DOCTOR WILSON: Thanks, ladies, for coming and speaking with me today, I appreciate that. We do have a couple of things that we do need to discuss. Um. I received a call from a patient stating that they overheard you talking about another patient’s health information.
MARY: I am so sorry. I didn’t think we could be heard. Sorry.
DOCTOR WILSON: And that’s understandable. Through the course of our day, we’re trying to get things done, and we’re trying to relay information. We just need to make sure that we follow our policies and procedures, and that we have those conversations in a private place so that other patients cannot hear us. Another thing that I wanted to mention is, Mary, I received an SMS text from you regarding the patient that you were going to reach out to, and her diagnosis, and it was great to receive that, to be notified that you were reaching out to that patient. But it should have been through our secure texting app, because it still is considered patient privacy.
MARY: Yeah, I mistakenly sent it by SMS because I was in a rush, so I didn’t use the secure app.
DOCTOR WILSON: And hopefully there wasn’t any harm done this time at all. But it is something that I’m going to have to speak to our privacy officer about. I know some days it’s just going to be very hard to take out a moment to walk into another room where patients can’t hear you. But we need to make sure that we start practicing those steps to make sure that we’re keeping our patients’ information safe.
PRIVACY OFFICER JENNY: Hi, Doctor Wilson!
DOCTOR WILSON: Hey, Jenny!
PRIVACY OFFICER JENNY: Have a seat!
DOCTOR WILSON: Thank you! I wanted to talk to you, because we’ve had a couple of incidents and I wanted to make sure that our policies and procedures were in place and that we’ve had our updated HIPAA training.
PRIVACY OFFICER JENNY: Oh, of course. Let me look for the book of evidence, which has our policies and procedures, to make sure that we are HIPAA compliant.
DOCTOR WILSON: Thank you, I appreciate that. Can you let me know as soon as you find that out?
PRIVACY OFFICER JENNY: I sure can!
DOCTOR WILSON: Thank you.
ROB: In this scene, the office manager and nurse violated HIPAA compliance laws by speaking about another patient’s health diagnosis in front of other patients. They also sent an unsecured text to the doctor. Now let’s talk about what PHI is, and how to handle it properly. Any information that is individual to your patient, past, present or future, about the care provided, the physical health and mental health of an individual is PHI. This includes documentation of doctor’s visits, charts, and notes made by physicians or other provider staff. It also includes health care payments, claim status and coordination of health care benefits. HIPAA covers all forms of PHI, including electronic, paper or oral formats. Some people forget that PHI is covered under spoken word. Be mindful when disclosing healthcare information to patients and business associates. Think of PHI as classified information. You have the clearance to see it, and your responsibility is to keep it from falling into the wrong hands at all times. Can PHI be disclosed for public health activities? Yes. But it’s limited to the CDC, public health authorities at a state or federal level, and OSHA. OSHA can request information without authorization or the need for a Business Associate Agreement. Covered entities must reasonably limit PHI to the minimum amount necessary. Only give what you need to provide and nothing more. Remember, less is more when it comes to personal health information. Here are some examples of when the government or OSHA can request PHI. In the event of a natural disaster or state of emergency, the Federal Government or OSHA can request PHI to determine demographics of the affected area. Why is this? The reason is so they can mobilize the National Guard, first responders, or military personnel to assist in the affected area.
If you are contacted by someone from the government, ensure they are legitimate employees. Request a phone number and email address and ask them for a written request.
In this lesson, we'll be going into some detail on what PHI is. At the end of the lesson, we'll dig into when PHI really isn't PHI, or in other words, exceptions to PHI.
In a nutshell, PHI (protected health information) is any information that is individual to a patient – past, present, or future – about the care provided to that person or about that person's physical or mental health. This can include documentation of doctor visits, charts and notes made by physicians and other healthcare staff, healthcare payment information, claim status, and the coordination of healthcare benefits.
Pro Tip #1: It's worth noting that HIPAA covers all forms of PHI, including electronic, paper, and even oral/spoken. Many people forget that PHI is also covered under spoken word. Be especially mindful when discussing healthcare-related information within earshot of anyone who has no need to hear it – other patients, staff, and business associates included.
You may recall from the corresponding video for this lesson that one patient overheard two healthcare employees talking about another patient's health information. When in doubt, always assume that someone might be listening. And do everything you can to make sure private conversations take place in private locations.
Think of PHI the way you would classified information. You have been given clearance to see it. But it's your responsibility to keep it safe and from falling into the wrong hands at all times.
Under the HIPAA rules, PHI is any individually identifiable health information that is created, received, used, maintained, stored, or transmitted by a covered entity or its business associates.
As mentioned above, PHI is health information in any form, including physical records, electronic records, or spoken information. This means that PHI includes health records, health histories, lab test results, and medical bills.
Pro Tip #2: The key point to remember is that, to be considered PHI, health information must be linked to individual identifiers, such as patient names, social security numbers, driver's license numbers, insurance details, and birth dates. Demographic information linked to health information can also be PHI under the HIPAA rules.
There are in total 18 identifiers for PHI and these include the following:
Can PHI be disclosed for public health activities? The short answer is yes. However, it's limited to the CDC (Centers for Disease Control and Prevention), public health authorities – federal or state – and OSHA. OSHA can request such information without patient authorization and without signing a business associate agreement.
Pro Tip #3: One caveat to remember, though, is that the minimum necessary standard still applies: covered entities must make reasonable efforts to limit the PHI disclosed in these circumstances to what is needed to satisfy the request, and nothing more. Remember, less is more when it comes to sharing personal health information.
So why would the government or OSHA request PHI? The example from the video is a natural disaster or a state of emergency, where an agency needs the demographics of the affected area in order to mobilize the National Guard, first responders, or military personnel to aid in the emergency.
It's important to remember that if you are contacted by someone claiming to be from the government about sharing PHI, you must verify that they are who they say they are. Request a phone number and email address, ask for the request in writing, and check those contact details against the agency's published contact information rather than relying only on what the caller gives you.
You may be tempted to think that all health information is PHI under HIPAA, but that isn't true; there are some exceptions.
One determining factor is who records the information. A good example of this is health trackers, such as wearable devices or apps on mobile phones. These can record health information such as heart rate or blood pressure, which would be PHI under the HIPAA rules only if it was recorded by a healthcare provider or used by a health plan.
This is because HIPAA applies only to covered entities and their business associates. If the device manufacturer or app developer has not been contracted by a HIPAA covered entity and is not a business associate, the information the device records is not PHI under the HIPAA rules. The same readings do become PHI once a covered entity receives them, for example when a provider imports them into the patient's chart.
Education records and employment records are likewise excluded. Let's say a hospital holds data on its employees, which can include some health information like allergies or blood types. Because the hospital holds that information in its role as an employer rather than as a healthcare provider, the HIPAA rules do not apply to it.
Also, it's important to remember that under HIPAA, PHI ceases to be PHI once it has been stripped of all of the identifiers listed above that could tie the information to an individual, and the covered entity has no actual knowledge that the remaining information could still identify the person. Once those identifiers are removed, the health information is referred to as de-identified health information, and the HIPAA rules no longer apply to it.
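One way to implement the identifier-stripping described above, as an added example that is not part of the original page. It goes a little beyond the paragraph: besides dropping direct-identifier fields it applies the Safe Harbor rules of 45 CFR 164.514(b)(2) that the page does not spell out (dates reduced to the year, ages over 89 collapsed to "90+", ZIP codes truncated to three digits and low-population prefixes set to "000"), and it scrubs identifier-shaped strings out of free-text notes, which a field-level strip alone would miss. The record field names, the sample record and the SMALL_POP_ZIP3 set are constructed for the example; the authoritative low-population ZIP list is derived from Census data.

```python
"""Safe Harbor de-identification of a flat patient record (added example).

Field names, the sample record and SMALL_POP_ZIP3 are constructed for
illustration. The rules applied follow 45 CFR 164.514(b)(2): remove the 18
identifier categories, keep only the year of dates, collapse ages over 89,
and truncate ZIP codes to three digits ("000" for low-population prefixes).
"""
import re
from datetime import date

# Record fields (constructed names) holding direct identifiers that are removed
# entirely: names; geography below state level; phone, fax, email; SSN, MRN,
# plan/account/licence numbers; vehicle and device serials; URLs; IP addresses;
# biometrics; full-face photos; any other unique identifying code.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_plate", "device_serial", "url", "ip_address", "fingerprint",
    "photo", "other_unique_id",
}

# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes covering 20,000 people or fewer must become "000".
# Constructed stand-in; the real list comes from Census population data.
SMALL_POP_ZIP3 = {"036", "059", "102", "203", "556", "692", "790", "821", "823"}

# Identifier-shaped substrings that leak through free-text fields such as notes.
FREE_TEXT_PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]


def zip3(zip_code: str) -> str:
    """First three digits of a ZIP code, or '000' if the prefix is in the
    low-population set or the value is malformed."""
    prefix = re.sub(r"\D", "", str(zip_code))[:3]
    if len(prefix) < 3 or prefix in SMALL_POP_ZIP3:
        return "000"
    return prefix


def age_on(dob_iso: str, as_of_iso: str) -> int:
    """Whole years between an ISO date of birth and the ISO date as_of."""
    dob, as_of = date.fromisoformat(dob_iso), date.fromisoformat(as_of_iso)
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def scrub_free_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with placeholders."""
    for pattern, placeholder in FREE_TEXT_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


def deidentify(record: dict, as_of_iso: str) -> dict:
    """Return a Safe Harbor de-identified copy of record.

    as_of_iso is the date used to compute age from the date of birth; it is a
    parameter rather than date.today() so that results are reproducible.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                  # dropped outright
        if key == "zip":
            out["zip3"] = zip3(value)                 # geography: ZIP3 only
        elif key in DATE_FIELDS:
            out[key + "_year"] = str(value)[:4]       # dates: year only
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)         # notes, diagnosis text
        else:
            out[key] = value

    # Ages over 89, and any date element (including the year of birth) that
    # would reveal such an age, collapse into the single category "90+".
    if "dob" in record:
        age = age_on(record["dob"], as_of_iso)
        if age > 89:
            out["age"] = "90+"
            out.pop("dob_year", None)
        else:
            out["age"] = age
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0042",
    "ssn": "123-45-6789",
    "email": "jane.example@example.com",
    "dob": "1931-06-15",
    "admit_date": "2024-03-02",
    "zip": "02139",
    "state": "MA",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Pt called from 617-555-0100 re: labs drawn 2024-03-01.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, as_of_iso="2024-06-01"))
```

The free-text scrub is deliberately conservative: it only catches patterns it knows about, so a reviewer still has to read the notes field for names or other unique details before treating the output as de-identified, which is the "no actual knowledge" condition in the paragraph above.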