Do you know how to safeguard protected health information?
This past year Asante has had incidents where individuals, who are not the patient or related to a patient, called to request information on one of Asante’s patients. In one instance the caller was impersonating a health care worker; in another, the person was impersonating the patient.
One of these individuals was successful in getting an employee to disclose protected health information inappropriately.
As a result, Asante is required to train our workforce on appropriate safeguards for protecting protected health information, or PHI. While Asante has a variety of policies to address protecting PHI, this re-education serves as a reminder to all employees.
Reasonable safeguards for PHI are precautions that a prudent person must take to prevent an inappropriate disclosure of protected health information. Safeguards must be applied when working with PHI in all forms — verbal, paper and electronic — to prevent unauthorized uses or disclosures of PHI.
Tips for safeguarding PHI: verbal disclosures
Apply reasonable safeguards when verbally discussing PHI. When you work with a patient, first determine who is with the patient before discussing PHI. Second, do not assume the patient permits disclosure of their PHI just because family or a friend is in the room with them. Ask who is with the patient and if the patient permits disclosure. Finally, you may ask the person to leave the room, providing the patient an opportunity to object.
There are certain verbal disclosures that are not permitted without the patient’s permission (e.g., others involved in health care or valid authorization). One example is disclosures to employers. Asante may not disclose PHI to a patient’s employer without the patient’s permission or authorization.
Policies to review:
- HIPAA Patient PIN Number, 400-IS-CMP-0210, primarily applies to inpatients. Callers who have a patient’s PIN can receive additional information beyond normal one-word condition (unless the patient is No-Pub/Private Encounter).
- Others Involved in Healthcare Form, 400-IS-CMP-0005, allows staff to discuss health information (verbally) with friends and family or leave care-related messages for outpatient and administrative purposes.
- Do Not Publish, 400-PT-ACCESS-0004, gives patients the right to opt out of the directory. Asante may not disclose information for patients who are marked No-Pub/Private Encounter.
Tips for safeguarding PHI: paper
Reasonable safeguards must be applied when handling paper products with PHI to prevent inappropriate disclosures. Staff must dispose of all paper products that have PHI in a shred bin once they are no longer being used. Workforce must make every effort to give patients their correct documentation. Each page should be checked before giving or sending PHI to the patient.
Policies to review:
- Disposal of Sensitive Information, 400-IS-CMP-0052, describes what material should be shredded and how the shred bins are to be kept secure.
Tips for safeguarding PHI: electronic
Staff members must password-protect computers and use only the computer accounts to which they are assigned. Workforce must consider the use of encryption when sending email or texts that contain PHI.
Policies to review:
- Information Privacy & Security, 400-IS-CMP-0002, defines the responsibility of all Asante staff members to use only their authorized unique system logins and password. Email encryption instructions can be found here or on myAsanteNET.
Following these safeguards to protect PHI help prevent patient privacy and policy violations. For questions, comments or concerns, please email the Asante Privacy Program at [email protected].
If you need answers for a personal work matter, please contact the author or department directly instead of leaving a comment.