HIPAA Do’s and Don’ts

Do

Once the information has been recorded in the EHR, always dispose of any documents containing PHI in the shred bins located in each consult room. This includes health history forms, visual field printouts, handwritten notes, printed patient schedules, etc.

Report any suspected HIPAA violations to HIPAA Privacy Officer Matt Jewett or HIPAA Security Officer Alex Vu and include the following:

Who: Persons involved including reporting person, witnesses, person affected and contact information
What: Patient information revealed to someone outside of normal job duties and scope of assigned care
Where: Location – room, software program, social media, personal storage device, paper, verbal conversation
When: Date and time of incident
Method: How information was accessed

Don’t

Never use a personal mobile device such as a cell phone, camera, etc. to capture or transmit any PHI through the course of a patient visit. There are strict technical safeguards (encryption, tracking, data recovery) that must be in place to manage any electronic PHI. Therefore, personal electronic devices are prohibited from containing any PHI.

Do not post any PHI, including photographs pertaining to patient visits, to any form of social media. Friends and family members who are patients are still patients and carry all the same privacy standards. If a patient wants to take a picture of themselves getting an exam, they may do so on their own personal phone and post it on their own personal site. Use of any such photo on a college social media page would require written patient consent.