Safeguards

The Privacy Rule does not require these types of structural changes be made to facilities.

Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care.

Yes. Covered entities, such as physician’s offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited.

No. The HIPAA Privacy Rule does not prohibit covered entities from engaging in common and important health care practices; nor does it specify the specific measures that must be applied to protect an individual’s privacy while engaging in these practices.

Yes, the Privacy Rule permits this practice as long as the clinic takes reasonable and appropriate measures to protect the patient’s privacy.

The Privacy Rule explicitly permits certain incidental disclosures that occur as a by-product of an otherwise permitted disclosure—for example, the disclosure to other patients in a waiting room of the identity of the person whose name is called.

No. The basic standard for minimum necessary uses requires that covered entities make reasonable efforts to limit access to protected health information to those in the workforce that need access based on their roles in the covered entity.

What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of protected health information?

May a covered entity dispose of protected health information in dumpsters accessible by the public?

May a covered entity hire a business associate to dispose of protected health information?

May a covered entity reuse or dispose of computers or other electronic media that store electronic protected health information?

How should home health workers or other workforce members of a covered entity dispose of protected health information that they use off of the covered entity’s premises?

Does the HIPAA Privacy Rule require covered entities to keep patients’ medical records for any period of time?