Introduction

The HIPAA Steering Committee wants to keep you informed about the rules and regulations necessary to protect the safety and privacy of our patients.

Congratulations! The college achieved a perfect compliance rating by having 100% of college personnel successfully complete the university training on HIPAA Privacy & Security and Institutional Data Policy. In this issue of the newsletter, the college HIPAA Steering Committee introduces further details of our unit-specific privacy policies. Three of these policies are highlighted below, but full details of all privacy policies can be found at: I:\CLINIC\HIPAA\HIPAA Privacy Procedures

Communication with a patient’s family, friends, or others involved in the patient’s care

  • When a patient is present and has the capacity to make health care decisions, a health care provider may discuss the patient’s protected health information with a family member, friend, or other person if the patient agrees or, when given the opportunity, does not object. This communication may take place in the following forms:
    • Face-to-face
    • Over the phone
    • In writing
  • The health care provider may share or discuss only the information that the person involved needs to know about the patient’s care or payment for care
  • If the patient is not present or is incapacitated, a health care provider may share the patient’s information as long as the health care provider determines that it is in the best interest of the patient. This communication may take place in the following forms:
    • Face-to-face
    • Over the phone
    • In writing
  • Documentation of the patient’s agreement or lack of objection is not required
  • Proof of identity is not required if a patient’s family, friends, or others involved in the patient’s care or payment calls the health care provider or entity.

FAQs

Q: May I share a patient’s PHI with the patient’s girlfriend/boyfriend?

A: Always seek permission first from the patient, either verbal or written. Only those who have medical power of attorney or custody of the patient, are their caregiver, or are providing payment may receive communications of PHI.

Q: How much PHI may be shared with friends, family, and others involved in the patient’s care if they meet the exceptions described?

A: Minimum necessary to accomplish the intended purpose.

Disclosure of protected health information over the telephone

Minimum Necessary Communication

  • Staff should attempt to limit PHI communicated over the telephone.
  • Calls/texts should be concise and limited, following the Minimum Necessary Rule (see Minimum Necessary Operating Standard Policy).
  • Calls can only be made for the purposes described above.

Requests From or Disclosures to a Caller Stating he/she is a Patient

  • If a caller states he/she is a patient and is requesting PHI about himself/herself, the employee will only provide the PHI when they have confirmed the caller is the patient.
    • The employee will, prior to disclosing PHI, ask specific questions that could only be answered by the patient. For example, the patient’s date of birth, address, and their last appointment.
    • If the employee knows the patient and the patient’s voice, and recognizes the voice on the telephone as being that of the patient, the verification is not required.
    • The employee may elect to place a return call to the patient using the telephone number documented in the patient’s file rather than immediately disclosing the patient’s PHI to a caller initiating the telephone conversation.

Exceptions to Communicating by Telephone

  • If the caller states he/she is a friend, relative, or acquaintance of the patient, or if the caller is unrelated to the patient (e.g., the patient’s employer, a disinterested third party, a policeman, a reporter, etc.) the employee will not disclose PHI without the patient’s permission.

Calls to a Patient’s Home

  • Employees at OSUCOO may not leave messages regarding treatments, diagnostic or testing information on a patient’s answering machine. Individuals leaving appointment reminders may only provide the name of the provider, the office phone number or the location.
  • In an emergency, all efforts should be used to contact a patient and provide important treatment information.

Documenting Disclosures Made Over the Telephone

  • If PHI is disclosed to a caller, the employee will document the disclosure. The disclosure should be documented in the medical record or can be maintained in a separate disclosure log.
    • Disclosure of a patient’s PHI to the patient or pursuant to the patient’s authorization need not be documented.
    • Documentation of any disclosures of PHI made over the telephone will be maintained for a minimum of six (6) years and may be stored in the patient’s file or a disclosures log. If the documentation of disclosures made is stored in the patient’s file, it would not be considered part of the patient’s file, and would not be provided as part of the patient’s medical record.

Consent to Communicate by Telephone

  • Patients should be offered the opportunity to opt either in or out of future communications.
    • This should be documented in the patient’s account.

FAQs

Q: Should faculty, staff, or students leave messages regarding test results on a patient’s voicemail?

A: No. Messages regarding patient care should not be left on a voicemail unless permission has been given by the patient. The message should only be “Please call the College of Optometry at……”

Anonymous Reporting Line

We have always highlighted Cathy Beatty, our HIPAA Privacy Officer, and Geoff Wiggins, our HIPAA Security Officer, as your onsite resources to report any concerns relative to a potential breach of HIPAA compliance. The university also has a resource allowing anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of OSU policies, including those that may relate to HIPAA. Call 1-866-294-9350 or click https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous system.