Do you know how to safeguard protected health information?

Recent breaches have renewed focus on preventing patients’ private health information from getting into the wrong hands.

This past year Asante has had incidents where individuals, who are not the patient or related to a patient, called to request information on one of Asante’s patients. In one instance the caller was impersonating a health care worker; in another, the person was impersonating the patient.

One of these individuals was successful in getting an employee to disclose protected health information inappropriately.

As a result, Asante is required to train our workforce on appropriate safeguards for protecting protected health information, or PHI. While Asante has a variety of policies to address protecting PHI, this re-education serves as a reminder to all employees.

Reasonable safeguards for PHI are precautions that a prudent person must take to prevent an inappropriate disclosure of protected health information. Safeguards must be applied when working with PHI in all forms — verbal, paper and electronic — to prevent unauthorized uses or disclosures of PHI.

Tips for safeguarding PHI: verbal disclosures

Apply reasonable safeguards when verbally discussing PHI. When you work with a patient, first determine who is with the patient before discussing PHI. Second, do not assume the patient permits disclosure of their PHI just because family or a friend is in the room with them. Ask who is with the patient and if the patient permits disclosure. Finally, you may ask the person to leave the room, providing the patient an opportunity to object.

There are certain verbal disclosures that are not permitted without the patient’s permission (e.g., others involved in health care or valid authorization). One example is disclosures to employers. Asante may not disclose PHI to a patient’s employer without the patient’s permission or authorization.

Policies to review:

  • HIPAA Patient PIN Number, 400-IS-CMP-0210, primarily applies to inpatients. Callers who have a patient’s PIN can receive additional information beyond normal one-word condition (unless the patient is No-Pub/Private Encounter).
  • Others Involved in Healthcare Form, 400-IS-CMP-0005, allows staff to discuss health information (verbally) with friends and family or leave care-related messages for outpatient and administrative purposes.
  • Do Not Publish, 400-PT-ACCESS-0004, gives patients the right to opt out of the directory. Asante may not disclose information for patients who are marked No-Pub/Private Encounter.

Tips for safeguarding PHI: paper

Reasonable safeguards must be applied when handling paper products with PHI to prevent inappropriate disclosures. Staff must dispose of all paper products that have PHI in a shred bin once they are no longer being used. Workforce must make every effort to give patients their correct documentation. Each page should be checked before giving or sending PHI to the patient.

Policies to review:

  • Disposal of Sensitive Information, 400-IS-CMP-0052, describes what material should be shredded and how the shred bins are to be kept secure.

Tips for safeguarding PHI: electronic

Staff members must password-protect computers and use only the computer accounts to which they are assigned.  Workforce must consider the use of encryption when sending email or texts that contain PHI.

Policies to review:

  • Information Privacy & Security, 400-IS-CMP-0002, defines the responsibility of all Asante staff members to use only their authorized unique system logins and password. Email encryption instructions can be found here or on myAsanteNET.

Following these safeguards to protect PHI help prevent patient privacy and policy violations. For questions, comments or concerns, please email the Asante Privacy Program at pr*****@as****.org.

Tags: compliance, electronic, HIPAA, print, privacy, protect, protected health information, verbal
Cheney Family Place is taking guests again
For healers who may need healing

If you have a question, please contact the author or relevant department directly.

2 Comments. Leave new

  • It would be nice if there were a link to the “others involved in healthcare” form like the links for care everywhere and my-chart so that it would be easier and quicker to access when patient family members call in. Perhaps it could be programmed to auto populate the link when the completed form is scanned into the documents tab. Currently the only way for my department to quickly access this form is to go to the appt desk, go to patient options, scroll down to registration, and then go to documents in the left side bar and click on the link for the form. I work in the imaging department and we work mainly in Ancillary Orders to schedule patients so a quick link would be an amazing time saver for those of us who have constant contact with patient families to avoid having to make them wait while we go through that process to access the form.

    • Carla, that is excellent idea. I would recommend getting with your department’s Epic Key User and submit an Epic Enhancement request via MyTech.


Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed


Popular related content