Frequently Asked Questions PHI - Protected Health


HIPAA Frequently Asked Questions
PHI - Protected Health Information
UNIVERSITY OF MICHIGAN HEALTH SYSTEM
Updated 09/23/2013

Q: Is PHI the same as the medical record?

A: No. HIPAA protects more than the official medical record. Lots of other information besides the official medical record is considered PHI (e.g., billing records, etc.). For example, the fact that a person is a patient here at UMHS is considered PHI. Thus, it would be a HIPAA violation to tell a friend or family member that a mutual friend or neighbor was admitted to UMHS, unless the patient gave authorization to do so.

Q: What if I’m accidentally overheard discussing a patient’s PHI record?

A: This is usually considered an incidental disclosure. It is not a HIPAA violation as long as you take reasonable precautions and discuss the protected health information for a legitimate purpose. The HIPAA privacy rule is not meant to prevent health care team members from communicating with each other and their patients during the course of treatment. These "incidental disclosures" are allowed under HIPAA.

Q: If I overhear patient care information in the elevator or in the hallway, how should I handle it?

A: There are signs in the elevators stating that patient information should not be discussed. Point to the sign and remind the speakers of the policy. If the conversation clearly violates policies or regulations, report it to the UMHS Compliance Office, and if possible, obtain the name(s) of the speakers so education can be provided.

General Access

Q: I work in the hospital and don't need to access PHI for my job, but every now and then a patient’s family member asks me about a patient. What should I do?

A: Explain that you do not have access to that information, and refer the individual to the patient’s health care provider.

Category 1 Disclosures

Q: What should I do if a government agency or law enforcement person requests information about a patient?

A: If working with law enforcement is not part of your responsibility, contact your supervisor or the Health System Legal Office (HSLO) at 764-2178, or reach the attorney on call through the hospital operator. Those who do work directly with law enforcement receive special training on the special rules about disclosing patient information to law enforcement authorities. The HIPAA privacy rules are very specific in this area.

Category 2 Disclosures

Q: As part of my job, I have access to a patient’s PHI. How do I know which family and friends can be told this information?

A: Always ask the patient who can receive this information and document the patient’s response in the medical record. The best way to do this is to have the patient complete the UMHS Family & Friends List Form: one for outpatient and one for each inpatient admission. Check with your supervisor. In cases where you cannot ask (e.g., patient is not present or is unconscious) and there is no other documentation in the medical record, use your professional judgment.

Q: When I am speaking to a patient, and friends or family members are in the treatment room, do I assume the patient has given me permission to speak of the PHI in front of these persons or do I need to ask them to

A: Do not assume it is okay to speak in front of the other people. Ask the patient if it is okay to discuss their PHI in front of the person(s). If highly sensitive information needs to be discussed (HIV status for example), then ask the person(s) to leave the room before beginning any discussion about the highly sensitive information.

Q: If the patient is not conscious, to whom can we disclose the PHI?

A: You will have to decide this on a case-by-case basis. If you know the patient's preferences, as in “you can tell my spouse, but not my sister,” then document the request and follow it. Otherwise, use your professional judgment. Always use the Minimum Necessary standard: disclose only information that is directly relevant to the person's involvement with the patient's health care. Once a patient has regained consciousness, he or she will determine when and how we can share protected information.

Q: Can someone else still pick up a patient's prescriptions, x-rays, or

A: Yes, if in the care provider's professional judgment it is okay to give the prescription, x-rays or medical supplies to that individual.

Verification - Requests for PHI by Phone

Q: What if I get a phone call looking for information, and the caller says it’s the patient? What should I do?

A: If the request is made by phone, and the requester identifies him- or herself as the patient, you can ask him or her to provide personal information for verification, such as his or her UMHS medical record number, birth date, or address.

Q: What about requests to leave information on voice mail or an answering machine?

A: If you are asked to phone or leave confidential information via voice mail, for example, you should verify with the patient or other approved individual that it is okay to leave messages this way. Make sure you confirm the number, and only leave the minimum necessary information. Your unit may have more restrictive policies, so check with your supervisor on what is appropriate.

Q: What if I’m not supposed to leave a message?

A: If you are asked not to leave voice messages, do not. This is especially important with patients who may not want to share PHI with family members, roommates, or co-workers. Also, at UMHS, encourage the patient to sign up for the patient portal (MyChart), which is a good way to communicate confidentially with the patient about upcoming appointment reminders, test results, etc.

Q: How much information is it OK to leave?

A: Always leave the minimum possible amount of information. For example:

“This is the University of Michigan calling to remind you of your appointment on Wednesday, January 8. If you have questions or need to change your appointment, call XXX-XXXX.”

Notice: No information is included about where the appointment is or who the appointment is with.

Verification - Requests for PHI by E-mail

Q: What if a patient requests that I communicate with him or her via email?

A: If your unit has specific policies regarding e-mail requests, follow them. Otherwise, here are some things you can do:

1. Make sure that patients understand that e-mail is not secure and there is a risk that a 3rd party could obtain the information in the transmission.
2. At UMHS, encourage the patient to sign up for and use the patient portal (MyChart), which is a secure way to communicate with providers.
3. Inform the patient to not use e-mail for time-sensitive matters, as you may be out of the office or busy taking care of other patients.
4. Do not initiate e-mail with patients without first getting their permission, and only use the e-mail address they provide, unless they notify you of a change.

5. If you receive any request via e-mail, don’t assume the sender is the person he or she claims to be, especially if the request is unexpected. If you have not previously verified an e-mail address with the patient, contact either the patient to verify the sender’s identity and e-mail address, or contact the person making the request by another method for verification of the e-mail address. If in doubt, talk to your supervisor. In general, be careful about sending PHI in response to e-mails because of the difficulty in identifying senders accurately.
6. Minimize the amount of information disclosed in an e-mail communication with a patient.

Verification - Requests for PHI by Fax

Q: What do I do if I receive a request for PHI by fax?

A: Most often, faxed requests for PHI will come from other health care providers or payers, like billing agencies or insurance companies, although patients may occasionally ask to have information faxed to them. Check with your supervisor about your unit’s procedures for sending PHI via fax.

Note: HIPAA violations easily occur through mis-dialing of fax numbers.

Verification - Requests for PHI by Pager

Q: What if I receive PHI on my pager?

A: When communicating via pagers, send only the minimum amount of information necessary, and delete received messages once you no longer need them.

Staff Access

Q: I have students and/or temporary staff people who will only be here a short time. They need computer access to do their work. Can I give them my password or log them in as me?

A: No. It is against policy to allow any staff, including temporary staff, to use another employee's login and/or password for computer access. If you allow someone to use your access, you will be held responsible for what they do. Your department's authorized signer can make the request for new accounts.

Security

Q: What’s the first thing to do to protect PHI on a laptop or other portable device such as a tablet?

A: If a portable device is appropriately encrypted, and it is lost or stolen, the information on the device cannot be accessed without an encryption key (another password). Encryption is the best and safest way to secure and protect PHI/ePHI. At UMHS, contact Medical Center Information Technology (MCIT) for assistance with encryption.

Disposal

Q: How do I dispose of PHI?

A: Papers containing PHI either need to be shredded or disposed of in designated confidential recycling receptacles, such as the locked blue bins in many Health System facilities, and not in the regular trash. Thumb/flash drives, CD-ROMs, computer hard drives and memory cards (e.g., on fax machines and copiers) must be physically destroyed or “electronically shredded”. Contact your IT Support for assistance.

