Office of Compliance Programs
Protecting PHI for Clinical Staff and Students
Revised: July 10, 2018
Introduction
HIPAA requires that LSUHSC-NO "have in place appropriate
administrative, technical, and physical safeguards to protect the
privacy of protected health information." {45 CFR 164.530(c)(1)}
The HIPAA Privacy Rule
A covered entity (e.g. LSUHSC-NO and its faculty, staff and
students) may not use or disclose protected health information
(PHI) about a patient without that patient's written authorization unless the use or disclosure falls under
one of the exceptions.
What is PHI?
PHI consists of two parts:
- Information that personally identifies the patient (e.g.
name, SSN, MRN, DOB, Date of Service, genetic information, etc.)
- Any information, including genetic information, whether oral or
recorded in any form or medium, that:
- Is created or received by a health care provider, health plan,
public health authority, employer, life insurer, school or university,
or health care clearinghouse; and
- Relates to the past, present, or future physical or mental
health or condition of an individual; the provision of health care to
an individual; or the past, present, or future payment for the
provision of health care to an individual.
What Form Does PHI Take?
PHI can be in any format, including but not limited to:
- Verbal (e.g. conversations, recordings, etc.)
- Written (e.g. computer printouts, handwritten or typed notes,
filled out
forms, photographs, etc.)
- Electronic (e.g. EHRs, spreadsheets, databases, digital images,
online forms, etc.)
Where Can PHI Be Found?
Depending on the format, PHI can be found in:
- Electronic Health Records
- File cabinets
- Desks (e.g. papers, desktop computers, etc.)
- Hallways, waiting rooms, elevators (e.g. conversations with
others or on the phone, notes dictated for transcription, etc,)
- Spreadsheets, Word documents, PDFs, databases, etc.
- Pockets (e.g. Notebooks, smart-phones, flash drives)
- Mobile devices (e.g. laptops, tablets, USB portable hard drives,
etc.)
- Network file servers
- Printers, copiers, fax machines
Protecting PHI
We have an obligation to protect the privacy of LSUHSC-NO patients.
Simple acts can have serious consequences. What are some of the ways to
help insure PHI is protected?
Do you REALLY need to use PHI?
While using and disclosing PHI is essential for treating patients,
there are many tasks that can be accomplished without using PHI. For
example, the statement, "Mr. Carbuncle is ready to have his boils
lanced," contains PHI. However, the statement "Mr. Carbuncle is ready
for you in Room 3," does not.
Many times the use and disclosure of PHI can be reduced by simply
choosing to use and disclose health information OR use and disclose
identifiers, but not both. Most hospitals have banned using texts or
email to communicate PHI. When the identifiers are separated from the
health information, it is no longer PHI and can be sent safely.
In the example below, a resident has sent a text to an attending physician
regarding a patient's lesion. The photograph does not include the
patient's face or any unique identifying marks such as scars or
tattoos. The text does not include the patient's name or any other
identifiers. For that reason, the text does not contain PHI and is not
subject to HIPAA.
The resident then calls and discusses the case with the attending physican. He
can clarify any identifiers during the call.
Scenario 1
Dr. Capaldi, a second year resident, is working the evening shift at
Our Lady of Perpetual Sorrows Hospital. He is concerned about some lab
values on a recently admitted patient. He phones the attending on call,
Dr. Hartnell, to discuss his concerns but the list of lab values is too
long to relate over the phone. Dr. Hartnell instructs Dr. Capaldi to
text him the lab values. Our Lady of Perpetual Sorrows has a strict ban
on texting PHI so Dr. Capaldi takes a photograph of the lab values and
carefully crops out all the patient identifying information (name, MRN,
etc.). He then texts the picture to Dr. Hartnell. Afterwards, Dr.
Capaldi deletes the photograph from his phone. Has Dr.Capaldi
violated the hospital's ban on texting PHI?
Hover your mouse over or
tap your finger on the box below to see the right answer. (Tap on any
picture to make the answer
disappear.)
Yes
No
Redaction
Another method of separating identifiers and health information is redaction. Redaction is the process
of obscuring or removing information from a document or record. It is a
difficult and painstaking process to do correctly on existing documents
and records.
- ALL
instances of the information (e.g. name) and indirect references (e.g.
mother’s name) to the information must be identified and redacted.
- The redaction method must render the redacted information
unrecoverable.
In many cases, redaction is needed to prevent sensitive information
from being breached.
- Records request (from someone other than the patient)
- Legal discovery
- Research
- Publication
Physical Redaction
Physical redaction is applied to paper records and analog
recordings. Methods include:
- Excising (cutting) the printed or recorded information with a
knife or scissors.
- Erasing magnetically information from recordings.
