STEWARDSHIP

STANDARD OF CONDUCT: SAFEGUARDING PHI

OUR COMMITMENT

We are committed to safeguarding our patients’ protected health information in accordance with state and federal privacy and security laws and regulations.

YOUR RESPONSIBILITIES

  • To protect our patients’ privacy by only using and disclosing the patient’s protected health information if it is necessary to do your job (for treatment, payment, or healthcare operations purposes, for example) and only using or disclosing the minimum amount of protected health information necessary to do your job.
  • To always obtain a patient’s authorization to use or disclose their protected health information if the use or disclosure is not for treatment, payment or healthcare operations, unless the use or disclosure is otherwise permitted under state or federal privacy laws and regulations.
  • To be sensitive to your surroundings when you are sharing protected health information and to always speak in a low and quiet tone.
  • To always properly dispose of protected health information in the designated blue shred bins.
  • To always report any impermissible or improper use or disclosure of protected health information to the Office of Corporate Compliance as soon as possible.
  • To never share your passwords or credentials with anyone for any reason.

What is protected health information?

Protected health information is information that identifies a patient or could be used to identify a patient and relates to that patient’s healthcare in any way. Protected health information can be in any format, including paper, electronic or oral. Examples include After Visit Summaries, prescriptions, any information included in the patient’s electronic medical record and information discussed between healthcare providers.

Can I disclose a patient’s protected health information to a patient’s family member(s) or friend(s)?

Yes; however, you may disclose to a patient’s family member(s) and/or friend(s) only protected health information that is directly relevant to the family member’s or friend’s involvement in the care of the patient, and only so long as the patient has agreed or has been given an opportunity to object and did not object. For more information regarding these disclosures, please see Harris Health Policy 3.11.203, Use and Disclosure of Protected Health Information to Persons Involved in the Patient’s Care and for Disaster Relief Purposes.

Can I take a photograph of a patient or make a recording of a patient?

Yes, you may take a photograph of a patient or make a recording of a patient, provided that: (1) the patient’s written authorization (use Harris Health form no. 282758) is obtained prior to taking the photograph or making the recording; or (2) the photograph or recording is being taken and used for treatment purposes only and is integral to the treatment of the patient; or (3) the photograph or recording is taken to be used for internal education purposes. For more information, please see Harris Health Policy 3.11.310, Making and Disclosing Photographic, Video, Electronic, Digital, or Audio Recordings of Patients.

What should I do if I suspect that HIPAA has been violated?

Because the HIPAA privacy rule requires that Harris Health notify affected patients within 60 calendar days of the discovery of a HIPAA breach, you should report your suspicions as soon as possible but not later than 24 hours after discovery to the Office of Corporate Compliance for investigation. You may report HIPAA allegations either: (1) via email to CorporateCompliance@harrishealth.org; (2) through Harris Health’s Electronic Incident Reporting System (eIRS); or (3) to the Corporate Compliance hotline at (844) 565-0621 or use the secure and confidential EthicsPoint site.

POLICIES TO KNOW

  • Harris Health Policy 3.11.105, Use and Disclosure of Protected Health Information for Treatment, Payment, and Health Care Operations.
  • Harris Health Policy 3.11.201, Use and Disclosure of Protected Health Information for Facility Directories.
  • Harris Health Policy 3.11.302, Minimum Necessary Standard for Request, Use, or Disclosure of Protected Health Information.
  • Harris Health Policy 3.11.306, Permitted Use and Disclosure of Protected Health Information Without a Patient Authorization.
  • Harris Health Policy 3.11.310, Making and Disclosing Photographic, Video, Electronic, Digital, or Audio Recordings of Patients.