HIPAA Facts and Regulations

Do we need to get consent to use or disclose information for treatment, payment and health care operations?

HIPAA does not require any consent for the use and disclosure of protected health information (PHI) for Treatment, Payment and Health Care Operations (TPO). However, HIPAA commentary stated that this position was not intended to impede existing privacy rights for clients. There has been debate about whether New York law does require a general consent for the use or disclosure of PHI for TPO. A general discussion of OMH’s interpretation of this provision is available here – https://www.omh.ny.gov/omhweb/hipaa/faq/privacy.htm. There are still provisions in New York law that arguably require consent for these purposes. The majority of ACLAIMH’s members have reported that they always obtain consent for the disclosure of PHI for treatment, renewed every six months or on a one-time basis, and that they obtain consent for the disclosure of PHI for payment through the residency agreement (renewed yearly). They also give clients the right to revoke consent. Obtaining some form of consent in these cases is best practice.


What is the difference between an individual authorization and consent for release of information?

As discussed above, although HIPAA does not require consent for Treatment, Payment and Health Care Operations (TPO), it requires a specific authorization for many other disclosures. An authorization must contain very specific elements. A consent, by contrast, has no specific requirements, because HIPAA does not require it and New York law does not specify what it must contain. Form OMH 11 is a sample of an authorization. The New York State Office of Court Administration Form 990 is another example.

Our agency is the service provider working hand-in-glove with a landlord that is also a not-for-profit agency interested in supporting persons with disabilities in permanent, affordable housing. They maintain a large single-site building, while we provide on-site services. We routinely disclose PHI to the landlord because specific units in the building are set aside for people with disabilities, and, at a minimum, the landlord needs to see that a person is eligible. Do we need a consent/authorization to release PHI to the landlord? Do we need a business associate agreement?

You should be obtaining an authorization. If your agency is not on the lease and does not pay the landlord directly, but provides the landlord with PHI, you do not need a Business Associate Agreement; the authorization covers the release.

Our agency works closely with small businesses in our community to place consumers in work. We do not pay the business owners so we do not have a business relationship with them in the traditional sense of us purchasing goods or services. Do we need a consent/authorization or a business associate agreement to bring a consumer to the interview, or to place a consumer in the business?

It is prudent to get an individual authorization. The mere fact that an individual receives services from a mental health provider is itself PHI about that person, so bringing a consumer to an interview or placing the consumer in the business discloses it. You do not need a Business Associate Agreement because you do not have a business relationship with the employer, and the authorization covers the disclosure.


What if a client refuses to sign a notice of privacy practices?

HIPAA requires a good faith effort to obtain a written acknowledgment of receipt of the Notice of Privacy Practices. If the client refuses to sign, handle it the way you would normally handle this type of situation, e.g., note directly on the Notice of Privacy Practices that the client refused to sign, sign and date the note, and maintain it in the chart.

The sample Notice of Privacy Practices has sections that address situations our facilities just do not have, e.g. a facility directory, marketing, and fundraising. Can we take out these sections if we don’t have a facility directory, and don’t do fundraising or marketing?

Yes. We left these sections in because some of our providers have facility directories of some sort; e.g. a large single-site facility might have a switchboard with a directory, or a small facility might have names on mailboxes that are open to the general public. For these agencies, it is wise to leave the directory section in and to give clients an opportunity to object. Regarding fundraising, if you believe that you will never perform fundraising, you may take it out, but given the fiscal times we are in, you might change your position. On marketing, if you ever use a client’s name or face on a brochure, in a newsletter, or in an ad, you should leave this section in.

Business associate agreements issues: What is a business associate?

In general, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include:

o claims processing or administration;
o data analysis, processing or administration;
o utilization review;
o quality assurance;
o billing;
o benefit management;
o practice management;
o repricing;
o legal, actuarial, accounting or consulting services;
o data aggregation;
o accreditation services;
o management or administrative services;
o financial services; and
o landlords in certain limited circumstances.

Is a business associate contract required with organizations or persons where inadvertent contact with protected health information may result – such as in the case of janitorial services?

A business associate contract is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all. Generally, janitorial services that clean the offices or facilities of a covered entity are not business associates because the work they perform for covered entities does not involve the use or disclosure of protected health information, and any disclosure of protected health information to janitorial personnel that occurs in the performance of their duties (such as may occur while emptying trash cans) is limited in nature, occurs as a by-product of their janitorial duties, and could not be reasonably prevented. Such disclosures are incidental and permitted by the HIPAA Privacy Rule.

If a service is hired to do work for a covered entity where disclosure of protected health information is not limited in nature (such as routine handling of records or shredding of documents containing protected health information), it likely would be a business associate. However, when such work is performed under the direct control of the covered entity (e.g., on the covered entity’s premises), the Privacy Rule permits the covered entity to treat the service as part of its workforce, and the covered entity need not enter into a business associate contract with the service.

