Under the HIPAA Privacy Rule, covered entities (CEs) are restricted in how they may use and disclose protected health information (PHI). However, CEs may disclose PHI without authorization if the disclosure relates to treatment, payment, or healthcare operations. In the course of business, CEs often send patients appointment reminders. Because appointment reminders are considered part of the treatment of patients, they are permitted without prior authorization from the patient.
What is Permitted to be Disclosed in Patient Appointment Reminders?
Sending patient appointment reminders by mail or email, or leaving a voicemail reminder, is permitted; however, before sending patients email reminders, covered entities must ensure that they have adequate safeguards in place to secure the information.
When issuing patient appointment reminders, covered entities must restrict the information that they disclose in the reminder. The HIPAA Privacy Rule mandates that disclosure of PHI adhere to the minimum necessary standard. As such, when issuing patient appointment reminders, covered entities should only disclose the information needed to confirm the appointment.
The types of information that may be disclosed in appointment reminders are as follows:
- Patient’s name
- Appointment date and time
- Covered entity’s name
- Covered entity’s phone number
Disclosing information such as the nature of the patient’s appointment is considered an unauthorized disclosure of PHI. Covered entities should never disclose information regarding a patient’s treatment, health condition, or test results (via phone, email, or mail) unless patients sign an authorization form permitting their information to be disclosed in this manner. Disclosing health information without prior consent can result in the accidental disclosure of PHI, as a patient’s family member or friend may have access to the patient’s voicemail, email, or mail.
Although disclosing health information to a patient’s family member or friend is not permitted without authorization, covered entities may leave a message with a person other than the patient, provided that no health information is disclosed.
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company or individuals.