Frequently Asked Questions About HIPAA

Penalties

Q: Can patients sue healthcare providers for not complying with the HIPAA Privacy Regulations?

A: HIPAA Privacy Regulations do not give people the right to sue. The patient does have the right to file a complaint with the Office of Civil Rights (OCR), which has been delegated this responsibility by the Department of Health & Human Services (DHHS).

The OCR then makes a determination of the need to investigate the complaint. If the complaint is determined to have merit, DHHS has the authority to impose civil and monetary fines on organizations or to impose criminal sanctions if applicable.

However, patients do have the right to bring civil actions under state law. HIPAA also establishes a “community standard” for protecting patient information.

Access to Records

Q: Is it legal/appropriate for me to access my own records in our hospital computer systems?

A: As a patient, you do have the right to request access to your record and to obtain a copy of it. However, the proper channel for requesting to review or obtain a copy of your record is the UC Irvine Health Medical Records department, just as for all other patients. Any access you may have to UC Irvine Health computer systems is for your work-related activities only.

Also, not all of your medical information may be accessible electronically. There may be additional information in your paper record that is not online.

Other patients and other staff members do not have the same level of access either, and other staff have to go to Medical Records to obtain their information.

Lab and radiology test results should be communicated to you by your physician. The interpretation of the results is his/her responsibility.

Access to Records

Q: My boyfriend is also a patient here. With his knowledge and verbal authorization, may I access his information or do I need written authorization to do so? If so, will a letter suffice? Or is there an official form? 

A: If it is not part of your job responsibility to provide information or copies of records to patients, you should not be doing so for your boyfriend, other friends or family. The appropriate way for your boyfriend to obtain information is through the Medical Records department. Also, people often do not remember granting verbal permission to others to access their information.

If providing information or copies of records to patients is part of your job duties, your boyfriend should sign a written authorization to give you this access. The official authorization form is available on the UC Irvine Compliance Website under HIPAA.

Access Violations

Q: Is it a violation to look up the records of my coworker or family member who has been admitted to the hospital?

A: Yes, it is a violation of HIPAA to access information on friends, colleagues, etc. who have been admitted to the hospital unless you are directly involved in providing treatment to the patient as part of your job responsibilities.

Electronic access to patient information is tracked, and any access to patient information that is not related to one’s job responsibilities can result in disciplinary action up to and including termination.

Access to Systems

Q: I have access to the computer system to schedule patient appointments. Is it appropriate for me to schedule an appointment for myself in the system?

A: You should not schedule appointments for yourself or your family members. This would be taking advantage of your job position in a way that other patients cannot.

Just as you expect the hospital to separate its role as your employer from its role as your healthcare provider and to respect your privacy as a patient, you must separate the responsibilities you have as an employee from those you have as a patient. You must request appointments as any other patient would.

Authorizations

Q: Where can I obtain a copy of the "official" form to authorize release of records?

A: The official UC Irvine Health Authorization for Release of Health Information is available and downloadable from the Compliance website under HIPAA.

Patient in Hospital

Q: Often family members will ask hospital staff members if a particular patient is present in the hospital. How should these requests be handled?

A: Unless the patient is currently on your unit, the family member should be directed to Security/Patient Relations, which has the most recently updated information on patients who have opted out of being listed in the facility directory, and for whom we cannot provide any information.

Text Messaging

Q: Is it appropriate to use text messaging on cellular phones to relay patient data between caregivers (e.g., a nurse to physician)?

A: No. Unless the sending and receiving phones have encryption capabilities, such data are open to interception, corruption and inappropriate disclosure. All communications of Patient Health Information (PHI), whether electronic or non-electronic, must be kept secure while in transit and at both the sending and receiving ends.

At the very least, you must encrypt PHI that is transmitted over an open network, such as the Internet or a non-secure wireless connection. This also holds true for text messaging with cellular phones.

Paging System

Q: Can we use patient names in the pages between staff members?

A: No, the paging system is not encrypted and messages are not secure. Use the minimum amount of information necessary when paging.

For example, to page a physician with a patient’s critical lab values, the paging message should read, "Have critical lab value for you. Please call xxxx."