Is a software vendor a business associate of a covered entity?

The mere selling or providing of software to a covered entity does not give rise to a business associate relationship if the vendor does not have access to the protected health information of the covered entity. If the vendor does need access to the protected health information of the covered entity in order to provide its service, the vendor would be a business associate of the covered entity.

For example, a software company that hosts the software containing patient information on its own server or accesses patient information when troubleshooting the software function, is a business associate of a covered entity. In these examples, a covered entity would be required to enter into a business associate agreement before allowing the software company access to protected health information. However, when an employee of a contractor, like a software or information technology vendor, has his or her primary duty station on-site at a covered entity, the covered entity may choose to treat the employee of the vendor as a member of the covered entity’s workforce, rather than as a business associate.

Is a landlord a business associate, or in the alternative, should we get an individual authorization to do business with landlords?

It depends:

If the landlord knows that the tenant is a consumer of mental health services, and the agency pays the landlord directly, then the landlord is a business associate that has been given PHI, and the agency should get a Business Associate Agreement signed. This is particularly important in the case of a landlord in a small building or two-family house, where the landlord becomes involved to some degree in the person’s care (e.g. will alert staff when someone seems to be decompensating); OR

If you disclose to the landlord that the tenant is a consumer of mental health services, but the consumer is on the lease, not the agency, and the agency does not send money directly to the landlord, then it is wise to get an individual authorization from the client to disclose the client’s status to the landlord, but you would not need a Business Associate Agreement; OR

If agency staff is helping the client find an apartment, the landlord is NOT told that the client is a consumer of mental health services and could not reasonably infer it from the agency staff’s involvement, and the agency has NO business relationship with the landlord, then nothing is required.

Some agencies have reported that they have asked landlords to sign a Business Associate Agreement but the landlords have refused. It would be unrealistic and unreasonable to expect an agency to break a lease and move a client because of this refusal. Where a landlord refuses to sign, we would ensure that an authorization from the client is on file.

In the ACLAIMH manual there are two business associate agreements – which should we use?

One is a sample from HHS, which balances the agency’s and the business associate’s interests. The other was written specifically for ACLAIMH’s members and is more protective of your interests. We provided both for comparison. We recommend that you use the ACLAIMH-specific agreement rather than the one entitled “HHS Sample,” but which one you use is a business decision.

Designated record set: is the designated record set equivalent to the “clinical record” as we have traditionally understood it to be?

No. It includes the clinical record but is greatly expanded beyond the clinical record. A designated record set is any group of records containing protected health information that may be used to make decisions about individual residents or their treatment. Under the Privacy Rule, designated record sets would include:

o Mental health records maintained by the residential program or a business associate of the residential program;
o Case records maintained by the residential program or a business associate of the residential program;
o Billing records maintained by the residential program or a business associate of the residential program;
o Any enrollment, payment, claims adjudication, and case or medical management records maintained for a health plan or insurer by the residential program or a business associate of the residential program; and
o Any other group of records maintained by the residential program or business associate to make decisions about individual residents.

Are quality assurance reports part of the designated record set?

Residential programs should note that the United States Department of Health and Human Services (“HHS”) has not provided clear guidance on what records would represent records maintained by the residential program or business associate to make decisions about individual residents. HHS has stated that the designated record set includes “records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access [to records].” This suggests that the “catch-all” category could include quality assurance reports, peer review records, and other compliance reports and materials, which, on some level, are used to make decisions about individuals. HHS has also stated, however, that quality assurance records “typically would not be used to make decisions about individuals, and, thus, typically would not be part of a designated record set.” HHS has warned that it does “not agree that records in these categories are never used to affect the interests of individuals.”

Given the contradictory nature of the advice from HHS, each agency must analyze its categories of records, decide to what extent each category is used to direct the treatment of individuals, and ultimately make a business decision about whether or not to include those records in the designated record set.

Are incident reports or incident review committee meeting minutes part of the designated record set?

They are part of the designated record set to the extent that they may be used to direct treatment, but most providers interpret them as not being used in this fashion.

Documents often have other clients’ names on them. How do we handle the potential disclosure of other clients’ information?

Before disclosing the record, the other clients’ information must be redacted from the copy that is disclosed.

If a client requests access, do we have to show them the entire designated record set?

You should describe the entire set, and ask what parts they want to see. However, you may deny access under very specific circumstances, as set forth in the Manual.

Is the staff log part of the designated record set?

