Best Practices for Protected Health Information (PHI)
What are best practices for:
Protecting PHI against public viewing?
Preventing conversations about PHI from being overheard?
Storage and disposal of documents that contain PHI?
Safeguarding computer workstations and databases that contain PHI?
1. What are best practices for protecting PHI against public viewing?
Create areas where you may review written materials and charts containing PHI that will not be in view or easily accessed by persons who do not need the information. If charts or other documents cannot practicably be kept in a secure area during use (e.g., while being analyzed by your instructor, awaiting a practitioner's viewing), then establish a practice of turning documents over to minimize incidental viewing.
- Locate printers, copiers, and fax machines in areas that minimize public viewing. Promptly retrieve documents containing PHI to minimize viewing by persons who do not need the information.
- Utilize computer privacy screens and/or screen savers when practicable. If privacy screens are not available, then locate computer monitors in areas or at angles that minimize viewing by persons who do not need the information.
- Locate whiteboards that may be used to display PHI in areas that minimize viewing by persons who do not need the information.
- Do not leave materials containing PHI in conference rooms, on desks, or on counters or other areas where the PHI may be accessible to persons who do not have a need to know the information.
- Escort patients, repair and delivery representatives, and any other persons not having a need to view the PHI into areas where PHI is maintained. Before providing a fax or copier repair representative access to a machine, ensure that no PHI has inadvertently been left on the machine.
Back to top
2. What are best practices for preventing conversations about PHI from being overheard?
- Become aware of your surroundings and who is available to hear any discussions concerning PHI.
- Refrain from discussing PHI beyond that which is the minimum necessary to conduct business.
- Keep voices down when discussing PHI.
- Refrain from discussing PHI in public areas such as elevators, rest rooms, and reception areas, unless doing so is necessary to provide treatment to one or more patients.
- Utilize private space (e.g., separate rooms) when discussing PHI with faculty members, clients, patients, and family members.
- Phone conversations should be done in a private space away from the hearing of those without a need to know PHI.
- Do not relay or discuss PHI over the phone unless you confirm the identity of the person to whom you are speaking and their authority to receive the PHI being discussed.
Back to top
3. What are best practices for the storage and disposal of documents that contain PHI?
- Maintain documents containing PHI in locked cabinets or locked rooms when the documents are not in use and after working hours.
- Establish physical and/or procedural controls (e.g., key or combination access, access authorization levels) that limit access to only those persons who have a need for the information.
- Control and secure keys to locked files and areas. Do not leave keys in locks or in areas accessible to persons who do not have need for the stored PHI.
- Do not place documents containing PHI in trash bins. Promptly shred documents containing PHI when no longer needed, in accordance with College procedures.
Back to top
4. What are best practices for safeguarding computer workstations and databases that contain PHI?
- Establish controls that limit access to PHI to only those persons who have a need for the information.
- Exit any database containing PHI before leaving workstations unattended so that PHI is not left on a computer screen where it may be viewed by persons who do not have a need to see the information.
- Do not disclose or release to other persons any item or process which is used to verify authority to create, access or amend PHI, including but not limited to, any badge, password, personal identification number, token or access card, or electronic signature.
- Follow Information Technology Department instructions regarding updating and changing passwords and installing security updates.
- Delete or erase PHI from any computer drive as soon as the PHI is no longer needed. Contact the Information Technology Department regarding the disposal of hardware to assure that no PHI is retained on the machine.
- Establish a system for restoring or recovering any loss of electronic PHI.
- Maintain an accurate inventory of the location of all workstations that contain PHI.
- Maintain an accurate inventory of all software located on the workstations.
- To prevent risk to the system and inadvertent release of PHI, prevent the unauthorized downloading of software.
Back to top
5. What are best practices for faxing PHI?
- Fax PHI only when other types of communication are not available or practical.
- Limit the PHI contained in the fax to the minimum necessary to accomplish the purpose of the communication.
- When faxing to a patient, do not fax sensitive PHI such as PHI related to alcohol abuse, drug abuse, mental health issues, HIV testing, antigens indicating hepatitis infection, sexually transmitted diseases (STD), or presence of malignancy.
- Do not use faxing as a means to respond to subpoenas, court orders, or search warrants.
- Take reasonable precautions to ensure that the intended recipient is either available to receive the fax as it arrives or has exclusive access to the fax machine.
- Pre-program frequently used non-patient fax numbers to minimize potential for misdirected faxes. Confirm pre-programmed numbers at least every six (6) months.
- If there is any reason to question the accuracy of a fax number, contact the recipient to confirm the number prior to faxing PHI.
- When faxing PHI, use fax cover sheets that include the following information:
- Sender's name, facility, telephone and fax number
- Date and time of transmission
- Number of pages being faxed including cover sheet
- Intended recipient's name, facility, telephone and fax number
- Name and number to call to report a transmittal problem or to inform of a misdirected fax
- Confidentiality notice such as the following:
Confidentiality Notice : The information contained in this facsimile transmission is privileged and confidential intended for the use of the addressee listed on the cover page. The authorized recipient of this information is prohibited from disclosing this information to any other party and is required to destroy the information after its stated need has been fulfilled. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of these documents is strictly prohibited (Federal Regulation 42 CFR, Part 2, and 45 CFR, Part 160). If you have received this fax in error, please notify the sender immediately by calling the phone number above to arrange for return of these documents.
- Do not include any PHI on the fax cover sheet.
- If notified of a misdirected fax, instruct the unintended recipient to return the information by mail or destroy the information by shredding.
Back to top
6. What are best practices for E-mailing PHI?
- E-mail should not be used for sensitive or urgent matters. Topics appropriate for e-mail include appointment scheduling and routine follow-up questions.
- Do not use e-mail to convey the results of tests related to HIV status, sexually transmitted diseases, presence of a malignancy, presence of a hepatitis infection, or abusing the use of drugs.
- If possible, do not transmit PHI via e-mail unless using an IT-approved secure encryption procedure.
- If a secure e-mail server is not used, do not e-mail lab results.
- Limit the PHI contained in the e-mail to the minimum necessary to accomplish the purpose of the communication.
- E-mail PHI only to a known party (e.g., patient, health care provider).
- Prior to e-mailing PHI to an individual:
- Obtain the individual's consent prior to communicating PHI with him or her even if the individual initiated the correspondence; and
- Clearly communicate to the individual the risks and limitations associated with using e-mail for communications of PHI.
- When e-mailing to a non-health care provider third party, always obtain the consent of the individual who is the subject of the PHI.
- Do not e-mail PHI to a group distribution list unless individuals have consented to such method of communication.
- Send PHI as a password protected/encrypted attachment when possible.
- In the subject heading, do not use patient names, identifiers or other specifics; consider the use of a confidentiality banner such as "This is a confidential medical communication".
- Include in e-mail stationery a confidentiality notice such as the following:
Confidentiality Notice : This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this message is STRICTLY PROHIBITED. If you have received this transmission in error, please immediately notify us by reply e-mail or by telephone at (XXX) XXX-XXXX, and destroy the original transmission and its attachments without reading them or saving them to disk.
- If PHI is received in an e-mail, include a copy of the e-mail in the patient's medical/dental/treatment record, if applicable.
Back to top