Privacy, HIPAA, Medical Records, and You
Conversations around privacy, especially in a healthcare setting, have come up often lately, and I wanted to share some of the thoughts and philosophy I have around it as a practitioner - and a journal entry here seemed like the easiest way. (It definitely isn’t a topic that I can boil down to an Instagram caption!) Some of this may seem like a bit of an odd topic, coming from an acupuncturist, but I hope the information is useful to you, and also gives you an idea of what I am thinking about while operating my practice!
My philosophy
Des Moines can often feel like a small town where everyone knows everyone, so it’s really important to me that patients understand that their health information, stories, and other things they share with me are private. My philosophy boils down to this: I prioritize patient privacy whenever possible - not just to follow HIPAA, but also as a matter of principle. This means:
I don’t share that you are (or aren’t!) my patient with anyone, even your family members, without your consent. I don’t take insurance and I always require payment at the time of service, so this information also won’t reflect on bills in the mail or on statements from your insurance company.
By extension, I don’t share when your appointment times are with others. Some people like coordinating appointment times with friends or family, which is great! But that is something you will need to work out together (I suggest sitting down with the booking software together and picking your appointment times.)
I don’t discuss your health history or other information you tell me with others, whether that is a family member, friend, or just a random community person. This should go without saying, but I’m saying it anyway! This includes conversations within the clinic or out in the community. I have a pretty decent poker face, and will generally act as though each time I hear a story, it’s the first time. (And, sometimes with ADHD, it feels like it is! 😂)
I require written permission to release records or discuss your case with other healthcare providers or with designated individuals (such as family members). This is normal in the health care setting, and you may have filled out these forms before at other providers’ offices. You may want to release records so that I can coordinate your care with another provider, or so a family member can help keep track of your healthcare.
I won’t discuss your care with you in public settings. If I see you around town, I won’t ask you about something you’ve shared with me in the clinic.
I don’t text you about your health because text messages are not encrypted (more on this in a minute) and aren’t HIPAA compliant. If you want to change appointment times or cancel appointments, you can text me, but emailing or visiting the booking software is more secure. I ensure my booking/charting software and email are HIPAA compliant.
I use a VPN for all my internet traffic when doing any booking/charting. If you don’t know what that means, don’t worry about it (or watch this 5-minute YouTube video here, if you’re curious) - just understand that it provides more security to my internet traffic.
Basically, wherever and whenever it is an option, I err on the side of protecting your privacy. This is sometimes frustrating to people, but it is more important to me that patients know the information they share with me is confidential.
Privacy Limitations
But, it is crucial to understand that there are limits to patient privacy that are not in my control. These limits actually apply to almost all healthcare providers, so it’s generally good information to keep in mind! These limits are described in the HIPAA/privacy form that you sign before your first visit, but for clarity, I’ll highlight a few points here:
I am considered a mandated reporter by the State of Iowa. This means I am required to report if it appears that a child or dependent adult/elder is being neglected or abused. For more information on this, visit Iowa’s website on Mandated Reporting (https://hhs.iowa.gov/child-welfare/mandatoryreporter).
Additionally, I am ethically bound to report if you share that you have a plan to harm yourself or others. This is pretty self-explanatory.
Medical records (including those created during your acupuncture treatments) can be subpoenaed in certain circumstances. There are actually many circumstances in which your medical records could be requested for law enforcement purposes; to read more on that, visit the US Health and Human Services website. While I will, of course, consult with my attorney, in the end, I can’t just choose not to turn over records if subpoenaed.
Encrypting messages
There have been some news stories lately discussing people who were charged and/or found guilty of crimes due to having their Facebook messages obtained by law enforcement, which brings up an important issue to take into consideration.
Messages sent through the messaging software or apps we use (like Facebook Messenger) aren’t automatically protected: people could intercept them, and/or the company can have a record of them. This means your messages could also be obtained by law enforcement, or even by others, depending on the situation. Another example is using messaging apps (like Teams, Slack, etc.) at work - your company likely has access to and a record of these messages. (Just something to keep in mind!)
One partial solution to this is using messaging software that has end-to-end encryption turned on. (For more information on this, Wikipedia has a great entry on the basics of end-to-end encryption.) While end-to-end encryption isn’t a 100% guarantee or solution, it’s definitely a step in the right direction! One app that provides a high level of security is Signal - and I do have this set up with the clinic phone number if you absolutely must text me something on the more personal side. You can also sign up for an email address that has encryption (because a general Gmail address doesn’t!). But, as the saying goes, a good rule in life is to be careful what you put in writing!
Final thoughts
Why share all this information? It is a bit of a strange topic for a health provider. But, I think it’s important for patients to understand both how I think about protecting their privacy and what my legal limits for that are. Your medical records (both at my clinic and in other medical offices) are protected, but they can be subpoenaed or acquired for a wide variety of reasons.
I also want people to know that these are things I am keeping in mind all the time: when I write my forms, when I do my charting, and when I communicate with you (and others!). There are certain questions that I don’t ask because they are not necessarily relevant to your care. There are also some things that are unnecessary for me to chart because, again, it’s not important - it’s plenty specific for me to say “condition worsens due to work stress” without needing to summarize the details of a story that you told me.
But, zooming out from my practice specifically, these are also good points to keep in mind when interacting with the healthcare system in general. HIPAA does provide some protection, but it’s often not as much as we think! (Think of it more as a wall with a gate, rather than an impenetrable shield.) And, our own personal actions - whether that is how we communicate the information in our everyday life or what we choose to share - are important too!
Questions? As always, feel free to reach out! If you’re a patient, you can always review the most current version of the HIPAA & Privacy form you’ve signed in the patient portal.