10/23/2002

HHS Responds to Frequently Asked Questions

On October 2nd, the Department of Health and Human Services (HHS) posted responses to questions frequently asked about the HIPAA Privacy Rule. The FAQs provide additional guidance about an individual's right to review his/her medical record, safeguards required when disclosing protected health information (PHI), and incidental disclosures and the minimum necessary rule. The following is a brief summary:

PATIENTS' REVIEW OF THEIR MEDICAL RECORD.

Who pays for the cost of copying medical records that patients request as permitted by the Rule?
Covered entities may impose reasonable fees for the cost of copying and postage. Fees must be based upon the actual production costs incurred by the entity, which would include the cost of labor, supplies, and postage; with the exception that costs associated with the search and retrieval of the requested information cannot be recovered from the patient. The covered entity may charge a fee for preparation of a summary or explanation of PHI, in those cases where a patient has agreed to receive such a summary or explanation in lieu of the actual records.

SAFEGUARDS TO PROTECT PHI.

Can covered entities transmit PHI via fax?
As long as the disclosure is permitted under the Rule, it can be made by fax or any other means. However, whatever the chosen means, it is subject to the reasonable and appropriate administrative, technical, and physical safeguards that covered entities are required to implement under the Rule (i.e., security considerations). An example of such safeguards would include requiring employees to confirm the fax number of the recipient prior to sending the fax, and making sure the fax machine is not accessible except to those that are authorized to use it.

INCIDENTAL DISCLOSURES & THE MINIMUM NECESSARY RULE.

Are patient sign-in sheets prohibited under the Rule? What about calling the names of patients in a waiting room?
Just to dispel any remaining uncertainty about this, HHS is telling us again that disclosures resulting from using sign-in sheets and calling out patients' names in waiting rooms are considered the incidental by-product of otherwise permissible disclosures related to treatment, payment, and health care operations. Both practices are permissible, but only to the extent that reasonable and appropriate safeguards have been implemented to protect the privacy of PHI and limit the disclosure to the minimum amount necessary. For example, sign-in sheets should only require patients' names, not social security numbers, reason for visit, symptoms, or any other personal information which may be obtained privately. Similarly, displaying the names of patients next to the door of their hospital rooms and placing patient charts outside exam rooms are also permitted under the Rule subject to the same requirements.