Other HIPAA Do’s and Don’ts

Do:

  • Once the information has been recorded in the EHR, always dispose of any documents containing PHI in the shred bins located in each consult room. This includes health history forms, visual field printouts, handwritten notes, printed patient schedules, etc.
  • Report any suspected HIPAA violations to HIPAA Privacy Officer Cathy Beatty or HIPAA Security Officer Geoff Wiggins and include the following:
    • Who: persons involved (reporting person, witnesses, person affected) and their contact information
    • What: patient information revealed outside of normal job duties and scope of assigned care (anyone not involved in a patient’s care should not access their information)
    • Where: location – room, software program, social media, personal storage device, paper, verbal conversation
    • When: date and time of incident
    • Method: how the information was accessed or disclosed

Don’t:

  • Never use a personal mobile device such as a cell phone, camera, etc. to capture or transmit any PHI during a patient visit. Strict technical safeguards (encryption, tracking, data recovery) must be in place on any device that handles electronic PHI, and personal devices do not meet them. Therefore, personal electronic devices are prohibited from containing any PHI.
  • Do not post any PHI, including photographs or any patient identifiers (name, date of service, diagnosis) pertaining to patient visits, to any personal social media platform. Friends and family members who are seen as patients are still patients, and all HIPAA privacy standards apply. If patients want to take pictures of themselves getting an exam, they may do so on their own personal phones and may post them on their own personal sites. Use of any such photo on a college social media page requires written patient consent.