Need to Know: Protecting Patient Healthcare Information (PHI)
n 1996 the Health Insurance Portability and Accountability Act (HIPAA) was developed to protect patient's rights and confidentiality. In the ever-increasing world of technology, it is important to ensure that only those who need to know to have access to patient information.
HIPAA Was Enacted to Cover Three Specific Areas:
- Insurance portability or the ability to move to another employer and be certain that insurance coverage will not be denied
- Fraud enforcement and accountability
- Administrative simplification - guidelines for communication with other providers, families, friends, and the media
The overall intent of this act is to make it easier for the consumer to obtain seamless care, irrespective of the number of different providers they see; while still protecting the confidentiality and privacy of the patient. HIPAA provisions include all employees, such as nurses, pharmacists, physicians, and administrative, clerical, food service, and environmental services staff. The adherence to HIPAA policies also applies to volunteers and any other person under the facility’s direct supervision (HIPAA Survival Guide, 2018).
To resolve the issue that some of the largest breaches reported to Human and Health Services (HHS) have involved business associates, changes were made to the HIPAA law in 2013 to expand the HIPAA requirements to business associates such as contractors, outside laboratory or imaging services, baby photographers, and computer technicians among others (HHS, 2015).
Additionally, The 2013 Changes Include:
- HIPAA guarantees patients’ rights to inspect their own medical records, correct errors, inquire who has access to their records, and seek penalties if their medical information has been used inappropriately.
- Patients may also request an electronic copy of their medical record, and they have the right to state that their provider does not share information about their treatment if they pay cash for that treatment (HHS, 2015a).
So, what is PHI? PHI is any personal information transmitted and/or maintained in any form, including prescription records, billing information, patient profiles, and oral communications on the phone or during counseling. It is important to know that this information is protected in any form, be it written, electronic or verbal.
All patients must receive a copy of the Notice of Privacy Practices. The organization must also make a good faith effort to obtain a written acknowledgment that the patient received the Privacy Notice.
When Can PHI be Disclosed under HIPAA?
- Treatment of the patient (e.g. consulting with other healthcare providers on diagnosis and treatment)
- Obtaining payment from the patient’s health plan
- Operational requirements (e.g. quality improvement activities or peer review)
- Complying with legally mandated reporting or disclosure
The patient must provide consent or further authorize any other release of information for any other purpose.
HIPAA demands and limits the use and disclosure of personal health information to a “minimum necessary” standard for any communications other than the purpose of treatment. This ensures that patient privacy will be protected by disclosing only the least amount of information necessary for another healthcare professional to perform their job. Thus, a Pharmacy Technician or Nursing Assistant (CNA) may need access to some information to allow them to fulfill their duties, but do not need access to full medical records.
For more information regarding what HIPAA means to you as a healthcare professional, review the RN.com course: An Overview of HIPAA for Healthcare Professionals.
HIPAA Survival Guide (2018). HITECH Act Summary.
U.S. Department of Health and Human Services (HHS). (2015). HIPAA - General Information.
U.S. Department of Health and Human Services (2015a). Where can I find information about HIPAA, health information privacy or security rules? Guidance Materials for Consumer.