Debunking some common myths about the HIPAA privacy rule

From the September 2003 American College of Physicians Observer

By Bonnie Darves

Despite the reams of information that have been published on what the Health Insurance Portability and Accountability Act (HIPAA) privacy rule does and does not mean, confusion still reigns regarding several aspects of the new rule. Here are some common myths about the HIPAA privacy rule that continue to confound physicians and their staff:

Myth: HIPAA prohibits using patient sign-in sheets or calling out patients' names in waiting rooms.

Physician practices may still use patient sign-in sheets and call out patients' names, provided the information disclosed on the sheet or in the announcement is appropriately limited. Sign-in sheets cannot contain a patient's Social Security or phone number, for example, or requests for a description of the problem that brought the patient into the office.

Myth: Prescriptions, medical records and test results such as X-rays can be picked up only by the patient.

Pharmacies that prohibit someone other than the patient from picking up prescriptions "are acting on their own policies, not the rule's requirements," said Pamela Waymack, managing director of Phoenix Services Managed Care Consulting in Evanston, Ill. "The HIPAA privacy rule explicitly provides that this common practice can continue."

The rule also allows physicians or staff to hand off medical records and test results to individuals other than the patient. But practices should take care to correctly identify the individual picking up any patient items and, if possible, obtain the patient's permission before releasing them. Even without authorization, the HIPAA privacy rule allows physicians to release such items if they think that doing so is in the patient's best interest.

Myth: Physicians who disclose medical information to other physicians for treatment purposes must meet the "minimum necessary" standard.

Early versions of the privacy regulations required health care providers to use that standard. But Chicago health care attorney Michael R. Callahan, JD, said that the final version of the rule allows providers to share patient information for treatment, payment and operations with all providers involved in a patient's care. Physicians or other providers should, however, have a specific reason for requesting the records.

In addition, most disclosures and requests for medical records should be tracked. There are exceptions, according to Stephen G. Pauker, MACP, vice-chair of the department of medicine at Boston's Tufts-New England Medical Center and the privacy officer for his medical group. Routine discharge summaries to referring physicians or referral forms to another facility don't need to be tracked, he said, and physicians don't need to document the reporting of procedures or test results to a referring physician.

Myth: HIPAA prohibits, or at least discourages, the use of e-mail between physicians and patients.

While that's not true, physicians should try to use e-mail systems that encrypt messages whenever possible. They should also avoid including patient health information unnecessarily in electronic exchanges.

Reece Hirsch, JD, a San Francisco health care privacy and security attorney with Sonnenschein Nath & Rosenthal LLP, pointed out that HIPAA does not specifically call for encrypting e-mail that contains health information. At the very least, he said, physicians should use password-protected systems for those exchanges. He also stressed the importance of advising patients of the possible risks of discussing health matters via e-mail and of obtaining their consent. Because there is always a risk that the contents of e-mail can fall into the hands of unintended people, Mr. Hirsch said, physicians should ask patients to agree to and be willing to take that risk.

Dr. Pauker, for example, has developed a patient-clinician consent form that asks patients to explicitly authorize him and his colleagues to exchange e-mails discussing their health.
The form gives patients guidelines, telling them to not use e-mail to discuss urgent matters, emergencies or sensitive topics such as treatment for AIDS or sexually transmitted diseases. The form also lists the potential risks and indemnifies the medical center should the information reach unintended parties.

Myth: Privacy breaches and incidental information disclosures must be reported to the Office of Civil Rights.

Despite rumors of a secret "HIPAA police," physicians are not required to report incidental disclosures in which someone unwittingly or unintentionally gains access to patient health information. (If a patient walking down the hall overhears a conversation between a nurse and a physician, for example, no action is required.)

More serious breaches, however, require documentation. Ms. Waymack suggested using a central log rather than including the details in patient records where they might be difficult to track down or remember. Practices are also required to remedy the situation that led to the breach.