Is it against HIPAA regulations to display a person's DOB at the top of a letter from a provider?

Answer 1

If the information is going from one covered entity to another covered entity, and the receiver has a legitimate and authorized right to get information about the client, then I doubt that having the DOB at the top is a problem (provided that the information follows a secure pathway to the recipient). It might not be the best form to have the DOB there. This is the opinion of a non-attorney. I am an administrator at a social services agency. === === The above isn't exactly 100% true. If the correspondence is going between two Providers who are both treating this patient, where there is no limitation sharing PHI in the interest of treating the patient, this is true. However, if the receiver is a Covered Entity (CE) but not a Provider, the "minimum necessary" rule comes into play, and the sender would need to show why DOB was a requirement for Payment or Operations to occur. If the recipient isn't a Covered Entity, or a support company appointed to support TPO, legally covered under a Business Associate's Agreement (BAA), then including the DOB would be an unauthorized disclosure and a violation of HIPAA. Answer: The compliance acronyms roll right off our lips these days: HIPAA, SOX, PCI. All these and many others are top-of-mind to executives and practitioners throughout the industry. What about the European Union Directive 2002/58/EC, or India's Information Technology Act? As the need to protect data moves from a local to a global concern, many governments are taking notice and have implemented their own versions of data-protection laws. While there are strengths to having this legislation in place, there are several hazards that organizations must be aware of when considering doing business in other countries. === === Interesting response about international privacy law! Very cool. From experience I can tell you that this is typically handled (for better or worse) before the information changes hands -- which has some rather grim medical overtones, if it takes a week or two in order to get your chart if you visit, say, Germany. Nevertheless it's so. By last foray though International Privacy Law garnered quite a harvest. The first and most lasting impressions was that, on an international scale, civilian privacy law was used more as ammunition in political "who's the bad guy?" contests, which makes it into a bargaining chip. The EU policy was pretty much ignored except in the many areas it overlapped Germany and the few areas where it overlapped France. It should come as no surprise that American, Japanese, EU, German and French privacy law are all greatly at odds, and -- expectedly -- not over what you'd think. For instance, the German accusation is that simple citizens in America can legally obtain and distribute sensitive information about individuals, and we don't wall this off, with no small part of that being First Amendment protection. This would sound altruistic to the ear until one notices that the German law makes almost any information about individuals freely available to the Bundesnachrichtendeinst (BND) -- the German version of the FBI, whereas American privacy law makes it somewhat tougher for Law Enforcement to get private information. Who holds the moral highground here, I'll leave for you to decide. France, on the other hand, forbids its civilians the use of encryption altogether (naturally this doesn't include banks or that ridiculously flawed "Smart Card" they've been trying for nearly two decades to make work). It's hard for me to say the rights of others are being protectec when one is forced to make everything they say or write easily available to anyone with a writ or the technology to listen in illegally. Fortunately for business, the laws are sufficiently muddled that charges of illegal privacy breach are only leveled as bargaining chips, at least for now. It's not jingoism that makes me say that -- for now -- I'm happiest with the US privacy laws simply in that there was a strong protection allowing me to use serious encryption. You could argue that DMCA overrides that, but it hasn't in the courts. Not yet.