STANDARD OF CONDUCT: SAFEGUARDING PROTECTED HEALTH INFORMATION (PHI)

OUR COMMITMENT

We are committed to safeguarding our patients’ protected health information in accordance with state and federal privacy and security laws and regulations.

YOUR RESPONSIBILITIES

  • To protect our patients’ privacy by only using, disclosing or accessing a patient’s protected health information, including their electronic medical record, if it is necessary to do your job (for treatment, payment or healthcare operations purposes, for example) and only using or disclosing the minimum amount of protected health information necessary to do your job.
  • To always obtain a patient’s authorization to use or disclose their protected health information if the use or disclosure is not for treatment, payment or healthcare operations, unless the use or disclosure is otherwise permitted under state or federal privacy laws and regulations.
  • To be sensitive to your surroundings when you are sharing protected health information and to always speak in a low and quiet tone if you are not in a private area.
  • To always properly dispose of protected health information in the designated locked shred bins.
  • To report any known or suspected impermissible or improper use, disclosure of or access to protected health information to the Office of Corporate Compliance as soon as possible, but no later than 24 hours after discovering an actual or suspected impermissible or improper use, disclosure or access.
  • To never share your passwords or credentials with anyone for any reason.
  • To maintain up-to-date knowledge of privacy and information security rules by completing Harris Health’s annual privacy and information security education.

FAQs

What is protected health information?

Protected health information is information that identifies a patient or could be used to identify a patient and relates to that patient’s healthcare in any way. Protected health information can be in any format, including paper, electronic or oral. Examples include After Visit Summaries, prescriptions, any information included in the patient’s electronic medical record and information discussed between healthcare providers.

Can I disclose a patient’s protected health information to a patient’s family member(s) or friend(s)?

Yes; however, you may disclose to a patient’s family member(s) and/or friend(s) only the protected health information that is directly relevant to the family member’s or friend’s involvement in the care of the patient, and only so long as the patient has agreed or has been given an opportunity to object and did not object. For more information regarding these disclosures, please see Harris Health Policy 3.11.203, Use and Disclosure of Protected Health Information to Persons Involved in the Patient’s Care and for Disaster Relief Purposes.

Can I take a photograph of a patient or make a recording of a patient?

Yes, you may take a photograph of a patient or make a recording of a patient, provided that: (1) the patient’s written authorization (use Harris Health form no. 282758) is obtained prior to taking the photograph or making the recording; or (2) the photograph or recording is being taken and used for treatment purposes only and is integral to the treatment of the patient; or (3) the photograph or recording is taken to be used for internal education purposes. For more information, please see Harris Health Policy 3.11.310, Making and Disclosing Photographic, Video, Electronic, Digital, or Audio Recordings of Patients.

What should I do if I suspect that HIPAA has been violated?

Because the HIPAA privacy rule requires that Harris Health notify affected patients within 60 calendar days of the discovery of a HIPAA breach, you should report your suspicions to the Office of Corporate Compliance for investigation as soon as possible, but not later than 24 hours after discovery. You may report HIPAA allegations: (1) via email to Corporate Compliance; (2) through Harris Health’s Electronic Incident Reporting System (eIRS); or (3) by calling the Corporate Compliance hotline at 844-565-0621 or using the secure and confidential EthicsPoint site.

POLICIES TO KNOW

  • Harris Health Policy 3.11.105, Use and Disclosure of Protected Health Information for Treatment, Payment, and Health Care Operations
  • Harris Health Policy 3.11.104, Sanctions for Failure to Comply with Privacy and Information Security Policies
  • Harris Health Policy 3.11.201, Use and Disclosure of Protected Health Information for Facility Directories
  • Harris Health Policy 3.11.302, Minimum Necessary Standard for Request, Use, or Disclosure of Protected Health Information
  • Harris Health Policy 3.11.306, Permitted Use and Disclosure of Protected Health Information Without a Patient Authorization
  • Harris Health Policy 3.11.310, Making and Disclosing Photographic, Video, Electronic, Digital, or Audio Recordings of Patients