Compliance FAQs
Must I obtain a signed HIPAA authorization to post a patient testimonial containing protected health information on our practice website?


Yes. An authorization gives covered health care providers permission to use protected health information (PHI) for specified purposes, which are generally purposes other than treatment, payment, or health care operations. A valid authorization must include a description of the PHI to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the provider may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed.

What if my IT company refuses to sign a Business Associate Agreement (BAA), stating the service contract I signed is sufficient to cover confidentiality?


A covered health care provider must not share protected health information with a third party without obtaining a signed Business Associate Agreement. A business service contract generally does not include the required components that a BAA contains. Ultimately, your practice is responsible for protecting your patients' PHI, and without a signed BAA you have no assurance that your IT company has put in place the same safeguards to protect your patients' PHI that you have. If you are unable to obtain a BAA, the contract with your IT company should be terminated.

Can family members of a deceased individual obtain the deceased individual's protected health information that is relevant to their own health care?


A covered health care provider may disclose a decedent's protected health information, without authorization, to the provider treating the surviving relative. In addition, a covered health care provider may disclose certain PHI about a decedent to the decedent's family members, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the provider. The information that may be disclosed is that which is relevant to the family member's involvement in the decedent's care or payment for that care. Lastly, an authorized executor or administrator of the deceased individual or of his or her estate is legally permitted to access the decedent's PHI.

How should I properly dispose of paper and electronic protected health information?


Examples of proper disposal methods may include, but are not limited to:

  • For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.

  • For PHI on electronic media, clearing (using software or hardware products to overwrite the media with non-sensitive data), purging (degaussing, that is, exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incineration, or shredding).