10 Tips for Handling Protected Health Information (PHI) in Your Urgent Care

On today’s medical landscape, protected health information (PHI) is shared instantaneously between doctors and other healthcare providers to improve the continuum of patient care. We’ve come a long way from the time when the first physicians collaborated on how to best care for their patients. Fortunately, some of the principles they lived by continue to guide today’s doctors.

Modern medicine is often traced back to the time of the ancient Greeks and Hippocrates. Medical texts including Of the Epidemics, written around 500 and 400 B.C.E., provide the context of the principle, “first do no harm.”

“The physician must be able to tell the antecedents, know the present, and foretell the future—must mediate these things, and have two special objects in view with regard to disease, namely, to do good or to do no harm.”

It’s not likely that these early doctors would have predicted a future in which patient care often relies on energy passing through cords to machines that pump a heart, provide air to the lungs, and keep track of vital information about patients.

While the time and the landscape on which medicine is practiced has gone through meteoric changes, the basic principles of doing good and doing no harm still guide the practiced hands of physicians. But in today’s world, these principles expand beyond the scope of hands-on patient care. With the use of technology to keep patient records and health history, medical practitioners are also responsible for keeping protected medical information secure.

While healthcare and patient privacy get ever more complicated, training everyone on your urgent care staff about the importance of privacy is key to doing no harm.

What is Protected Health Information (PHI)?

When you mix patient identifiable information and health information, you have PHI.

According to the U.S. Department of Health and Human Services (HHS), health information is oral and recorded information created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual, or the past or future payment for the provision of health care to an individual.

This includes:

Medical records

• Electronic and paper case histories
• Treatment records
• Tests and results
• Charts
• Progress reports
• X-rays
• MRIs and results

Claims

Payments

Eligibility

Health plan and insurance data

Individually identifiable health information, says HHS, is a subset of health information, including demographic information collected from an individual, and along with the above, identifies the individual or can (reasonably) be used to identify an individual.

This includes:

• Name
• Address
• Dates related to an individual
• Phone and fax numbers
• Email address
• Social Security number
• Medical records number
• Health plan beneficiary number
• Account number
• Certificate/license number
• Any vehicle or other device serial number
• Device identifiers or serial numbers
• Web URL
• IP address
• Finger or voice prints
• Photographic images
• Any other characteristic that would uniquely identify an individual

 Sharing PHI

One of the key reasons electronic health records are so important to doctors is the ease in which they can be shared between caregivers, but they should never be shared haphazardly. A key protection of the HIPAA Privacy Rule is the minimum necessary standard: “protected health information should not be disclosed when it is not necessary to satisfy a particular purpose or carry out a function.”

Assessing your processes and protocols is an important first step to ensuring you are properly handling PHI. It will allow you to find any areas that need improvement and resolve them.

Extensive training comes next. Everyone in your clinic has a responsibility to upholding HIPAA guidelines, and more importantly, taking good care of your patients’ sensitive information as well as their health.

Sharing PHI on a need-to-know basis is a critical component to staying compliant. This is essential when communicating both outside and inside your clinic. The following ten (simple) tips will help you stay compliant.

1. Choose a HIPAA champion to oversee compliance and PHI security. Be sure they stay up-to-date on any changes in the standards, and are committed to communicating with other staff members about PHI. Your champion may be in charge of creating informational materials and conducting HIPAA training with new staff.
2. Remind staff that sharing sensitive PHI information unnecessarily with others not directly involved in a particular patient’s care, including co-workers or personal acquaintances, is off limits.
3. In the clinic, staff should not use a patient’s full name within hearing distance of anyone not directly connected with the patient’s current care.
4. Be sure all paper records and patient charts not currently in use are kept in a secure location only accessible to cleared staff. Patient records should not be accessed unless needed for work without a patient’s written consent. When no longer needed, shred paper files and dispose of properly.
5. Electronic records and charts should be password protected for use only as needed. Never leave computer programs containing PHI open when not in use.
6. Limit electronic transmission when possible. Use only encrypted methods when sending PHI electronically.
7. Use role-based security levels to ensure only those with clearance can see PHI.
8. No password sharing.
9. Choose an EMR provider with technology solutions that meet HIPAA compliance standards.
10. Limit access of third-party vendors in your clinic. Be sure they also follow HIPAA regulations when dealing with any information they learn while doing business with your clinic.

Technology plays a vital role on today’s healthcare landscape. As physicians and caregivers, the responsibility to do no harm extends far beyond what Hippocrates and his colleagues could ever have imagined and into the global information network. Tomorrow’s healthcare professionals will look to you and your legacy for guidance as they also assume responsibility for patients far into the future. What they will see is up to you.