1. Do the Privacy Rules prohibit the calling of patients' names in waiting rooms?

No. This is one of the HIPAA myths of the Privacy Rules which was dispelled in the July 2001 Guidance issued by DHHS. Simply calling a patient's name in a waiting room is not a violation of the Privacy Rules because no health information is being used or disclosed. However, if the staff member calls the patient's name and then says out loud in front of others who may be in the waiting room, "so Mrs. Jones, I see that you are here for another mammogram today," PHI has been disclosed in violation of the Privacy Rules. Staff must learn to be discreet in the comments that they make in front of persons who are not authorized to know such information.

2. If our business associate uses or discloses PHI in an inappropriate way, will we be held responsible?

No, but with an exception. A healthcare provider will not be held responsible for a business associates' unauthorized use or disclosure of PHI, unless the healthcare provider learns of the violation and fails to take action. Upon learning of the violation, the healthcare provider must take reasonable steps to cure the violation and, if such steps were not successful, the healthcare provider must (i) terminate the business associate agreement, if feasible; or (ii) if termination is not feasible, report the problem to DHHS.

3. If I am a radiologist, do I need to get the patient's consent before reading her x-ray films?

No. Radiologists are indirect treatment providers and therefore do not need to obtain patient consent before reading the patient's films and sending the results to the patient's direct treatment provider. For a more detailed discussion of who needs to obtain consent, see Chapter IV of the Reference Manual.