When it comes to protected health information (PHI), make sure your vendors and staff are taking all the necessary steps to protect your facility from a HIPAA violation or breach.
Most vendors take proper precautions, since handling this type of data is what they do professionally day in and day out. I see most violations coming from staff members at various facilities because HIPAA regulations are not something they have to deal with on a daily basis.
Most of the breaches I see happen via email. Someone at a facility needs to track down a report or research a voice file, so a request is sent to the vendor asking for assistance. Often this request includes too much information (patient name, medical record number, date of birth or Social Security number). It is fine to have either the patient name or the patient’s medical record number in an email, but not both at the same time.
As a rule, if what you are sending has more information than you would comfortably release about your mother, don’t send it! Here are some guidelines to follow:
Include a voice job number as the primary locator if it is available. With this information, your vendor can find everything else necessary to research your issue.
If a voice number is not available, send a medical record number or account number, whichever is entered into your voice capture system by dictators. Most vendors are able to search their voice records for this information to locate the specific report or voice file needed.
If you must send a patient name, send the first initial and last name only. If you include a name, never include any other identifiable information. Bear in mind that the patient name is only valuable if you are searching for a report. In most cases, if you are searching for a voice job, the patient name was not part of the information captured by your vendor, so it is useless.
If you are going to send a screen shot, review it carefully for PHI. Most people don’t think about looking at the screen shot critically before sending it. With multiple demands on time and resources, this just seems like the quickest way of conveying the necessary information. Being in a hurry can get you in trouble.
The safest way of conveying PHI is via phone. While doing so may not always be feasible, if you have a request that requires a great deal of information, this method is best.
Protect your data. Think before you click “send.”
Coming up – why is faxing PHI and reports a bad idea?