Privacy rule

Private health information (PHI) — a patient’s health, care provisions, or associated payments — is protected by you, the covered entity. PHI is any information related to a patient, whether it is in print, in an electronic record, or even associated with a bill or payment history.

The privacy rule covers who must be notified of updates or additions to patient information and who may access the information. The “musts” apply to covered entities (that’s you): you must report any PHI to the patient within 30 days of receiving a request to do so. You must also disclose PHI when required by law, in instances such as court cases or suspected child abuse.

The “mays” are the cases in which you may disclose PHI, as long as you make a reasonable effort to disclose only the minimum information necessary to get the job done. For example, if you receive a request from a colleague for Mrs. Jones’ latest mammogram results to facilitate treatment, that is all you should report. Her PHI about her latest bout of flu is not at issue, for example, and should not be disclosed in this case. So you, as a covered entity, may disclose PHI for the following reasons:

To facilitate treatment

To initiate or follow up on payment

To assist with healthcare operations

If the patient has provided authorization to release the information

As resident EHR champion, you should make sure HIPAA’s privacy rule is followed elsewhere within the practice. Many of those checks and balances happen via the EHR software, ...
