FAQ: Privacy, HIPAA, Medical Records, and You
Conversations around privacy, especially in a healthcare setting, have come up often lately, and I wanted to share some of the thoughts and philosophy I have around it as a practitioner - and a journal entry here seemed like the easiest way. (It definitely isn’t a topic that I can boil down to an Instagram caption!) Some of this may seem like a bit of an odd topic, coming from an acupuncturist, but I hope the information is useful to you, and also gives you an idea of what I am thinking about while operating my practice!
My philosophy
Des Moines can often feel like a small town where everyone knows everyone, so it’s really important to me that patients understand that their health information, stories, and other things they share with me are private. My philosophy boils down to this: I prioritize patient privacy whenever possible - not just to follow HIPAA, but also as a matter of principle. This means:
I don’t share that you are (or aren’t!) my patient with anyone, even your family members, without your consent. I don’t take insurance and I always require payment at the time of service, so this information also won’t reflect on bills in the mail or on statements from your insurance company. Though I deeply appreciate referrals, I won’t let you know if the people you’ve referred have contacted me or have made an appointment (even if you ask!).
By extension, I don’t share when your appointment times are with others. Some people like coordinating appointment times with friends or family, which is great! But that is something you will need to work out together. (I suggest sitting down with the booking software together and picking your appointment times.)
I don’t discuss your health history or other information you tell me with others, whether that is a family member, friend, or just a random community person. This should go without saying, but I’m saying it anyway! This includes conversations within the clinic or out in the community. I have a pretty decent poker face, and will generally act as though each time I hear a story, it’s the first time. (And, sometimes with ADHD, it feels like it is!)
I require written permission to release records or discuss your case with other healthcare providers or with designated individuals (such as family members). This is normal in the health care setting, and you may have filled out these forms before at other providers’ offices. You may want to release records so that I can coordinate your care with another provider, or so a family member can help keep track of your healthcare - let me know if that is the case, and I will provide the form to you.
I won’t discuss your care with you in public settings. If I see you around town, I won’t ask you about something you’ve shared with me in the clinic.
I don’t text you about your health because text messages are not encrypted (more on this in a minute) and aren’t HIPAA compliant. If you want to change appointment times or cancel appointments, you can text me, but emailing or visiting the patient portal is more secure. I ensure my booking/charting software and email are HIPAA compliant.
I use a VPN for all my internet traffic when doing any booking/charting. If you don’t know what that means, don’t worry about it (or watch this 5-minute YouTube video here, if you’re curious) - just understand that it provides more security to my internet traffic.
Basically, wherever and whenever it is an option, I err on the side of protecting your privacy. This is sometimes frustrating to people, but it is more important to me that patients know the information they share with me is confidential.
Privacy Limitations
But, it is crucial to understand that there are limits to patient privacy that are not in my control. These limits actually apply to almost all healthcare providers, so it’s generally good information to keep in mind! These limits are described in the HIPAA/privacy form that you sign before your first visit, but for clarity, I’ll highlight a few points here:
I am considered a mandated reporter by the State of Iowa. This means I am required to report if it appears that a child or dependent adult/elder is being neglected or abused. For more information on this, visit Iowa’s website on Mandated Reporting.
Additionally, I am ethically bound to report if you share that you have a plan to harm yourself or others. This is pretty self-explanatory.
Medical records (including those created during your acupuncture treatments) can be subpoenaed in certain circumstances. There are actually many circumstances in which your medical records could be requested for law enforcement purposes; to read more on that, visit the US Health and Human Services website. While I will, of course, consult with my attorney, in the end, I can’t just choose not to turn over records if subpoenaed.
Encrypting messages
There have been some news stories in the past few years discussing people who were charged and/or found guilty of crimes due to having their Facebook messages obtained by law enforcement, which brings up an important issue to take into consideration.
Messaging software or apps (like Facebook Messenger) that we use aren’t automatically protected and people could either intercept them and/or the company can have a record of them. This means your messages could also be obtained by law enforcement, or even by others, depending on the situation. Another example is using messaging apps (like Teams, Slack, etc.) at work - your company likely has access to and a record of these messages. (Just something to keep in mind!)
One partial solution to this is using messaging software that has end-to-end encryption turned on. (For more information on this, Wikipedia has a great entry on the basics of end-to-end encryption.) While end-to-end encryption isn’t a 100% guarantee or solution, it’s definitely a step in the right direction! One app that provides a high level of security is Signal. You can see a review of the security of different messaging apps on this website. You can also sign up for an email address that has encryption (because a general Gmail address doesn’t!). But, as the saying goes, a good rule in life is to be careful what you put in writing.
Final thoughts
Why share all this information? It is a bit of a strange topic for a health provider. But I think it’s important for patients to understand both how I think about protecting their privacy and what my legal limits for that are. Your medical records (both at my clinic and in other medical offices) are protected, but they can be subpoenaed or acquired for a wide variety of reasons.
I also want people to know that these are things I keep in mind all the time: when I write my forms, when I do my charting, and when I communicate with you (and others!). There may be questions that I don’t ask on a form because they are not necessarily relevant to your care. Some things are unnecessary for me to chart because, again, it’s not important - it’s plenty specific for me to say “condition worsens due to work stress” without summarizing the details of a story you told me.
But, zooming out from my practice specifically, these are also good points to remember when interacting with the healthcare system in general. HIPAA does provide some protection, but it’s often not as much as we think! (Think of it more as a wall with a gate rather than an impenetrable shield.) And, our own personal actions are important too - whether that is how we communicate the information in our everyday life or what we choose to share.
Questions? As always, feel free to reach out! If you’re a patient, you can always review the most current version of the HIPAA & Privacy form you’ve signed in the patient portal.