Many physicians and healthcare practitioners, do not understand the HIPAA law. The key is understanding what is PHI or Protected Health Information. PHI is any payment or medical record that makes the person in question identifiable. Any identifying data, name or email address qualifies. Your patient may request a copy of their records, paper or EMR format. It generally must be provided within 30 days. A patient’s PHI may be shared with other currently treating health care providers.

I have seen way too many violations. Patient paper charts may not be kept unlocked in treatment room closets! EMR patient records should not be left on a monitor in a treatment room for anyone to see. The screen should be closed after each health care provider’s use. The computer access should be individually password protected by health care provider. PHI should only be accessed on a need to know basis.

All of you most likely use third party vendors that require you to use patient names for various reasons; lab tests, radiology, orthotics, billing. You MUST have a signed Business Associate Agreement with each of these parties as they are handling PHI. They must treat it in the same way you do. Joe Jones, who works at the lab, cannot share with Mary Smith that a particular patient had an HIV test or any other PHI.

The details of HIPAA are important, and this column can easily become a chapter or book in and of itself. A good rule of thumb is disclosing nothing that you would not want disclosed about yourself. Make sure your staff knows that too. They will need training. Until next time.

Yours,
Larry Kobak, Esq., DPM