Are You Complying
with HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that prohibits the use and disclosure of patient healthcare information unless the patient gives written consent allowing you to do so.

It does so through a set of regulations called the Privacy Rule, which came into effect on April 14, 2003. According to the Privacy Rule, if a patient discovers that information regarding their health – or other personal data – has been disclosed without their written permission, they have the right to request that both civil and criminal charges be brought against the healthcare providers responsible.

This can lead to fines of up to $25,000 and jail terms of up to 10 years – and even higher civil penalties. So, this is serious business. Generally, though, it’s not that difficult to comply with as long as you know the basic requirements of this law.


Basically, the HIPAA Privacy Rule boils down to this: Caregivers cannot legally view, discuss or repeat any healthcare information about the clients in their care unless the client has given them permission to do so.

There is one big exception to this rule: Healthcare information can be disclosed to other caregivers who are involved in the care and treatment of that client. In other words, doctors, nurses and others can readily exchange health information with each other about a client whom they are treating. Beyond that, a client can give permission for disclosure of their health information to anyone they choose.

And, according to the privacy law, healthcare institutions must give their patients details on how they intend to use their healthcare information. Clients are asked to sign a document acknowledging that they received this notice.

At this point, your clients can also add whatever restrictions they want relative to disclosure of their health information. They can request that no information be given out about them to anyone, or that just certain persons should be given this information, or that certain friends and relatives can be told but others not told, and so on.

Since these permissions can be different with each of your clients, you need to make sure that you know about them, and that you follow their individual instructions closely.

The Privacy Rule covers all medical information – written, oral or in electronic format – about your clients. This information is called Protected Health Information (PHI), and refers to a person’s past, present or future physical or mental health condition according to the HIPAA law.

Examples of PHI include information on the person’s:

  • Diseases and conditions

  • Medications and other treatments

  • Test results (e.g., blood tests)

  • X-ray and MRI scans

  • Dietary restrictions


Here are some basic points to remember about the Privacy Rule:

  • The law requires that someone in your institution inform your clients about how you intend to use information about them and give them the opportunity to restrict the disclosure of their information, if they desire.

  • You cannot inform others about a person’s medical condition without permission from the client unless they are directly involved in the care of that client.

  • You should not leave personal medical information lying around where others can see it. Medical information and records should be kept in binders, folders or envelopes, out of sight of others.

  • You should not be talking about the medical condition of your clients with anyone not directly involved in caring for the client, unless you have written permission from the client to tell others.

What this means is that the days are long gone when you can run around town announcing that prominent local citizen Mrs. X has been admitted to your agency with Alzheimer’s Disease. Under these rules, you cannot tell anyone about Mrs. X and her condition, unless Mrs. X has signed permission to do so.

If you do this without her permission, Mrs. X can file a complaint with federal officials, and fines and civil penalties can be issued against you and your company. And note this: the US Department of Health and Human Services (HHS) has a very active enforcement division that investigates these complaints, and the penalties can be large. The Privacy Rule is being taken very seriously by federal officials.

One of the most frequent questions among caregivers is, “What can I tell family and friends?”

That’s an interesting question, because family and friends, once they learn that a loved one is using home care services, are quick to get on the telephone or visit to try and find out how their loved one is. They are justifiably very concerned, and want to be available to lend friendship and support.

This is an area where you’ll want to double-check your own agency’s privacy regulations, because they may be different from the HIPAA regulations. Plus, different state regulations may also apply. HIPAA officials state that it is generally okay to inform family members and personal friends about the general condition of the client, as long as the client does not object to this. Here’s what HIPAA says about this: “HIPAA does not cut off all communications between providers and the families and friends of patients. Doctors and other providers covered by HIPAA can share needed information with family, friends – or even with anyone else a patient identifies as involved in his or her care – as long as the patient does not object.

“The Privacy Rule also makes it clear that – unless a patient objects – doctors, hospitals and other providers can disclose information – when needed – to notify a family member or anyone responsible for the patient’s care, about the patient’s location or general condition.

“Even when the patient is incapacitated, a provider can share appropriate information for these purposes if he believes that doing so is in the best interest of the patient.”

It’s recommended that you only give out basic information about the client’s condition and avoid the medical details, except to those involved in the client’s medical care.

After a client has been under your care for a while and medical personnel have discussed the disclosure of information in more detail, the client may well give permission for more disclosures of information about them to friends and relatives. But, until they have done this, the basics of the Privacy Rule apply.

HIPAA officials state that, in facilities, you can tell visitors basic information about your client if they ask about the client by name – and if the client has okayed the release of this basic “directory information.”

Visitors can be given the client’s phone and room number, and general health condition such as “good,” “serious,” or “critical,” but not specifics unless the client has given permission to give out this information.

Religious affiliation may also be given, but to clergy only, and clergy do not have to ask about your clients by name in order to get this information. Note that your state may have stricter regulations, which you’ll need to be familiar with.

Sometimes, a client may be incapacitated in such a way that they cannot give you permission to disclose any information. In this situation, HIPAA regulators state that, if it is determined to be in the best interests of the client, medical information can be disclosed to relatives or close personal friends – but only that information which is directly related to that person’s involvement in the client’s care.

Basically, the Privacy Rule means that detailed medical information about your clients should not be disclosed to anyone not directly involved with the care of that client, unless given permission to do so. This means that frontline caregivers need to be careful about talking about and handling medical records and information about their clients.

Here are some tips on how to do that:

  • Use a low voice when discussing medical situations with others. This also applies to telephone conversations.

  • Use a private area to discuss medical information.

  • Keep messages left for families and patients private. These should be brief and general.

  • Make sure that neither your clients, nor their visitors, have access to areas where records are stored.

  • Make sure the agency binder is safely stored out of sight when not in use.

Remember, the purpose of the Privacy Rule is to safeguard sensitive information about the physical and mental health of your clients, and their personal details. It’s another means of showing respect to your clients: a way to ensure their dignity and worth, as well as to help you be a successful and compassionate caregiver.