Excerpted from The Biggest Legal Mistakes Physicians Make: And How to Avoid Them
Edited by Steven Babitsky, Esq. and James J. Mangraviti, Esq. (©2005 SEAK, Inc.)

Download Free 646 Page E-book: The Biggest Legal Mistakes Physicians Make and How to Avoid Them

Executive Summary

Many physician groups believe that complying with the privacy rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is an arduous task. They may therefore think that noncompliance is their best route or that being overprotective of information is an easy way to avoid the rule. However, as patients become more educated on the requirements of the rule and on the rights of individual patients regarding protected health information (PHI), patients could file complaints against the physician group, a covered entity under the HIPAA privacy rule. The rule subjects providers to stiff penalties, including $100 per violation up to a maximum of $25,000 per year, or even as much as $250,000 for a violation that is knowingly done with the intent to sell, transfer, or use PHI for commercial, personal, or malicious advantage, plus imprisonment of not more than 10 years. Given the complexity of the rule, many physician groups have not taken the time to understand the purposes of HIPAA or undertaken HIPAA compliance in a serious manner. Such mistakes can lead to costly results and could compromise the goodwill of the physician group in the eyes of its patients.

Mistake 1        Believing That HIPAA Enforcement Will Never Happen to the Physician Group

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is charged with enforcing the HIPAA privacy rule against covered entities, such as physician groups. According to OCR Director Richard M. Campanelli, between April 14, 2003, and the end of February 2004, his office received more than 4,700 HIPAA privacy complaints. In fact, these complaints have been increasing: The total number of complaints in April 2004 was more than double the number in October 2003 (in only six months), which shows that patients are becoming increasingly familiar with their rights under the privacy rule. According to Campanelli, his office is now receiving an average of about 100 privacy complaints per week. Many different types of covered entities have been subject to the privacy complaints, but physician practices specifically have drawn more complaints than other types of organizations (i.e., hospitals, pharmacies, outpatient centers, and group health plans).

Action Step     Physicians should consult with counsel at the earliest point possible to ensure that their office has an appropriate HIPAA privacy rule compliance plan. 

Mistake 2        Having a Compliance Plan in Form Only

Many physician groups believe that having a standard or form HIPAA compliance plan or manual provided by a professional association or obtained from a colleague will satisfy HIPAA compliance requirements. However, having a compliance plan that is not effective or is not followed can be worse than having no compliance plan at all because not following one’s own HIPAA compliance plan can be taken as evidence that the violation was knowing and willful. Furthermore, having a form HIPAA compliance plan only without proper monitoring or implementation will not serve its intended purpose—to educate and guide the practice and thus alleviate potential complaints to the OCR for violations of the privacy rule.

Action Step     Physician groups should implement and maintain an ongoing HIPAA privacy rule compliance plan tailored to their practice and not merely a form or standardized off-the-shelf plan.

Mistake 3        Believing That Health Care Providers Must Have HIPAA Authorization Before Disclosing PHI to Other Health Care Providers

Many physician groups believe that in order to discuss the PHI of a patient with another health care provider (e.g., a hospital, nursing home, or consulting physician), a proper authorization under HIPAA must first be signed by the patient. The HIPAA privacy rule, however, does not require an authorization in this instance. A covered entity may use or disclose PHI for its own or another provider’s treatment activities (and, in certain circumstances, for payment and health care operations purposes, as well) without an authorization. The covered entity is required to verify the identity of the person requesting the PHI and the authority of such person to have access to the PHI if the identity of the person is not known to the covered entity. The covered entity may rely on documentation, statements, or representations that meet this requirement, if reasonable under the circumstances. Again, one main point of the privacy rule is that HIPAA privacy should not affect treatment or the quality of treatment in rendering health care services. For treatment purposes, therefore, HIPAA does not require an authorization or otherwise restrict providers when using or disclosing PHI, except as noted above.

Action Step     Physician groups should clearly define when authorizations are needed in their uses and disclosures of PHI, and should not restrict uses and disclosures of PHI in the treatment context.

Mistake 4        Believing That the Minimum Necessary Standard Applies to All Disclosures

The minimum necessary rule refers to the standard under the HIPAA privacy rule requiring that the use, access, and disclosure of PHI to health care providers and other covered entities be limited to the least amount needed to accomplish an intended purpose. Many physicians, however, wrongly believe that this minimum necessary standard applies to all uses and disclosures of PHI. Instead, the rule states that the minimum necessary standard does not apply to uses or disclosures: (1) by health care providers for treatment; (2) to the individual who is the subject of the information; (3) made pursuant to a valid HIPAA authorization; (4) required for compliance with the standardized HIPAA transactions; or (5) to HHS when disclosure of information is required under the rule for enforcement purposes. Again, as a rule of thumb, the minimum necessary standard should be part of any physician group’s HIPAA compliance plan. However, the minimum necessary standard should never restrict the use or disclosure of PHI by health care providers in the course of treatment.

Action Step     Physician groups should clearly define in their HIPAA compliance plans when the minimum necessary standard applies.

Mistake 5        Believing That PHI Cannot Be E-Mailed or Faxed under the HIPAA Privacy Rule

Neither the HIPAA privacy rule nor the security rule prohibits the faxing or e-mailing of PHI. The privacy rule allows covered entities to share PHI for treatment purposes without patient authorization, as long as they use reasonable safeguards when doing so. A covered entity may want to consider implementing a mechanism to encrypt and decrypt electronic health information to address technical safeguards in the use of e-mail and faxes.

