The Body: The Complete HIV/AIDS Resource


How Many Times Have You Heard the Word HIPAA?

And ... What Can You Do to Prepare for It?

Winter 2002/2003

We all know that privacy rules will have to be implemented in medical practices soon, based on the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Still, many will be caught off guard. Don't let your practice be one of them. Before time runs out, your office manager should investigate and work toward developing a plan to be in full operation by April 2003. But don't wait until then to expand your employees' awareness and basic knowledge.

Yes, you will need to develop and adhere to a manual of privacy policies and procedures. New forms will be implemented, such as a notice of privacy practices, patient consent and authorization forms, request for limitations and restrictions of protected health information (PHI), request to inspect and copy protected health information, request for amendment of PHI, business associates contracts, and so on. However, nothing will be as crucial as your employees' understanding of what patient confidentiality and privacy mean.

When we train medical office employees, we teach them a golden rule: Common sense is not so common.

Use Your Common Sense!

Here are some examples:

  • Dr. Smith's nurse calls her mom with the exciting news that her sister-in-law came to the office and had a positive pregnancy test.
  • A receptionist calls a friend to share that a celebrity came to her doctor's office. The physician is an HIV physician. The conclusion is made that this celebrity is infected or has been in contact with HIV.

These two people had access to this privileged information in the course of their employment, and their actions are definitely a breach of confidentiality. Do their employers have a confidentiality agreement in place? Are the employees aware that what they said might result in termination of employment?

New employees and volunteers should attend an orientation session to understand the ethical responsibility of maintaining patient privacy. Employees and volunteers gain access to personal and medical information regarding a patient and information about your practice that otherwise they would not have obtained. Your employees' and volunteers' files should contain a confidentiality agreement designed to protect both patient and practice information from being shared outside the office.

Throughout the day, we may be leaking patient information without our knowledge. The window that separates the reception area from the waiting room is not soundproof: receptionists should not relate patient information to other employees, or to anyone, so loudly that other patients can hear. And doctors should be sure to dictate in a private area. Other suggestions include:

  • Not taking phone calls in patient rooms or out in the hall
  • Closing exam room doors
  • Not leaving charts or lab and X-ray results out in the open
  • Making sure that phone messages and appointment lists are not visible to nonauthorized individuals
  • Checking that information forwarded to your collection agency does not include a patient's diagnosis.

Under the privacy rule, physicians have the right to use and disclose patient medical information in order to carry out treatment, payment, or health care operations (also known as TPO), with the written consent of the patient. Make sure that there is a signed consent form in the patient's chart.

Remember the three monkeys: See no evil, Hear no evil, Speak no evil? Make sure your office handles information in such a tactful way that unauthorized people cannot see, hear, or talk about your patients' medical information.

The U.S. Department of Health and Human Services' Office for Civil Rights provides guidance on HIPAA at For a copy of a confidentiality agreement, visit, or you can find links to these documents on the Practice Management page at

Germania R. Echeverry, C.P.C., Clinical Management Solutions, Inc., your hands-on consulting team


This article was provided by American Academy of HIV Medicine. It is a part of the publication The Nexus. Visit AAHIVM's website to find out more about their activities and publications.