Privacy Frequently Asked Questions


If a patient has completed a Request for Alternative Communication regarding payments, are we obligated to abide by this if we are calling them about pymts? (E.g. a request turned in stating that all phone calls about billing should come directly to me, not my husband.)

It is very important that if ECU agrees to accept the request of alternate communications, we must in fact be able to comply with the patient’s request. Before agreeing to the request, we must be assured that we will be paid (we should make the appropriate accommodations for payment ahead of time). Requests pertaining to telephone and/or address communications may be approved without the University Privacy Officer’s authorization. However, all requests must still be forwarded to the University Privacy Officer. If ECU agrees to the request, we must abide by it. Of course, ECU also has the right to deny any request if it is not reasonable or that we can make appropriate accommodations for.


What is an example of when we would use de-identified information?

Mostly for research, internal purposes, and students. If a student writes a summary of a visit and turns this into his supervisor, he should be using de-identified information. De-identified information is not protected under the privacy rule nor is it a part of the DRS.


Do we need authorizations to send immunizations?

No. Please refer any requests for disclosures to HIS/S. Any disclosures completed by ECU must be annotated in the Accounting for Disclosures log.


Our clinic completed the intake with our patients in a room that may have two patients side by side. The EMR screen is up in this same room. Is this okay?

It depends. HIPAA does not require us to “tear down walls” or make physical changes to our clinics or facility. This type of disclosure is considered to be incidental. However, it is important for clinical staff to use their professional judgment with these sensitive issues. If a certain dept. wants to offer their patients more privacy, it is optional and can be beneficial. These accommodations would need to be handled from within that department or clinic. It may be necessary for them to move things around a little to help alleviate some of these disclosures (if at all possible). E.g. try to turn the monitors away from the patients’ view, so PHI is not as easy to see and/or read. But, under HIPAA we are not required to physically change our facility.


If a patient wants a more confidential area to check in for an appointment, are we required to provide this?

No. HIPAA does not require us to provide these accommodations. However, it is important for clinical staff and departments to use their professional judgment with these issues. If a certain department wants to be able to offer this, that is optional. Again, these accommodations would need to be handled from within that department or clinic.


Is a provider responsible to get an authorization from the patient if he gives the patient a copy of his lab results during the office visit?

The answer to this questions is no; the provider would not have to obtain an authorization. However, it is very important that if a provider gives this information, he must be aware if the patient has an Alternate Communication Request and approval on file. E.g., the patient may have requested (and ECU has accepted the request) that she does not want any information provided to her about her treatment and/or results of lab results with her husband around. Hopefully, these situations will be very rare, but the provider will still need to know if some sort of Confidential Communication means has been established. This information can be reviewed from within Logician. Any requests for multiple documents from the patient’s chart must be forwarded to HIS/S Release of Information Office.


I’m referring a patient somewhere outside of ECU. Can I still send the other doctor information regarding the patient?

Yes, we can send this information without an authorization because it falls under the standard of privacy for treatment. We also will have the patient sign a general consent, Outpatient Authorization and Consent (by NC law). This allows us to send information for treatment, payment, and other healthcare operations.


Related to minors, if someone other than a legal guardian brings a minor into the clinic, will they need to get that individual to sign the Notice of Privacy Practices?

Yes, they will still need to sign for that patient. It will be legally binding.


Where can I get HIPAA forms if a patient requests Alternate Communications or a Request for Restrictions on their PHI?

All HIPAA Privacy policies and forms are located on the Privacy Forms page.