Action Step     Covered entities should have a policy that describes when PHI may be faxed or e-mailed, and under what circumstances they will verify the requestor and receipt of the information.

Mistake 6        Believing That Physician Groups Should Have a Business Associate Agreement with Anyone Who Might Have Access to PHI

The HIPAA privacy rule defines a business associate as one who performs, or assists in, an activity on behalf of the covered entity that requires the use or disclosure of PHI. A janitor or delivery service should generally not be using PHI on behalf of the covered entity. Any access obtained by a janitor or delivery person would likely be incidental and not subject to HIPAA privacy violations; therefore, a business associate agreement is not necessary under the HIPAA privacy rule. However, if the janitors or delivery people are unsupervised, and if the covered entity does not secure PHI in a reasonable fashion, then a violation of the rule could ensue as a lack-of-security violation rather than a business associate violation.

Action Step     Physicians may not need business associate agreements with every vendor, but physician groups should not assume that the HIPAA privacy rule will permit all incidental uses and disclosures of PHI, especially when those incidental uses and disclosures are caused by a lack of HIPAA security compliance. 

Mistake 7        Believing That Patients Must Sign the Notice of Privacy Practices for the Physician Group

Many physicians believe that patients who do not sign a Notice of Privacy Practices cannot be treated by the physician group. However, the HIPAA privacy rule requires only that a covered entity provide the notice and make a good-faith effort to obtain a written acknowledgement of the patient’s receipt of the notice. Physicians are often precluded from obtaining signatures from patients in an emergency situation, or sometimes the patient just refuses to sign. If a patient refuses to sign or a Notice of Privacy Practices cannot be signed immediately, the privacy rule allows the physician group to treat the patient, but proper documentation of the circumstances must ensue to protect the covered entity from HIPAA privacy violations.

Action Step     When a patient refuses to sign a Notice of Privacy Practices, the physician group should attempt to obtain an acknowledgement that the patient received the notice, and, if not, the group must at least document its attempts to provide the notice to the patient.

Mistake 8        Believing That Physician Groups and Their Employees May Not Discuss the Care of a Patient with Family Members

The HIPAA privacy rule does not prohibit physician groups or their employees from speaking to a patient’s family members about the patient’s care and treatment. The rule, however, does give patients the right to restrict disclosures of their PHI to family members if they choose to do so. But HIPAA privacy rule 45 CFR 164.510(b) permits covered entities to share information directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care. The physician group, therefore, may share relevant information with the family and these other people if it can reasonably infer, based on professional judgment, that the patient does not object. Certainly, if the patient in any way chooses to restrict the PHI from any one of these persons, the physician group must obey that restriction or a HIPAA privacy rule violation will ensue.

Action Step     Physicians should carry out the normal course of treatment on patients and, in relaying information to family members and friends, have the proper policies and procedures in place to comply with the HIPAA privacy rule.

Mistake 9        Believing That Storage of PHI Must Be under Lock and Key, with an Armed Guard, and Appropriate Alarm System

Many physicians have succumbed to “HIPAA-mania,” believing that safeguarding PHI requires myriad security devices and controls to prevent leakage of the information. However, the HIPAA privacy rule does not specifically require locking up medical records or having them under 24-hour watch. For example, many groups believe that security for medical records and access to medical records in the office space will require new construction in the office or new storage facilities. However, the privacy rule requires reasonable compliance measures to protect privacy; nowhere in the rule is it required that physician groups modify office space to comply. Rather, physician groups should concentrate on taking reasonable steps, based on their individual circumstances and resources, to prevent unwarranted uses and disclosures of PHI in the office. Locks and other security measures may be appropriate and reasonable, but are not necessarily required. These reasonable steps should include monitoring for unwarranted uses and disclosures of PHI and, through awareness and training measures, taking steps to correct those deficiencies when they arise.

Action Step     Physician groups should consider creating a HIPAA privacy committee to address storage of PHI in the office and take reasonable steps appropriate to the circumstances and resources of the group to safeguard that information.

Mistake 10      Believing That the HIPAA Privacy Rule Prevents the Use of Sign-in Sheets, Calling Out the Names of Patients in Waiting Rooms, and Appointment Reminders

Covered entities, such as physician offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The HIPAA privacy rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called or see other patients’ names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in, such as the medical problem for which the patient is seeing the physician. (See 45 CFR 164.502(a)(1)(iii).) Appointment reminders are considered by HHS to be part of treatment, and therefore are allowed without an authorization. The privacy rule also does not prohibit physician groups from leaving messages for patients on their answering machines. However, as usual, to reasonably safeguard the individual’s privacy, physician groups should take care to limit the amount of information disclosed on any answering machine. For example, a physician group might want to leave only its name, telephone number, and other information necessary to confirm an appointment, or ask the individual to call back.

Action Step     Physician groups should identify potential risk areas in the office for unwanted uses and disclosures and should develop policies, procedures, or action plans to reasonably limit improper uses and disclosures without limiting the sometimes necessary incidental or other disclosures that the privacy rule allows. Physician groups should also educate their employees and provide periodic training to employees on the privacy rule and how to use and disclose PHI on a daily basis in the office. 

Physician groups that become aware of these mistakes will be better equipped to deal with the HIPAA privacy rule and will better serve their patients while complying with the rule. Failure to understand these mistakes can lead to expensive problems for physician groups and make the practice of medicine unnecessarily difficult.

Written by:

Neville M. Bilimoria, Esq. 

Peer reviewed by:

John A. Knapp, Esq.
