HIPAA FAQs
This page offers answers to commonly asked questions from clinics about HIPAA. If you can’t find your question here, please reach out to hipaa@bu.edu.
Quick links: De-identified Patient Information | Responding to Online Reviews
Sharing Sensitive Health Information
Certain categories of health information are subject to additional protections under federal and state laws (“Sensitive Health Information”) and have stricter rules about how they can be used or shared.
Do I need written authorization to share sensitive health information?
Generally, yes. Sharing sensitive health information typically requires written authorization, even in situations where federal law (such as HIPAA) might otherwise permit the use or disclosure.
Does verbal permission count as authorization?
No. Verbal permission is not sufficient for sharing sensitive health information. A valid written authorization is required unless an exception has been confirmed.
What is considered “sensitive health information”?
Sensitive health information includes:
- HIV/AIDS related information
- Sexually transmitted disease information
- Substance use disorder (alcohol or drug treatment) records
- Genetic testing information
- Information related to diagnosis or treatment of pregnancy (including abortion care)
- Mental health diagnosis and/or treatment provided by a psychiatrist, psychologist, or allied mental health professional
- Domestic violence, sexual assault, or social work counseling communications
Can I rely on a general authorization to share sensitive health information?
No. The authorization must specifically identify the sensitive health information to be disclosed. If it does not, you should not release that information.
Where can I obtain an authorization to share sensitive health information?
What should I do if I can't obtain written authorization, but believe the information needs to be shared?
Do not disclose the information until you have confirmed that it is permissible to share without written authorization. Please contact your HIPAA Contact or email hipaa@bu.edu for guidance.
De-identified Patient Information
De-identified patient information is data that has had personally identifiable information (e.g., a person’s name, email address, or social security number), including protected health information (PHI; e.g. medical history, test results, and insurance information) removed.
How can I use de-identified patient information?
If the information is truly de-identified under HIPAA, it is not PHI and you do not need an Authorization to use it for classroom and other educational presentations, publications, promotions or other purposes.
How do I know if the information is de-identified?
Ask these questions:
- Does the information include the patient’s name, initials, email address, phone number, social security number, or medical record number?
- Does the information include any dates relating to the patient, such as patient date of birth, date of treatment, dates of appointments?
- Does the information include geographic identifiers, such as the patient’s address, or even the patient’s town or zip code?
- Does an image (photo or video) show the patient’s face?
- If the image does not show the patient’s face, is it possible to identify the patient from what is shown?
- Does the information or image include any of the 18 HIPAA identifiers? See complete list in BU HIPAA Policy 1.4.
- Does the information include any other element that may be used alone or together with other available information to identify the patient?
If you answer yes to any of these questions, you need an Authorization.
Examples of De-identified Patient Images (No Authorization Needed)
- Video showing patient’s gait when showing only from the shoulders down
- Photo or video of the patient walking that shows only patient’s back
- Images of body parts that are not identifiable
Examples of De-identified Descriptions (No Authorization Needed)
73-year-old, active woman underwent a routine cardioversion for atrial fibrillation but developed multiple complications, including sepsis and respiratory failure, resulting in weakness.
Patient is a 30-year-old female with a history of right-sided headaches, after a motor vehicle accident, which occurred 1 month ago. Since the accident she reports having constant headaches. Her pain is described as a dull ache. The pain is located in the neck, back of the head, and it sometimes travels to the front of the head and into the eye. She reports daily headaches that can last anywhere from 30 minutes to hours
Example of Identifiable Descriptions (Authorization Needed)
Ms. Wilson was born in July of 1953 and has worked for 40 years as a welder. Her COPD was first diagnosed in 2007. In the last quarter of 2017, she had a series of 3 COPD exacerbations. These exacerbations required medical intervention with antibiotic treatment and oral steroids; she was hospitalized at Boston Medical Center briefly during the last event.
Key Definitions
PHI: For this purpose, assume PHI is any information a clinic has about any of its patients. This includes registration and payment data, demographics, the patient medical record, oral information, photos, other images and audio/video records.
De-identified PHI: PHI from which you have removed patient name, dental record number, address, contact information and all dates (DOB, treatment dates, etc.). See complete list at BU HIPAA Policy 1.4.
Patient Authorization: A signed form in which the patient gives authorization for his/her PHI to be used for a purpose other than treatment, payment and health care operations.
Minimum Necessary Rule: Always use the minimum amount of patient information needed.
Responding to Online Reviews
Patients will occasionally leave online reviews (e.g., Google reviews, Yelp, etc.) about their experience at a healthcare facility and/or about their provider. It is tempting to respond to those reviews, whether good or bad. However, responding to a review can be a HIPAA violation and a violation of state privacy laws, so it is best practice to not respond at all. The following are some FAQs about responding to online reviews:
My patient wrote a review about me online. Should I respond?
No. Your response may be an impermissible disclosure of patient information and a violation of HIPAA and state privacy laws.
So, I should just ignore the fact that the patient wrote a review?
Absolutely, not. You should reach out to the patient offline to let them know you saw their review. You can do this at their next appointment. If the review was positive, you can tell them how much you appreciated their kind words. If the review is negative, you can hear what they have to say, and see if you can address their concerns. Although negative reviews are never enjoyable to hear, it may be an opportunity for improvement.
The patient’s review is completely made up. Does it matter that the review isn’t even true?
Unfortunately, you cannot respond to the patient’s review to say it is untrue. However, you can reach out to the website that hosts the review and ask them to remove it, since it is false.
The patient identified themself in the review, so they already disclosed their own information. Why can’t I respond?
Even if a patient identifies themselves in a review, it does not give you the ability to respond and acknowledge that they are a patient. There is no exception under HIPAA or state law for responding to a patient’s review without the patient’s authorization.
What is the big deal if I do respond?
The Office of Civil Rights (OCR) has entered into settlement agreements for responding to online reviews, which include fines and monitoring by the government, with several healthcare providers. This issue is on OCR’s radar and is something they are enforcing.
Even if I can’t respond, can someone else from my clinic respond?
We strongly recommend that no one at your clinic respond to online reviews. It is challenging to provide a meaningful response to a review when you can’t acknowledge that the person giving the review is a patient. However, if the clinic feels a response is necessary, an individual at the clinic can be specifically designated to respond to online reviews. Such person can only respond to the online review with a generic statement, which says something like, “Our office strives to provide excellent service to all patients, and we do our best to meet this goal. We encourage any patient who would like to discuss their experience to contact us directly,” or “Thank you!”
This was super helpful, but what if I have more questions?
You can always reach out to hipaa@bu.edu with any questions you have about responding to online reviews or any other health privacy matters.