaning, he or she provides a signature on a form you can give his or her provider giving you permission. The second case is to get your patient-client’s permission to share his or her records with someone else – an adult child, a home health worker – anyone who you and your client deem would need to see them. Even if you won’t be the one directly supplying those records, you may want to be sure everyone understands that permission has been given. It’s a bit of CYA (covering your OWN backside) – but takes only a minute and shows that you are serious about protecting those records.
If you are a member of the Alliance of Professional Health Advocates (Premium or PACE) then you have access to sample HIPAA forms you can use with your clients. (Log in to your membership homepage, then do a search at the top of the page for HIPAA forms.)
C. It’s good marketing practice to make sure your patient-client understands that even though you are (probably) not a covered entity, you will be vigilant about his or her records. You can state that you are HIPAA compliant. You can make that statement on your website and print it in a brochure. There’s nothing that says you have to be a covered entity to make that claim and follow through. It sounds very professional, very knowledgeable, and helps your potential client know that you take these things seriously, too.
• If you are a licensed healthcare professional who provides medical advice to your clients, you might want to clarify whether you would be a covered entity. You can do that here.
Updated March 2017