Answers to your questions about...

•You can release patient information to an employer as long as the patient okays it.

• You don't need a business associate contract with your telecommunications service for the hearing impaired.

•Patients' credit card payments don't need to follow a HIPAA-compliant format.

Disclosing information to employers

Q: A patient came to my office with a note from his employer, who wanted to know the patient's diagnosis. If I didn't provide the information, my patient informed me, he wouldn't be paid for his time out of the office. Do employers have the right to request such information?

A: Yes. Since employers aren't covered entities under HIPAA, they aren't subject to any of its confidentiality rules. On the other hand, you are a covered entity, and, therefore, can't release protected medical information except as defined by HIPAA. Generally, this means that the release must pertain to treatment, payment, or healthcare operations, or must be authorized by your patient, or must be required by law. In the case you describe, you may release medical information to your patient's employer, but only after your patient gives you his signed authorization.

Retaining original patient records

Q: For some time, I've been a solo practitioner in a satellite office 20 miles from my group's main office. Since the practice has elected to close my office, I plan to separate from the group, continue practicing in the satellite office by myself, and retain the original patient charts. My current partners say this would be a violation of HIPAA, but I believe my retention of the original charts is directly related to my patients' continuity of care. Who's right?

A: Neither of you. While HIPAA protects all individually identifiable health information, whether in electronic, paper, or oral form, it doesn't weigh in on who gets the records if there's a dispute. If your current group owns the satellite office space, it also owns the items in that space, including the paper records. On the other hand, the information in those records belongs to the patients themselves. Once they sign HIPAA-compliant authorizations, copies of their records may be sent to whomever they choose.

Services for the hearing impaired

Q: I sometimes use a certified telecommunications relay service to contact my patients with hearing or speech impairments. Is this service considered my "business partner" and, if so, must I enter into a business associate contract with it?

A: No. The telecommunications relay service is a free public service, available to all persons and businesses, including doctors, who needn't employ, contract with, or otherwise establish business relationships with the TRS. Thus, when performing the services you describe, the TRS is not acting for or on your behalf, and isn't your business associate.

Credit card payments

Q: My patients sometimes cover their copays with a credit card. Is this a standard transaction that must follow a HIPAA compliant format?

A: No. The standard transactions outlined in HIPAA don't include credit card payments by patients, who aren't considered covered entities under the law. Standard transactions that require HIPAA compliant content and format include verification of eligibility, authorization, and request for payment. Generally, such transactions are conducted between covered entities, including providers transacting business electronically, clearinghouses, and payers.

Margaret M. Davino (mdavino@kbrny.com) is a healthcare attorney with Kaufman Borgeest & Ryan, in New York City. This department answers common HIPAA-related questions. It isn't intended to provide specific legal advice. Please submit questions via e-mail to mehipaa@advanstar.com, or by regular mail to Medical Economics, 5 Paragon Dr., Montvale, NJ 07645. ATTN: HIPAA CONSULT. If we select your query, we'll address it in an upcoming issue. Your name will not be used.

Margaret Davino. HIPAA Consult: Answers to your questions about . . .. Medical Economics Sep. 3, 2004;81:21.