- Obscuring information with a special redaction marker.
When excising, be sure to collect all the cuttings and ensure they
are destroyed by shredding or incinerating. When blacking out sections
of paper documents ensure that information has been completely obscured.
- Use a marker especially designed for redaction.
- Shine bright light on and through the paper to ensure that the
underlying information cannot be viewed.
- It may be necessary to blacken both sides of the paper or
photocopy the blackened page and substitute the photocopy to ensure the
underlying information cannot be viewed.
Digital redaction
Digital redaction is extremely difficult to perform correctly. Most
computer programs are designed to preserve information, not destroy it.
The majority of computer programs used for editing text do not have a
redaction function.
This requires the individual performing the digital redaction to
have an in-depth knowledge of information is stored in a computer.
Adobe Acrobat (not Acrobat Reader) version 9 and later has an effective
redaction function. It is a two step process:
- First, mark all the information in the document to be redacted.
- Tell the program to redact the information. The program will warn
you that the selected information is about to be destroyed and will
become unrecoverable. You will need to confirm that is what you want
before the information is actually redacted.
Digital Redaction Methods That DON’T WORK
- Highlight Function
- Using the highlight function and selecting the color black
produces a document that has the same appearance as a redacted document, however,
- The information underneath the “highlight” has not
been destroyed.
- To view the redacted information, simply select the whole
document and highlight it in yellow.
- Track Changes- Some people choose to simply delete information
from their documents and save the altered version. This is effective
unless the “Track Changes” function is turned ON. When Track Changes is
active. The deleted information is preserved and can be viewed, even
though it is redlined.
- Password protecting a document – Most methods for password
protecting a document are extremely weak and easily cracked. There are
many free utilities available for this purpose.
- A search for “free Adobe password remover” produces over a
million results.
- A search for “free Microsoft Office password cracker” produces
over eight (8) million results.
How to Check Digital Redaction
- Search the document for the redacted information. If the search
function can find it, it has not been redacted.
- Select all the information in the document and highlight in a
pastel color like yellow or light green. Does the redacted information
become readable?
- Copy the redacted information from the document and paste it as
plain text into a blank Word document. Does the redacted information
become readable?
- Ensure “Track Changes” is turned OFF.
REMEMBER
- In order for redaction to be effective, the redacted information
must be unrecoverable.
- ALL instances of identifiers in the document must be redacted for
the document. If one instance of an identifier (e.g. the patient’s
name, DOB, etc.) is missed, the document is considered identified
information.
- For digital documents, use the search function to identify all
instances of identifiers.
- For paper documents search the document from beginning to end and
then from end to beginning. Get help from co-workers and fellow
students in reviewing documents for identifiers.
When You Really Need to Use PHI
What about when it's not feasible to separate identifiers from
health information and you need to use and disclose PHI (which is most
of the time)? It is your responsibility to take reasonable precautions
to help insure that PHI remains confidential. What are some of the
precautions you can take?
Verbal
- Never discuss a health information with a patient when others are
present in the room unless you have cleared it with the patient
first. Discussing health information with a minor child and her/his
parents is an exception.
- When it is anticipated that you will be speaking with relatives
without the patient present (e.g. the patient is having surgery or other procedure),
discuss this with the patient beforehand and find out if the patient
has any concerns about her or his health information being shared with
loved ones.
- When discussing the patient's condition, whether it is a
discussion with relatives or colleagues, move out of earshot of others
and keep your voices low to avoid being overheard.
- Close exam room doors or pull curtains in patient rooms when
patients are being examined/treated.
- On the Phone
- If at all possible, do not to use patient identifiers when
discussing a case on the phone.
- Be aware of your surroundings when discussing patient
information on the phone:
- Check to see if anyone is within earshot
- Use a low tone of voice
- When leaving a voice-mail message, leave the minimum information
necessary. Someone other than the patient may listen to the messages.
- Do NOT leave any information about a patient’s diagnosis or
treatment on a voice mail.
- A message like, “Please call Dr. Smith’s office at your
earliest convenience.” is fine.
- A message like, “Please call the LSU Clinic,” is fine. (No
indication of diagnosis or treatment.)
- A message like, “This is Dr. Smith calling with the results
of your STD test.” is not acceptable.
- A message like “Please call the HemOnc clinic as soon as
possible.” is not acceptable. (Specialty clinics reveal information
about the patient’s diagnosis and treatment.)
Written
- Loose pieces of paper being transported from one place to another
should be secured in an envelope or folder to prevent them from
slipping out.
- Papers with PHI should not be left lying around in unsecured
areas.
- Papers with PHI should not be brought outside the hospital unless
they are being transported from one place of business to another in a
secure manner.
