Uses and Disclosures of PHI

HIPAA allows the use and disclosure of protected health information (PHI) for purposes of treatment, payment, or health care operations without a patient signing an authorization form.

Q: What qualifies as “treatment”?

A: “Treatment” under HIPAA includes:

  • The provision, coordination, or management of health care and related services by one or more health care providers
  • Coordination / management of care with a 3rd party
  • Consultation between health care providers
  • Referral of a patient

Q: What qualifies as “payment”?

A: “Payment” under HIPAA includes:

  • Billing, claims management or collection activities
  • Coordination of benefits
  • Eligibility, coverage or cost sharing determinations
  • Disclosure to consumer reporting agencies
  • Obtain payment for a service
  • Obtain payment under a contract for reinsurance including stop-loss insurance and excess of loss insurance
  • Subrogation or adjudication of claims
  • Utilization review activities including pre-certification, pre-authorization or concurrent / retrospective reviews

Q: What qualifies as “health care operations”?

A: Health care operations” under HIPAA include:

  • Accreditation, certification, licensing or credentialing
  • Business planning, development or management
  • Case management and care coordination
  • Complaint or grievance resolution
  • Contact providers/patients about treatment alternatives
  • Customer service
  • Due diligence related to the sale/transfer of assets
  • Legal services or auditing functions
  • Medical Review
  • Outcomes evaluation & development of clinical guidelines
  • Population based activities related to improving health or reducing health care costs
  • Protocol development
  • Training or educational purposes
  • Quality assessment or improvement activities
  • Underwriting or premium rating

Information may be used within HIPAA covered entities (e.g., Penn Medicine, School of Dental Medicine and others) for these purposes. Information may be disclosed outside of such entities only for training or educational purposes, QA/QI, outcomes and population-based activities, case management and care coordination, or fraud detection.

Q: May I use or release PHI for reasons other than those listed above?

A: Generally, to use or disclose PHI for any other purpose, an Authorization is required. Please discuss with your Entity HIPAA Privacy Officer.

There are some exceptions to the authorization requirement, including: in response to a subpoena or court order; mandated state or federal reporting; cadaveric organ, eye or tissue donation; reporting to public health department; reporting to law enforcement officials; reporting abuse, neglect or domestic violence; for research studies or clinical trials; workers compensation. While disclosures for such purposes are permissible without patient permission, they carry many and varied conditions. Consult with your Entity HIPAA Privacy Officer before making such disclosures.

Q: May I disclose any of the following PHI?

  • Drug and/or Alcohol Abuse
  • Mental Health
  • Psychotherapy Notes

A: There are more stringent requirements around the release of this kind of information, due to its sensitive nature. Please discuss with your Entity HIPAA Privacy Officer.

Q: May I discuss a patient’s condition with his or her family members?

A: Unless the patient has asked that we not share information with family, or unless the staff have some reason to think the patient wouldn’t want the information shared, it is okay to discuss information with family, consistent with professional judgment.

Q: I have access to a computer system that contains PHI. May I use that access to look up test results or other medical information for myself or my family or friends?

A: No, unless looking up such information is part of your job function. And, under the minimum necessary rules, if you’re not accessing the information for treatment purposes, you should only be examining the amount of PHI reasonably necessary for you to do your job.

Q: What do I do if a patient requests that we limit or restrict information even though otherwise I could share it?

A: Given our system and resource limitations and the complexity of our operations, we must exercise great caution in agreeing to patient requests to restrict their information. Please contact your Entity HIPAA Privacy Officer to discuss.

Q: May I disclose PHI to vendors who help my School or Center in its operations (e.g., transcription)?

A: In most cases, if we are providing PHI to companies performing services for us, those companies will be our “Business Associates.” We are required to have contractual language in place to ensure that they safeguard the PHI. If you are responsible for the contractual relationship with such an organization, please contact your Entity HIPAA Privacy Officer to obtain the Business Associate contract language, have it executed by the company, and keep it on file in your department.

Q: Can I use PHI to conduct marketing or fundraising activities?

A: Under certain circumstances, this is permitted. Check with your Entity HIPAA Privacy Officer before doing so.

Safeguarding PHI

Q: May I send and receive PHI via fax?

A: Yes, under the following circumstances. When sending, verify that the number is correct. It is also a good idea to contact the intended recipient to verify that he or she has received the fax. Make sure to include a fax cover sheet with language directing an unintended recipient to return or destroy the document. Re-check pre-programmed numbers on a regular basis (at least annually). Ensure that fax machines located in public areas are monitored at all times by your work force, or re-locate them to a more secure area.

Q: May I leave messages on patient answering machines that include more information than the caller’s name and phone number?