It is, to the extent that it directs or is otherwise used for treatment.

o Some agencies are moving to a loose-leaf binder with dividers by client, so that all client-related information is kept in the binder. They direct staff to keep any notes about other residents anonymous. The staff log is then confined to program-related notes.

o If you do not do the above, then any time you show a client the staff log you should copy the relevant pages and redact the information about other clients from the copy. You do not have to show the original, because you would have to deface it in order to redact it successfully.

Is duplicate information part of the designated record set? If a client wants access to her designated record set, and there are duplicate records in the set, must we show her all copies of the materials?

Exact duplicates do not have to be shown, but they have to be EXACT duplicates for this rule to apply. If a duplicate differs in any way, both versions must be made available. For example, copies of the actual prescriptions are in the client chart. Those prescriptions may be transcribed onto a medication sheet that is in the chart, onto a supervision log that staff sign when a medication is taken, and onto a list on the medication cabinet that shows at a glance the time of day that each medication must be given. All of these are part of the designated record set. The medication sheet and the cabinet list may be identical, in which case only one of them needs to be shown. The copies of the actual prescriptions, however, carry the doctor’s name and license number, so they are not identical to the lists, and the staff supervision log carries staff initials, so the log is not identical either. One list, the copies of the prescriptions, and the supervision log would therefore have to be offered.

Are billing records part of the designated record set?

Yes. As listed above, billing records maintained by the residential program or by a business associate of the residential program are part of the designated record set.

Does the board of directors have to approve the HIPAA policies?

We would conclude yes. Boards of directors are increasingly responsible for compliance functions in an agency, and under OMH regulations (see Part 595.6(d)(7)) the board of directors is responsible for approving agency policies, which include policies related to confidentiality.


We are making sure that our computers do not face doors, so that a person walking by cannot see PHI on a computer screen. However, in some offices, if the computer does not face the door, it must face the window. To what extent must we ensure that a passer-by cannot see in?

Use a common-sense approach. You are not required to guarantee that someone who affirmatively tries to look in could never see the information. One agency told us about a product called “Insta-Cling – Limo Dark” from Wal-Mart at $11.00 per box. It is a gray plastic film that clings to the window. This would certainly be a reasonable safeguard under the Privacy Rule. This suggestion comes from Human Development Services.

Are staff id’s required under HIPAA?


We have specific policies on the use and disclosure of confidential HIV information. Does this change with HIPAA?

For the most part, no. New York law is more stringent than HIPAA on the use and disclosure of confidential HIV-related information, so you should generally continue to follow your current practices. However, there are areas where HIPAA and New York law must be integrated. ACLAIMH has a Guide to Developing Policies for HIV Information that is part of the manual.

We have clients sign out bus tokens on a running sheet, which reveals to other clients, and to anyone who looks at the sheet, that those who signed are in our clinic program. We must have a list to give to Medicaid for payment, so we cannot do away with the list. How can we handle this?

Leave out a PEEL AND STICK label sheet and have each client sign a label. The person giving out the bus tokens then peels off the label and attaches it to a sheet that she keeps protected from public view. This suggestion came to us from Clearview staff.

Are our outreach or support programs subject to HIPAA?

Only if the programs provide treatment, bill for it electronically, and maintain or create protected health information. Note that if you want only certain parts of the agency to be covered, you would need to organize the agency as a hybrid entity. To become a hybrid entity, the covered entity must designate, and include in its health care component, all components that would meet the definition of a covered entity if they were separate legal entities. Within a hybrid entity, most of the HIPAA Privacy Rule requirements apply only to the health care component, although the hybrid entity as a whole retains certain oversight, compliance, and enforcement obligations.

I understand that we have to train staff in the fundamentals of HIPAA. Do we have to give them a post-test?

No post-test is necessary. However, you do need documentation of the training.

We often have volunteers and interns working in our offices and programs. Do we have to train them as well?

Yes. Volunteers and interns are considered part of your work force.

We have children’s programs with children between the ages of 10 and 18, and sometimes they are remanded to our programs straight from court without a parent. Who do I give the Notice of Privacy Practices to?

Give the Notice of Privacy Practices to the child. There are instances where an unemancipated minor can exercise his or her own privacy rights: if the minor can consent to the treatment without parental consent, giving the document to the minor is appropriate. If the minor cannot consent to the treatment on his or her own, or the parent or legal guardian is involved in the treatment, send a copy to the parent or legal guardian.

We often receive substance abuse information from substance abuse treatment facilities, and we are directed to not re-disclose except in compliance with the law. Does this still apply?

Yes. Substance abuse treatment facilities will send information to you stamped with a notice that restricts re-disclosure. You may then re-disclose only in compliance with the governing law, which is 42 CFR Part 2. HIPAA has NO EFFECT on this requirement.

Do we have to get a business associate agreement from pharmacies?

No. Your interactions with pharmacies are “treatment” related and so do not require a Business Associate Agreement.
