
HIPAA Privacy Rules - Questions and Answers

1-800 Notify takes HIPAA Security very seriously and we have had several questions about HIPAA Privacy and Security which we will address in this article:


Are appointment reminders permitted under the HIPAA Privacy rule without patient authorizations?


Appointment reminders are considered part of treatment of an individual and, therefore, can be made without an authorization.

May physicians' offices or pharmacists leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients' homes?

Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail, by phone, or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual's privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.

A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual's care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).

In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable. For example, the Department considers a request to receive mailings from the covered entity in a closed envelope rather than by postcard to be a reasonable request that should be accommodated. Similarly, a request to receive mail from the covered entity at a post office box rather than at home, or to receive calls at the office rather than at home, is also considered to be a reasonable request, absent extenuating circumstances. See 45 CFR 164.522(b).

Is it legal for a healthcare organization (hospital, practice, medical billing company, physical therapy clinic, etc.) to share patient data with an outside company like 1-800 Notify?


There are two separate sets of rules that govern sharing of information outside your organization:

1. HIPAA (the Health Insurance Portability and Accountability Act of 1996), which establishes medical practices as "Covered Entities" and regulates how you use and disclose Protected Health Information (PHI). PHI is any information concerning health status, health care, or payment for health care that can be used to identify an individual.

2. The HITECH Act (Health Information Technology for Economic and Clinical Health Act of 2009), which says that you can safely share information with your "Business Associates" (e.g. 1-800 Notify). This assumes that the Business Associate is compliant with the HIPAA privacy and security rules.

IMPORTANT: 1-800 Notify is happy to sign your Business Associate Agreement so that you are covered under the Business Associate rules.


Are automated phone calls, text messages and phone answering machine messages HIPAA-compliant?

Yes. The HIPAA Privacy Rule allows health care providers and related entities (such as 1-800 Notify) to communicate with patients regarding their health care and payment for health care — including communicating via phone, text, email or in any other manner.

According to 45 CFR 164.510(b)(3), a covered entity may leave a message on an answering machine, with a family member, or with another person who answers the phone when the patient is not home, so long as reasonable precautions are taken to limit the amount of information disclosed in such a non-personal interaction. For example, 1-800 Notify's phone calls (and answering machine messages) do not contain any health-specific or treatment-specific information and therefore comply with this requirement.

Are billing reminder calls permitted by covered entities under the HIPAA Privacy rule without patient authorizations?

Yes. Under the HIPAA Privacy Rule, 45 CFR 164.506(a) (Standard: Permitted uses and disclosures), a covered entity (e.g. medical provider, medical group, medical billing firm) may use or disclose protected health information (for example, the guarantor's or responsible party's full name) for treatment, PAYMENT, or health care operations as set forth in paragraph (c).

Paragraph (c), Implementation specifications: Treatment, payment, or health care operations. (1) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.

NOTE: The exceptions to this rule that require prior authorization of the patient are:
1. Psychotherapy Notes
2. Marketing
3. Sale of Protected Health Information

Martin Trautschold
