Introduction

The HIPAA Steering Committee wants to keep you informed about the rules and regulations necessary to protect the safety and privacy of our patients.

What is considered an acceptable disclosure of PHI (Protected Health Information)?

Contrary to popular belief, it is not always necessary to obtain written authorization from a patient to share their PHI. HIPAA regulations allow for the disclosure of PHI to appropriate individuals in the course of patient treatment, payment, and health care operations. For example, you do not need patient permission to send a consultation letter or to fax records to another provider that is treating a mutual patient. Likewise, you may transmit patient information to third-party payers in the process of filing claims for payment. Similarly, faculty not directly involved with the care of a given patient are allowed to access that chart in the EHR for peer review, since peer review is a commonly accepted health care operation.

What about incidental disclosures of PHI?

There are a number of instances where a patient’s identity or personal information may not be kept completely confidential within the course of a visit to the clinic. Certain incidental disclosures of a patient’s identity are permissible under the privacy rule, provided that reasonable efforts are made to avoid unnecessary sharing of information. For example, patient sign-in sheets are acceptable provided that only the patients’ names are listed and no additional information, such as the medical reason for the visit, is included. Calling out a patient’s name in a waiting room is also considered a permissible incidental disclosure. Similarly, conversations that occur in common areas, such as check-in, check-out, or shared testing areas (like a pretest room), are allowed, provided that reasonable precautions are taken, including lowering voices and avoiding discussion of invasive personal medical questions.

What should I do to protect PHI on paper?

One area where the college is particularly vulnerable to violating the incidental disclosures measure is in the transfer of paper documents from department to department. Currently, many documents containing PHI (like routing slips or patient billing) are transmitted in stacks of paper that are often left unattended in staff members’ inboxes or in the faculty/staff mailroom. While transferring these documents to another staff member is allowed as part of normal health care operations, leaving open documents unattended in a public workplace does not provide reasonable protection for the PHI. To address this concern and avoid a potential violation, we are currently investigating the use of specially designed closable interoffice envelopes for transmitting PHI. Stay tuned to future announcements about the implementation of this new protocol.

Other HIPAA Do’s and Don’ts

Do:

  • Once the information has been recorded in the EHR, always dispose of any documents containing PHI in the shred bins located in each consult room. This includes health history forms, visual field printouts, handwritten notes, printed patient schedules, etc.
  • Report any suspected HIPAA violations to HIPAA Privacy Officer Cathy Beatty or HIPAA Security Officer Geoff Wiggins and include the following:
    • Who: persons involved including reporting person, witnesses, person affected and contact information
    • What: patient information revealed outside of normal job duties and scope of assigned care (anyone not involved in a patient’s care should not access their information)
    • Where: location – room, software program, social media, personal storage device, paper, verbal conversation
    • When: date and time of incident
    • Method: how information was accessed

Don’t:

  • Never use a personal mobile device such as a cell phone, camera, etc. to capture or transmit any PHI during a patient visit. There are strict technical safeguards (encryption, tracking, data recovery) that must be in place to manage any electronic PHI. Therefore, personal electronic devices are prohibited from containing any PHI.
  • Do not post any PHI pertaining to patient visits, including photographs or any patient identifiers (name, date of service, diagnosis), to any personal social media platform. Friends and family members who are patients are still patients, and all HIPAA privacy standards apply. If patients want to take pictures of themselves getting an exam, they may do so on their own personal phones and post them on their own personal sites. Use of any such photo on a college social media page requires written patient consent.