English
Español
HIPAA
HIPAA stands for Health Insurance Portability and Accountability Act. It is a federal law that:
- Protects the privacy of a patient’s health information
- Provides guidelines for the electronic and physical security of personal and health information
Under HIPAA, a patient has a right to:
- Inspect, review, and receive their health records.
- Protect their health records from employers.
- Protect their health records from family members and friends, unless they are a personal representative, or the patient has given consent.
- Know if their health provider is planning on using or sharing their health information.
This list is not all-encompassing; for a full description visit: The Official HIPAA Site
We must protect an individual’s personal and health information that:
- Is created, kept, filed, used or shared.
- Is written, spoken, or electronic.
HIPAA defines this information as Protected Health Information (PHI)
| Personal Information | Medical Information |
| Name | Diagnoses |
| Address | X-rays |
| Date of Birth | Procedures |
| Age | Prescriptions |
| Phone/fax number | Lab Work |
| Social Security number | Test Results |
| E-mail address | Any other unique identifying numbers |
PHI, in short, is any health information that can be tied back to an individual.
It includes the past, present, or future health status of an individual in relation to the provision of healthcare and payment for healthcare.
PHI is only PHI when an individual could be identified from the information.
If all identifiers are removed, it is no longer protected health information and the HIPAA Privacy Rules restrictions on uses and disclosures no longer apply.
People consider health information their most confidential information, and we must protect it accordingly.
- Do not access information that you do not need
- Do not discuss information with individuals who do not need to know it
- Do not provide information to anyone not authorized to receive it
When using PHI, think about:
- Where you are
- Who might overhear the PHI
- Who might see the PHI
Misusing protected information can result in discipline, legal penalties and loss of trust from patient to clinic.
HB may create, use, and share Protected Health Information ONLY by HIPAA trained personnel and ONLY for:
- Treatment of the patient, including appointment reminders
- Payment, business, and management operations
- Disclosures required by law
HIPAA mandates a Minimum Necessary Rule: This means limiting the amount of information that is shared in order to perform a specific patient related task.
Share only what is needed & relevant.
Each patient must receive a copy of the Notice of Privacy Practices.
A signature is routinely obtained to show that they have been appropriately informed.
The Notice of Privacy Practices must also be found at the patient reception area or by asking any staff member.
For other uses and disclosures of PHI, HB MUST get a signed authorization
from the patient. For example:
- To disclose a patient’s information to another clinic or healthcare provider
- To disclose information to a relative or friend
- To use a patient’s first name and diagnosis in a newsletter
ONLY to do your work!
At all other times, staff are expected to protect a patient’s information as if it were their own information.
Please be especially careful during casual conversations with staff or other volunteers, on site or off.
- Look at a person’s information only if you need it to perform your duties
- Use a person’s information only if you need it to perform your duties
- Give a person’s information to others only when it is necessary for them to perform their duties
- Talk to others about a person’s info only if it is necessary to perform your duties
The Spoken Word
- Conversations in the hallway
- Conversations in public areas
- Retrieving voice mail messages
- Telephone conversations
These are just a few examples of instances where these pitfalls occur. Remember, if someone besides the patient can hear the information, you probably shouldn’t be saying it!
Electronic Privacy
- Shared workstations
- Logging in
- Turning off screens and computers
- Faxes
Monitor your Electronic Privacy vigilantly! Remember, even just a simple glance at PHI that is not by an authorized user could garner a HIPAA complaint.
Security/Paper Privacy
- Leaving EMR up on the computer screen
- Throwing papers with personal information in the trash
- Leaving patient records in non-secure areas
- Leaving papers face up so information is showing
- Not checking photo IDs when a patient is picking up prescriptions or medical records.
- Do not allow unauthorized persons into restricted areas where access to PHI could occur.
- Arrange computer screens so they are not visible to unauthorized persons and/or patients.
- Log off prior to leaving work area, and do not leave computer unattended
- Turn paperwork containing personal/protected information face-down.
- Do not duplicate, transmit, or store protected information unless indicated.
- Do not store protected information removable devices (CD/DVD/Thumb Drives/phones).
If a patient:
- Has a privacy concern — please direct them to a supervising staff member
- Requests to see their medical records — please direct them to a supervising staff member
- Requests a copy of their medical records — please direct them to a staff member
Do not give any copies to anyone without first consulting a staff member
Take action where needed:
- If you believe you have encountered a HIPAA violation, please alert a HB staff member at once
- Please share the details of the violation
We are committed to respecting the privacy of our patients and will actively address the concern.
Copyright © 2024 all rights reserved