HIPAA Privacy Rule Guidelines for Sharing or Disclosing an Individual’s Personal Health Information (PHI) – Part 1
When it comes to sharing or disclosing personal health information (PHI), a good rule of thumb is, “less is more.” It is always possible to provide more information when circumstances indicate that it is okay. However, once information is provided, it cannot be taken back.
What is HIPAA? HIPAA is the acronym used to refer to the Health Insurance Portability and Accountability Act established by the U.S. Congress in 1996. The HIPAA Privacy Rule contains the rules and guidelines developed and enforced by HIPAA to protect an individual’s Private Healthcare Information (PHI), and they are quite comprehensive. Any entity providing healthcare services or that handles personal healthcare information in any form, e.g., patient’s medical records, prescriptions, lab results, etc., should be familiar with what is acceptable and exactly how and where an individual’s PHI may be shared and stored. Violations of these rules carry serious penalties. For example, the penalty cap for HIPAA violations can be as much as $1,500,000/year per violation. Compliance is not optional it is mandatory.
Telephone, Voicemail, E-Mail, and Faxes
In any type of messaging where the person answering the phone, listening to the message or the person who may read the message (accidentally or intentionally) is not the person for whom the message is intended, special care should be taken in order not to disclose private healthcare information. Never leave clinical details (lab or test results, etc.) on voicemail or on an answering machine. Leave only basic information and a way for the individual to contact you for the details, such as the identifying the name of the provider and a phone number.
If someone answers the call and their identity as the person being called can be verified (full name, birthdate, and address), it is okay to provide any information. But, be alert if the person answering the phone is not who you are trying to contact. Again, only give out very basic information, like where you are calling from and a return call number.
Even though e-mail is generally only viewed by the person to whom it is addressed, be careful. E-mail can or may be diverted and seen by someone other than the intended recipient. A good example of this might be when a secretary is asked to review her boss’s e-mail, or maybe the address on the e-mail is incorrect.
The goal of the HIPAA Privacy Rule is to simply protect individuals and to give them control over the use of their health information. HIPAA regulations allow for reasonable standards, approaches and policies when considering what is allowed and what is prohibited in an e-mail, on voicemail or on a fax.
Although the “Security Rule” does not specifically forbid using e-mail to send personal health information (e-PHI), it does “…allow for ePHI to be sent over an electronic open network as long as it is adequately protected.” Here is a brief summary of HIPAA rules regarding use of email:
- E-mail communication is allowed, but precautions must be taken;
- Alert individuals about the risks involved with using e-mail and fax;
- Use care not to expose an individual’s information -check and verify e-mail addresses and the fax numbers;
- Take steps to protect information shared over open networks, e.g., encrypting messages containing personal health information.