- Always dispose of paper PHI in the shred bin.
- If you use a shredder in your office, it must be cross cut
shredder that produces confetti, not long strips.
- Don't bring paper with PHI home.
- If you have documents with PHI in your work area, make sure that
they are placed face down or otherwise concealed when not in use.
- Make sure that any room that has medical records in it is always
attended by an employee. If there is not an employee with the records,
store the medical records in a locked room or cabinet.
- If medical records are transported from one location to another,
ensure that they are secured, cannot be dropped during the transport,
and are not left unattended in hallways, patient waiting areas, parking
garage of the hospital etc.
- Be aware that written PHI can show up in places other than paper.
For example, a view box with an x-ray can also show PHI since the
patient's name is usually noted on the x-ray.
- Be cautious of printed patient information, billing sheets, lab
reports, notebooks with handwritten notes, report sheets for notes
about patients, etc. These are items that are often left unattended in
areas that are accessible by patients. They are also items that are
often accidentally dropped and found by others.
- Faxes
- Verify that you have the correct information before you send
it.
- Verify that the fax number you are using is current and
correct.
- Always use a fax cover sheet.
- If it is a frequently used number, consider pre-programmed
numbers (once they are verified).
- Call to make sure the intended recipient received the fax.
- Only send the required information.
- Make sure to update pre-programmed numbers on a regular basis.
- Mailings
- Only send the minimum information necessary.
- Verify that the right information is being sent to the right
person.
- Information Handed Directly to the Patients
- Verify that you have the correct information going to the
correct recipient.
- Use two identifiers to ensure you have the right patient.
- Thumb through the papers being sent to make sure one patient's
information is not "stuck" to another
- PHI may be found on items such as arm bands, prescription
bottles, and IV bags. Make sure that none of these are discarded in the
regular trash. IV bags should have pull away labels that once torn from
the bag can be disposed of in the shred bin.
- Paper PHI should be disposed of in shred bins. A few points about
shred bins:
- Make sure that any shred bin that you use is locked.
- Keys should not be left in the shred bin.
- If the shred bin is so full that you can pull papers out of it,
immediately notify the department that is responsible for emptying the
shred bin.
- For those emptying the shred bin, make sure that any bags of
paper are in a secure, locked location while awaiting pick up from the
shredding company.
- When working with disposal companies, verify the identity of
the disposal company employee before turning over any PHI.
- REMEMBER: The paper in the shred bin has patient PHI, and is
just as important to secure as a patient's medical record.
Electronic
- Do not write your password down and place it around the computer
for others to use or discover.
- Do not share your password with others.
- Do not download patient information onto jump drives or personal
mobile devices that are not encrypted.
- Do not download patient information into folders that are not
secured by LSU HCSD/HSC-NO Information Technology staff.
- If you have a laptop, do not store patient information on it
unless it has been encrypted.
- Do not store PHI on personal laptops without expressed knowledge
and permission of the healthcare institution.
- If possible, face your computer monitor away from public viewing,
or use a privacy screen over the monitor.
- Do not leave screens open that contain patient information if you
are not actively working on the computer.
- Ideally, PHI should remain on LSUHSC servers and accessed through
Citrix or the VPN (remote.lsuhsc.edu).
- All electronic devices should be secured at all times. Lost or
stolen electronic devices account for the majority of reported HIPAA
breaches in the United States.
- The best defense is to not store PHI on such devices unless the
device(s) is encrypted.
- If you carry a mobile device that has access to patient PHI, it
should be password protected and encrypted.
- Emails
- Verify the individuals listed in the To:, CC:, and BCC: fields
are the ones who are authorized to receive the information.
- Thoroughly inspect any and all attachments to ensure the information is
appropriate for the intended recipients
- Check with the IT department or your computer supporter before
disposing of computers and portable storage devices such as thumb
drives.
- Verify that processes are in place to ensure PHI is wiped from
the hard drive memory of copy machines and biomedical equipment (the
vendor may be contracted to do this for you).
- If a large amount of patient information needs to be shared, you
can use secure computer folders or links. Contact your IT department
for more information on this option.
- To share large files securely with outside entities, use LSU
Health FileS (File-Sharing Solution).
- If you do use folders in Public Folders, or on certain drives on
your local workstation, remember that identifiable patient information
should not be stored there unless the folder has sufficient security to
limit access to only those who need it.
Other Concerns
Pictures of Patients
- Check the policy at the institution where you are working regarding
photographing patients to fully understand what is or is not acceptable.
- In many cases, the patient must provide written consent before a
picture may be taken.
Strangers
- Hospitals and health care facilities are bustling places, with
people moving quickly about everywhere.
