Industry News

CMS Clarifies HIPAA Compliance Requirements on Patient Privacy and Medical Record Confidentiality

Richard P. Kusserow | March 2012

The Centers for Medicare & Medicaid Services (CMS) recently issued guidance to State Survey Agency Directors (state surveyors) clarifying the Health Information Portability and Accountability Act (HIPAA) requirements on hospital patient privacy and medical record confidentiality.


Understanding HIPAA Compliance Requirements

CMS emphasized that hospitals must prevent unauthorized disclosures of patient information, including the patient’s presence in the hospital, demographics, and medical condition. Hospitals are also required to give patients an opportunity to agree or object to any disclosures of their information. However, this requirement does not apply to disclosures related to treatment or administrative functions.

CMS further clarified that incidental disclosures that are “limited in nature” and occur due to a permitted disclosure are acceptable. Hospitals, however, must implement adequate safeguards to prevent these disclosures where possible. CMS instructed state surveyors to determine whether hospitals implemented appropriate safeguards to minimize the release of patients’ health information through incidental disclosures. In addition, under HIPAA compliance requirements, hospitals must limit disclosures of medical records to the minimum necessary to provide patient care or payment functions. CMS instructed state surveyors to determine whether hospitals have adequate policies and procedures to ensure that the minimum necessary standard is met.

The CMS guidance on patient privacy and medical records confidentiality can be accessed at: http://www.cms.gov/Surveycertificationgeninfo/downloads/SCLetter12_18.pdf.



Centers for Medicare & Medicaid Services. “Hospital Patient Privacy and Medical Record Confidentiality.” Memorandum. 2 Mar. 2012.

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 2,000 health care organizations and entities in developing, implementing and assessing compliance programs.