Q: What is Protected Health Information (PHI), otherwise known as "individually identifiable health information"?
A: Any and all health information records that identify the patient, or for which there is a reasonable basis to believe the information can be used to identify the patient.
Q: How are covered entities (like our healthcare system) expected to determine what is the minimum necessary information that can be used, disclosed or requested for a particular purpose?
A: The Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of and requests for PHI to the minimum necessary to accomplish the intended purpose. The minimum necessary standard is intended to make covered entities evaluate and enhance protections as needed to prevent unnecessary or inappropriate access to PHI. It is intended to reflect and be consistent with, not override, professional judgment and standards.
Q: How is minimum necessary defined?
A: The least amount of PHI required to satisfy a request. For example, records compiled in response to a PHI request for a specific date of service should not include treatment records for other dates of service.
Q: Do the minimum necessary requirements prohibit covered entities from maintaining patient medical charts at bedside, require that covered entities shred empty prescription vials or require that X-ray light boards be isolated?
A: No. The minimum necessary standards do not require that covered entities take any of these specific measures. Covered entities must, in accordance with other provisions of the Privacy Rule, take reasonable precautions to prevent inadvertent or unnecessary disclosures.
Q: What is an Authorization?
A: Authorization permits a covered entity to use and disclose only specific PHI to specified individuals for specified purposes that are almost always for purposes other than treatment, payment or healthcare operations.
Q: What information can a hospital provide if one inquires about a patient by name?
A: Information about the general condition and location of an inpatient, outpatient or emergency department patient may be released only if the inquiry specifically identifies the patient by name. No information may be given if a request does not include a specific patient's name or if the patient requests that the information not be released.
Q: If healthcare providers engage in confidential conversations with other providers or with patients, have they violated the rule if there is a possibility that they could be overheard?
A: The Privacy Rule is not intended to prohibit providers from talking to other providers and to their patients. We would consider the following practices to be permissible, if reasonable precautions are taken to minimize the chance of inadvertent disclosures to others who may be nearby (such as using lowered voices, talking apart):
· Healthcare staff may orally coordinate services at hospital nursing stations.
· Nurses or other healthcare professionals may discuss a patient's condition over the phone with the patient, a provider or a family member.
· A healthcare professional may discuss lab test results with a patient or other provider in a joint treatment area.
· Healthcare professionals may discuss a patient's condition during training rounds in an academic or training institution.
Q: Does the Privacy Rule require hospitals and doctors' offices to be retrofitted, to provide private rooms and soundproof walls to avoid any possibility that a conversation is overheard?
A: No. The Privacy Rule does not require that structural changes be made, such as creating private rooms, soundproofing rooms, or encrypting telephone systems or wireless or other emergency medical radio communications that can be intercepted by scanners.
Q: Can a physician's office or hospital FAX patient medical information to another physician's office or hospital?
A: The Privacy Rule permits the disclosure of PHI to another healthcare provider for treatment purposes. This can be done by fax or by other means. Covered entities must have in place reasonable and appropriate administrative, technical and physical safeguards to protect the privacy of PHI that is disclosed using a fax machine.
Q: Can we still use the sign-out/in sheets at the desk to track patient locations off the unit?
A: Yes, so long as the information disclosed is appropriately limited. For example, a sign-in sheet may not display medical information (such as the medical problem for which the patient is being seen) that is not necessary for the purpose of signing in.
Q: How will this affect students having access to patient information during their training?
A: The Privacy Rule provides for "conducting training programs in which students, trainees or practitioners in areas of healthcare learn under supervision to practice or improve their skills as healthcare providers." BAPTIST HEALTH'S policies and procedures will continue to permit medical trainees access to patients' medical information, including entire medical records.
Q: Are hospitals able to inform the clergy about parishioners in the hospital?
A: Yes. The Privacy Rule allows this communication to occur, as long as the patient has been informed of this use and disclosure, and does not object. The Privacy Rule provides that a hospital or other covered healthcare provider may maintain in a directory the following information about that individual:
1) the individual's name;
2) location in the facility;
3) health condition expressed in general terms; and
4) religious affiliation.
The facility may disclose this directory information to members of the clergy. For example, a hospital may disclose the names of Methodist patients to a Methodist minister unless a patient has restricted such disclosure.
Q: A hospital customarily displays patients' names next to the door of the hospital rooms that they occupy. Will the Privacy Rule allow the hospital to continue this practice?
A: Disclosure of patient names by posting on the wall is permitted by the Privacy Rule, if the use or disclosure is for treatment (i.e., to ensure that patient care is provided to the correct individual) or healthcare operations purposes (i.e., as a service for patients and their families).
Q: Can physician offices use patient sign-in sheets or call out the names of patients in their waiting rooms?
A: Yes. Covered entities such as physician offices may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The Privacy Rule explicitly permits certain "incidental disclosures" that occur as a by-product of an otherwise permitted disclosure.
For additional information or questions, please contact Kathy Roberts, Privacy Officer, at 501-202-1323


