STANDARD OF CONDUCT: SAFEGUARDING PROTECTED HEALTH INFORMATION (PHI)

OUR COMMITMENT

We are committed to safeguarding our patients’ protected health information in accordance with state and federal privacy and security laws and regulations.

YOUR RESPONSIBILITIES

  • To protect our patients’ privacy by only using and disclosing a patient’s protected health information if it is necessary to do your job (for treatment, payment, or healthcare operations purposes, for example) and only using or disclosing the minimum amount of protected health information necessary to do your job.
  • To always obtain a patient’s authorization to use or disclose their protected health information if the use or disclosure is not for treatment, payment, or healthcare operations or if the use or disclosure is otherwise permitted under state or federal privacy laws and regulations.
  • To be sensitive to your surroundings when you are sharing protected health information and to always speak in a low and quiet tone if you are not in a private area.
  • To always properly dispose of protected health information in the designated blue shred bins.
  • To report any impermissible or improper use or disclosure of protected health information to the Office of Corporate Compliance as soon as possible.
  • To never share your passwords or credentials with anyone for any reason.

FAQs

What is protected health information?

Protected health information is information that identifies a patient or could be used to identify a patient and relates to that patient’s healthcare in any way. Protected health information can be in any format, including paper, electronic, or oral. Examples include After Visit Summaries, prescriptions, any information included in the patient’s electronic medical record, and information discussed between healthcare providers.

Can I disclose a patient’s protected health information to a patient’s family member(s) or friend(s)?

Yes; however, you may disclose to a patient’s family member(s) and/or friend(s) only the protected health information that is directly relevant to the family member’s or friend’s involvement in the care of the patient, and only so long as the patient has agreed or has been given an opportunity to object and did not object. For more information regarding these disclosures, please see Harris Health Policy 3.11.203, Use and Disclosure of Protected Health Information to Persons Involved in the Patient’s Care and for Disaster Relief Purposes.

Can I take a photograph of a patient or make a recording of a patient?

Yes, you may take a photograph of a patient or make a recording of a patient, provided that: (1) the patient’s written authorization (use Harris Health form no. 282758) is obtained prior to taking the photograph or making the recording; or (2) the photograph or recording is being taken and used for treatment purposes only and is integral to the treatment of the patient; or (3) the photograph or recording is taken to be used for internal education purposes. For more information, please see Harris Health Policy 3.11.310, Making and Disclosing Photographic, Video, Electronic, Digital, or Audio Recordings of Patients.

What should I do if I suspect that HIPAA has been violated?

Because the HIPAA privacy rule requires that Harris Health notify affected patients within sixty (60) calendar days of the discovery of a HIPAA breach, you should report your suspicions as soon as possible to the Office of Corporate Compliance for investigation. You may report HIPAA allegations either: (1) via email to Corporate Compliance; (2) through Harris Health’s Electronic Incident Reporting System (eIRS); or (3) to the Corporate Compliance hotline at 800-500-0333.