A: It is permissible to leave information on a patient’s answering machine, provided they have not requested that we not do so. It would be prudent to check with the patient before leaving potentially sensitive personal information on an answering machine.

Q: May I use post cards to send test results to patients where the results are visible?

A: No. Do not use post cards to send PHI. Appointment reminders may be sent, as long as they are not sensitive in nature, and the patient has not asked us not to send them.

Q: What should I do if a patient asks me to communicate with them at an address or telephone number different than the one on file?

A: Check your entity policy – or with your Entity HIPAA Privacy Officer — to determine when and how we honor such requests.

Q: Can I print PHI to a printer accessible to unauthorized individuals?

A: If you need to print to a printer in a public area, ensure that PHI is retrieved promptly.

Q: I want to dispose of paper patient records. What should I do?

A: PHI should be destroyed (not recycled). Utilize your School or Center’s shredders or other services to ensure proper destruction. Make sure to retain records according to Penn’s records retention schedule and destroy information according to Penn guidelines.

Q: Can I use speaker phones or mobile phones when talking about PHI?

A: Speakerphones should be used in a room with the door(s) closed, and the volume modulated to an appropriate level. When using cell phones, be very sensitive to the surroundings, and try not to discuss identifying information, if possible.

Q: May I keep my own database of PHI either on my computer or on paper?

A: Wherever possible patient identifiable information should be stored and maintained on central services or data stores. Copies of such information may be kept on computer as long as they are physically safeguarded, allowing only authorized individuals access, and technically safeguarded, ensuring PHI is encrypted or, at minimum, password protected in case the device is accessed by unauthorized persons. Paper files containing patient identifiable information should be maintained in a closed, if not locked, cabinet. Consider that others may have access to your desk during and after normal business hours.

Q: I work in an area that often has expected and unexpected visitors (patients, family members, salespeople, drug manufacturer representatives, other visitors / workers). What do I need to do to my work area to protect PHI?

A: Work areas accessible to the public are much more vulnerable to privacy violations. Additional care needs to be taken so that PHI is secure from unauthorized access.

Ensure that the records are securely stored so that access is restricted to authorized individuals. This may require placing records in locked file cabinets.

Review the angle of computer screens, the posting of PHI, location of printers and fax machines, etc.

PHI should be stored behind a door or in a drawer, etc. They should not be left on desks, counters, or on open shelving in public areas.

Ensure that faxes and printouts are retrieved promptly. If the machine is in a public area, assign someone to monitor it continuously for unauthorized access.

Ensure that receptionists or other appropriate personnel check the IDs of visitors. Ensure that the receptionist has coverage when away from her/his work area.

Q: May my department use a white board or bulletin board that contains PHI that is viewable by the public?

A: Consider whether the board can be relocated to an area not in public view. Consider whether the information can be altered so that it’s less identifiable (e.g., first name, last initial).

Q: May I use patient or visitor sign-in sheets?

A: Yes, as long as the information is appropriately limited. Consider the patient’s privacy when asking for information on a sign-in sheet. Request only the Minimum Necessary to enable you to identify the patient (perhaps first name, last initial). The sign-in sheet may not include medical information not necessary for the purpose of signing in.

Q: May I post patient schedules in public areas?

A: Avoid when possible posting patient schedules in public areas.

Q: May I discuss PHI in hallways, patient rooms, nursing stations, waiting rooms, etc.?

A: You may if you need to, though you should modulate your voice level to minimize the chance that PHI will be overheard. Identifiable information should not be discussed in inappropriate public areas, e.g., elevators, cafeteria, buses, etc.

Q: May my computer screen with PHI be viewable by the public or other unauthorized individuals?

A: Computer screens, where possible, should be positioned so they are not publicly viewable.

Q: Can I leave medical charts on counters or in chart holders outside of examination rooms?

A: Where practical, try not to leave PHI in plain view. Place charts face down, or face to the wall, etc.

Q: How should I handle follow up phone calls to patients?

A: Try to make calls in a private setting. If impractical, modulate voice levels to minimize being overheard.

Q: May I remove PHI from my facility?

A: Electronic media containing patient information may only be taken from the facility according to entity security policy. Such information should be physically and technically safeguarded to minimize the risk of unauthorized access.

Q: May I share a computer with other staff or physicians?

A: Yes, if each individual uses his or her own User ID and password and logs off after using the machine. PHI should not be saved to the local machine, if it is shared with other users who should not view that PHI.

Q: Where can I write down my User ID or password?

A: User IDs and passwords should not available to others. Do not put them under a mouse pad, in the desk drawer, or on a post-it on the wall. They should be safeguarded in the same way one would protect the PIN for an ATM card.