LSU Health Logo

Office of Compliance Programs

Protecting PHI for Clinical Staff and Students

Revised: July 24, 2017

Introduction

HIPAA requires that LSUHSC-NO "have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information." {45 CFR 164.530(c)(1)}

The HIPAA Privacy Rule

A covered entity (e.g. LSUHSC-NO and its faculty, staff and students) may not use or disclose protected health information (PHI)about a patient without that patient's written authorization unless the use or disclosure falls under one of the exceptions.

What is PHI?

PHI consists of two parts:

What Form Does PHI Take?

PHI can be in any format, including but not limited to:

Where Can PHI Be Found?

Depending on the format, PHI can be found in:

Protecting PHI

We have an obligation to protect the privacy of LSUHSC-NO patients. Simple acts can have serious consequences. What are some of the ways to help insure PHI is protected?

Do you REALLY need to use PHI?

While using and disclosing PHI is essential for treating patients, there are many tasks that can be accomplished without using PHI. For example, the statement, "Mr. Carbuncle is ready to have his boils lanced," contains PHI. However, the statement "Mr. Carbuncle is ready for you in Room 3," does not.

Many times the use and disclosure of PHI can be reduced by simply choosing to use and disclose health information OR use and dislose identifiers but not both. Most hospitals have banned using texts or email to communicate PHI. When the identifiers are separated from the health information, it is no longer PHI and can be sent safely.

In the example below, a resident has sent a text to an attending physician regarding a patient's lesion. The photograph does not include the patient's face or any unique identifying marks such as scars or tattoos. The text does not include the patient's name or any other identifiers. For that reason, the text does not contain PHI and is not subject to HIPAA.

Example of texting without PHI

The resident then calls and discusses the case with the attending physican. He can clarify any identifiers during the call.

Scenario 1

Dr. Capaldi, a second year resident, is working the evening shift at Our Lady of Perpetual Sorrows Hospital. He is concerned about some lab values on a recently admitted patient. He phones the attending on call, Dr. Hartnell, to discuss his concerns but the list of lab values is too long to relate over the phone. Dr. Hartnell instructs Dr. Capaldi to text him the lab values. Our Lady of Perpetual Sorrows has a strict ban on texting PHI so Dr. Capaldi takes a photograph of the lab values and carefully crops out all the patient identifying information (name, MRN, etc.). He then texts the picture to Dr. Hartnell. Afterwards, Dr. Capaldi deletes the photograh from his phone. Has Dr.Capaldi violated the hospital's ban on texting PHI?

Hover your mouse over or tap your finger on the box below to see the right answer. (Tap on any picture to make the answer disappear.)

Yes
 
No

Redaction

Another method of separating identifiers and health information is redaction. Redaction is the process of obscuring or removing information from a document or record. It is a difficult and painstaking process to do correctly on existing documents and records.

In many cases, redaction is needed to prevent sensitive information from being breached.

Physical Redaction

Physical redaction is applied to paper records and analog recordings. Methods include:

When excising, be sure to collect all the cuttings and ensure they are destroyed by shredding or incinerating. When blacking out sections of paper documents ensure that information has been completely obscured.

Digital redaction

Digital redaction is extremely difficult to perform correctly. Most computer programs are designed to preserve information, not destroy it. The majority of computer programs used for editing text do not have a redaction function.

This requires the individual performing the digital redaction to have an in-depth knowledge of information is stored in a computer. Adobe Acrobat (not Acrobat Reader) version 9 and later has an effective redaction function. It is a two step process:

  1. First, mark all the information in the document to be redacted.
  2. Tell the program to redact the information. The program will warn you that the selected information is about to be destroyed and will become unrecoverable. You will need to confirm that is what you want before the information is actually redacted.

Digital Redaction Methods That DON’T WORK

How to Check Digital Redaction

REMEMBER

When You Really Need to Use PHI

What about when it's not feasible to separate identifiers from health information and you need to use and disclose PHI (which is most of the time)? It is your responsibility to take reasonable precautions to help insure that PHI remains confidential. What are some of the precautions you can take?

Verbal

Written

Electronic

Other Concerns

Pictures of Patients

Strangers

Accessing Records

Each of us only has authorization to access PHI based on a need to know basis for the purpose of fulfilling our job responsibilities. Unfortunately, some take advantage of various sources of PHI to satisfy curiosity or other motives instead.

LSUHSC-NO faculty, staff and students may find themselves working and/or training in facilities that use electronic health record systems that are shared by multiple, independent health care providers. An example of such a system is the PELICAN electronic health record. In such cases, an individual must be granted permission to access the electronic record in writing by the facility that owns the record, in addition to having a job related need to view the information before accessing the electronic record.

No matter why an employee or physician accesses PHI, if there is not a job specific reason to do so, the access is prohibited by LSU policy, and the HIPAA regulations! This includes access to family members’ information, including spouses, parents, adult children, siblings, significant others, coworkers, etc.

Any such unauthorized access would be a direct violation of HIPAA regulations, and expose the person who violated them not only to disciplinary action, but also to possible legal action.

If you are the caregiver of a family member or friend and need access to PHI, then a release of information form signed by the patient should be given to medical records so that you can be given information on the patient by medical records.

Possession of Records

Social Media

LSUHSC-NO recognizes that social networking websites and applications (i.e. Facebook, Twitter, and YouTube, etc.) are an important and timely means of communication. However, LSUHSC-NO faculty, staff, residents, and students who use these websites and applications, must be aware that the protections of patient information required by HIPAA apply to social media as well.

While it is popular to share events that happen at work or school on social media outlets in the form of posts, pictures, and/or videos, employees and students of LSUHSC-NO must be vigilant to ensure that patient information is NOT compromised in the process. Some ways to prevent PHI from being exposed on social media include:

Policies of Affiliated Hospitals

The HIPAA regulations allow hospitals to use a combination of physical, technical and administrative safeguards as necessary to protect PHI. When working in a different hospital, be mindful of the possibility that the hospital’s HIPAA policies may be different from those at LSUHSC-NO. .

For example, LSUHSC-NO allows access to its network from outside the campus because it has a technical control called a virtual private network (VPN) in place. Another hospital may choose not to incur the cost of a VPN and use an administrative control in the form of a policy that forbids accessing the hospital network from outside the campus. When working at another hospital, it is your responsibility to familiarize yourself with that hospital’s policies and ensure that they are followed.

Breaches

If you become aware of a breach of PHI or suspect a breach may have occurred, it should be reported immediately to:

Compliance will conduct a risk assessment to determine if the breach must be reported to the patient and the U.S. Department of Health and Human Services.

Timely notification of any known breach is CRITICAL as we only have 60 days from the discovery of the breach to take the necessary action required by the Breach Notification Rule.

Getting Help

If you have any questions, please contact the Office of Compliance Programs by: