Educate Your Help Desk on Dealing with PHI
Since 1996, HIPAA has held medical offices to strict protocols for handling and disclosing patients’ personal health information (PHI). Strict rules and regulations are firmly in place and enforced to ensure that the handling of PHI in the office follows all the necessary guidelines. This ensures that the confidentiality of patients’ most critical and sensitive information is always protected.
What is PHI?
PHI is the data that includes all health information, including demographic facts, collected from the patient. It also includes any information that is received or created by the health care provider, employer, health care clearinghouse, or health plan.
All pertinent information includes data on the present, past or future mental or physical health or conditions of the patient. It also covers the provision of health care to the patient, and payment for that care, whether now, in the past or in the future. Any information that identifies the patient outright, or that could reasonably be believed to identify the patient, must be fully protected.
HIPAA regulations clearly protect patient information that is maintained in any type of electronic media, transmitted across any electronic media, or maintained or transmitted in any other hard-copy, digital or other medium. These include employment records, educational records and others.
What Needs to Be Protected?
It is important to be educated on each identifiable component of a PHI (protected health information) file. The information that must be protected includes:
- The patient’s name
- All telephone numbers and fax numbers
- All electronic mail addresses
- The patient’s Social Security number
- Any medical record number
- Any medical plan beneficiary number
- The patient’s pertinent dates, including birth date, date of death, admission date, discharge date, and any appointment dates.
Security Versus Privacy of Health Information
According to HIPAA, privacy is clearly defined as the patient’s right to avoid the disclosure of his or her individual medical health information. Medical facilities typically maintain the security and privacy of personal health information through extensive procedures and policies.
The medical facility continually controls who is authorized to access the patient’s data, and exactly how that patient information can be accessed. This includes any disclosure to, or access by, a third party. All HIPAA privacy rules and regulations apply to every patient’s protected health information.
Security, by contrast, is defined by HIPAA as a procedure, mechanism or process used to protect the privacy of all of the patient’s pertinent physical and mental health information. The security protocol also covers how access to the patient information is controlled, along with all of the safeguards in place. Security protection provides safeguards against any unauthorized disclosure, destruction, loss or alteration of the protected health information. Traditionally, security protocols in the office are accomplished using technical and operational controls put in place by the physician.
Accessing Friends’ and Relatives’ Health Information
HIPAA recognizes that access to the system containing patient personal health information is always a privilege. Access to any patient PHI may only occur in the performance of an employee’s or contractor’s job. Accessing the accounts of relatives, coworkers, or friends is strictly prohibited, unless the person gaining access is doing so because of one of his or her job-related responsibilities.
Sign-in Sheets
According to HIPAA, a doctor’s office can use sign-in sheets that record the patient’s name, and/or call out the name of the patient in the waiting room, with limitations. All disclosed information needs to be appropriately limited. Discussing or stating any potential test or diagnosis information in public is clearly prohibited. HIPAA allows for incidental disclosures, such as an overheard name or a patient’s name seen on the office’s sign-in sheet.
Leaving a Message
Under HIPAA, any medical facility leaving a message on an answering machine must use reasonable safeguards to ensure the patient’s privacy. This includes limiting the amount of personal or medical information that is disclosed and left on the answering device. All protocols must be followed to ensure that any information left and overheard by anyone other than the patient will not compromise PHI protection. No details or insinuations of admissions, surgical procedures, test results or other medical information can be left on an answering device.
Faxing Medical Records
Sometimes, one medical provider will request patient personal health information from another office for the purpose of treatment and/or diagnosis. HIPAA allows one office to send the patient information through the mail or by fax. However, every office must confirm the other office’s fax number before transferring the information. If possible, notify the other office to expect the inbound fax, to minimize the exposure of sensitive information and eliminate any unauthorized access or breach.