Online Fax Hipaa
online fax hipaa
Is this a HIPAA violation?
I work in a Doctor’s office, and recently had a confrontation with a new patient. The patient demanded his results of cancer studies be faxed to a home fax number when he calls and requests via phone. I did not feel comfortable doing this, as I need a signed consent. If someone were to call and request their records be faxed, there is no way for me to confirm the caller’s identity. The patient said all his other doctor’s do it, and my manager told me it was okay. I still do not feel comfortable, but have not found any pertinent information online. If I had faxed this information, would I have been violating HIPAA? And where can I find this specifically in writing (that does not cost an arm and a leg)? After my manager told me it was okay, I told her I would feel more comfortable investigating this type of situation before faxing patients’ information to who knows where. I want to do the right thing. Please help me find this in writing!
Authorized Uses and Disclosures
Authorization. A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.44 A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization, except in limited circumstances.45
An authorization must be written in specific terms. It may allow use and disclosure of protected health information by the covered entity seeking the authorization, or by a third party. Examples of disclosures that would require an individual’s authorization include disclosures to a life insurer for coverage purposes, disclosures to an employer of the results of a pre-employment physical or lab test, or disclosures to a pharmaceutical firm for their own marketing purposes.
All authorizations must be in plain language, and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, and other data. The Privacy Rule contains transition provisions applicable to authorizations and other express legal permissions obtained prior to April 14, 2003.
Disclosures and Requests for Disclosures. Covered entities must establish and implement policies and procedures (which may be standard protocols) for routine, recurring disclosures, or requests for disclosures, that limits the protected health information disclosed to that which is the minimum amount reasonably necessary to achieve the purpose of the disclosure. Individual review of each disclosure is not required. For non-routine, non-recurring disclosures, or requests for disclosures that it makes, covered entities must develop criteria designed to limit disclosures to the information reasonably necessary to accomplish the purpose of the disclosure and review each of these requests individually in accordance with the established criteria.
Document Imaging by Confidential Records Management, Inc., www.crmi-online.com