- In such an environment, it would be easy for someone to go
unnoticed while attempting to steal PHI.
- Should anyone come to you, with whom you are not familiar, asking
for access to PHI, or to restricted areas within the hospital or health
care facility where you work, it is important to verify their identity.
- If you have not been notified by your supervisor that there is
someone who will need access to an area or information, verify with
your supervisor, Security, Hospital Administrator or the Compliance
department at the hospital or health care facility where you are
working before granting them access. This is true, even if the person
appears to have proper identification.
- If you have not been notified by your supervisor that there is
someone who will need access to an area or information, verify with
your supervisor, Security, or the Compliance
department at LSUHSC-NO before granting them access. This is true, even if the person
appears to have proper identification or the proper authority.
Accessing Records
Each of us only has authorization to access PHI based on a need to
know basis for the purpose of fulfilling our job responsibilities.
Unfortunately, some take advantage of various sources of PHI to satisfy
curiosity or other motives instead.
LSUHSC-NO faculty, staff and students may find themselves working
and/or training in facilities that use electronic health record systems
that are shared by multiple, independent health care providers. An
example of such a system is the PELICAN electronic health record. In
such cases, an individual must be granted permission to access the
electronic record in writing by the facility that owns the record, in
addition to having a job related need to view the information before
accessing the electronic record.
No matter why an employee or physician accesses PHI, if there is not
a job specific reason to do so, the access is prohibited by LSU policy,
and the HIPAA regulations!
This includes access to family
members’ information, including spouses, parents, adult children,
siblings, significant others, coworkers, etc.
Any such unauthorized access would be a direct violation of HIPAA
regulations, and expose the person who violated them not only to
disciplinary action, but also to possible legal action.
If you are the caregiver of a family member or friend and need
access to PHI, then a release of information form signed by the patient
should be given to medical records so that you can be given information
on the patient by medical records.
Possession of Records
- What identified patient information do you have in your
possession?
- To whom does this information belong?
- The patient
- The hospital or other health care institution
- Do you have right to have that information in your possession?
- Are you treating the patient.
- Do you have written authorization from the patient or the
hospital to possess this information.
- When should patient information in your possession be destroyed,
de-identified or turned over to the health care institution?
- When the treatment relationship ends.
- Change in rotation
- Change in employment
- In certain instances, at the end of the research study, if
these are research records. (see CM-53 Section S)
Social Media
LSUHSC-NO recognizes that social networking websites and
applications (i.e. Facebook, Twitter, and YouTube, etc.) are an
important and timely means of communication. However, LSUHSC-NO
faculty, staff, residents, and students who use
these websites and applications, must be aware that the protections of
patient information required by HIPAA apply to social media as well.
While it is popular to share events that happen at work or school on
social media outlets in the form of posts, pictures, and/or videos,
employees and students of LSUHSC-NO must be vigilant to ensure that
patient information is NOT compromised in the process. Some ways to
prevent PHI from being exposed on social media include:
- Ensure that all personal identifiers are removed (e.g. age,
gender, race, before and after photographs and/or tattoos), and are NOT
inadvertently included in any social media.
- Be familiar with the hospital's social media policy. It may have
different restrictions than LSUHSC-NO's policy.
- In the absence of a policy, care must be exercised when posting
information for educational purposes to ensure that any information
posted combined with other readily available information (ex. address,
telephone number, etc.) will NOT result in the identification of the
patient.
Policies of Affiliated Hospitals
The HIPAA regulations allow hospitals to use a combination of
physical, technical and administrative safeguards as necessary to
protect PHI. When working in a different hospital, be mindful of the
possibility that the hospital’s HIPAA policies may be different from
those at LSUHSC-NO. .
For example, LSUHSC-NO allows access to its network from outside the
campus because it has a technical control called a virtual private
network (VPN) in place. Another hospital may choose not to incur the
cost of a VPN and use an administrative control in the form of a policy
that forbids accessing the hospital network from outside the campus.
When working at another hospital, it is your responsibility to
familiarize yourself with that hospital’s policies and ensure that they
are followed.
Breaches
If you become aware of a breach of PHI or suspect a breach may have
occurred, it should be reported immediately to:
- The Compliance/Privacy Officer in the Office of Compliance
Programs at LSUHSC-NO, and
- The appropriate official at the institution where the breach
occurred if other than LSUHSC-NO.
Compliance will conduct a risk assessment to determine if the breach
must be reported to the patient and the U.S. Department of Health and
Human Services.
Timely notification of any known breach is CRITICAL as we only have
60 days from the discovery of the breach to take the necessary action
required by the Breach Notification Rule.
Getting Help
If you have
any questions, please contact the Office of
Compliance
Programs by: