Overview of HIPAA

The mandates
of the HIPAA privacy regulation apply to most everyone
in the health care industry including physicians,
physician groups, health plans, hospitals, pharmacies,
clearinghouses, nursing homes and billing companies
that transmit any health information in electronic
form or have others transmit such data for them. Therefore,
if a physician practice has a billing company or clearinghouse
transmit electronic data for them, the practice is
covered.

The type
of record covered by the regulation includes both
medical and billing records maintained by or for a
physician practice, as well as a patient's demographic
information. It also covers records "used, in
whole or in part, by or for the [physician practice]
to make decisions about individuals." Which records
may apply, therefore, will differ from office to office.
But generally, most any medical or billing record
maintained by a physician practice - whether paper
or electronic - is covered by the regulation. This
includes information created by or received from another
health care provider.

Some mandates
of the privacy regulation do not apply to physicians
with an "indirect treatment relationship."
Such a relationship exists when a physician provides
health care services based on the orders of another
health care provider and the services or reports are
typically provided directly to another health care
provider, who then provides the services or reports
to the patient. Services provided by pathologists
and radiologists are examples of services that may
fit into this category.

"De-identified
information" is not subject to the requirements
of the regulation unless it is re-identified. Information
that is "de-identified" is generally information
that does not identify an individual and there is
no reasonable basis to believe that the information
can be used to identify an individual. Physician practices
have in the past redacted names, social security numbers,
etc., from records to protect the confidentiality of
the record when it is released. The privacy regulation,
however, is quite specific regarding what information
must be redacted before a record is deemed "de-identified"
under HIPAA. Infocon can provide a checklist of information
that must be removed before a record is "de-identified"
pursuant to HIPAA standards.

Under the
privacy regulation, a person must be treated as a
"personal representative" of an individual
if such person is, under state law, authorized to
act on behalf of the individual in making decisions
related to health care. A personal representative,
therefore, may exercise the patient’s rights
provided to the patient under HIPAA. A personal representative
may exercise such rights when the personal representative
has the right under state law to control the patient’s
health care decisions.

In Kentucky,
a personal representative may act on behalf of a patient
when the personal representative is a court-appointed
guardian or has been given such authority by a power
of attorney. Also, if the patient lacks "decisional
capacity" and has not executed a written document
directing who should make health care decisions on
his behalf, Kentucky law extends "personal representative"
status to the following individuals in descending
order:

- The judicially appointed guardian, provided that
medical decisions are within the scope of the guardianship;
- Spouse of the patient;
- Adult child of the patient or a majority of children
if the patient has more than one child;
- Parents of a child;
- Nearest living relative; or
- Executor of a patient's estate.

The personal
representative must be treated as the individual only
to the extent that protected health information is
relevant to the matters on which the personal representative
is authorized to represent the individual. Physicians
also do not have to give the rights of the patient
under this regulation to a personal representative
if it is suspected that there is an "abusive
situation" between the personal representative
and the patient.

When a minor
lawfully obtains treatment without the consent of
a parent, the minor has the exclusive right to exercise
the rights relating to the minor's protected health
information relating to the treatment received. Under
Kentucky law, minors may obtain treatment without
the consent of a parent in the following circumstances:

- When obtaining diagnosis and treatment for venereal
disease, alcohol and other drug abuse or addiction,
contraception, pregnancy or childbirth.
- Any child 16 or older may authorize outpatient
mental health counseling.
- Any emancipated minor, or any minor who has married
or borne a child, may consent to care for his or
her child or himself or herself.

In such
situations, the parent may not exercise the rights
of a child to the child's health information for the
treatment provided in the given situation. In addition,
health information does not have to be disclosed to
a parent if a physician reasonably believes that the
parent has abused or neglected the child.