Under the hipaa privacy rule, which use/disclosure of phi is acceptable?

Please use this page as a quick reference for frequently asked questions about HIPAA privacy. We welcome the opportunity to enhance this page with reliable information.

Q. What does the HIPAA Privacy Rule do?

A. The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.

    • gives patients more control over their health information.
    • sets boundaries on the use and release of health records.
    • establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
    • holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
    • and it strikes a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health.

For patients – it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.

    • It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
    • It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
    • It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
    • It empowers individuals to control certain uses and disclosures of their health information.

Q. Who may access confidential information?

A. Only those people who need access for business reasons and who have been authorized to receive it.

Q. What is meant by having access to the "minimum necessary" information to do our jobs?

A. We have access to all information that we need to do our jobs, but we should not have access to unnecessary information.

Q. What is the difference between "consent" and "authorization" under the HIPAA Privacy Rule?

A. The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs.

An “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization.

Q. Who is our privacy officer? Who is our security officer?

A. Privacy Officer: C'Shalla Parker and Security Officer: William McCreary

Q. Why do we need privacy and security officers?

A. They are responsible for the overall protection of patient privacy and the security of all our information, whether on paper, in the computer, or in conversation.

Q. May the hospital use or disclose a patient's entire medical record based on the patient' signed consent?

A. Yes, as long as the Authorization describes, among other things, the information to be used or disclosed by the hospital in a "specific and meaningful fashion," and is otherwise valid under the Privacy Rule.

Q. Who is responsible for maintaining a secure environment and patient privacy?

A. Everyone.

Q. May I discuss patients with my spouse if he/she doesn't work here and promises to keep it secret?

A. No.

Q. Am I permitted to look up my sick father's medical record?

A. No. You are not permitted to look at your father's record unless your father has informed the hospital that that is okay in writing. While parents usually want family involvement in their treatment, it shouldn't be assumed. Sometimes an individual does not want family members to know the details.

Q. Does the HIPAA Privacy Rule permit a doctor to discuss a patient's health status, treatment, or payment arrangements with the patient's family and friends?

A. Yes. The HIPAA Privacy Rule specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment that the patient does not object. Under these circumstances, for example:

    • A doctor may give information about a patient’s mobility limitations to a friend driving the patient home from the hospital.
    • A hospital may discuss a patient’s payment options with her adult daughter.
    • A doctor may instruct a patient’s roommate about proper medicine dosage when she comes to pick up her friend from the hospital.
    • A physician may discuss a patient’s treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room. 

Q. If I have access to view my own medical record electronically is that considered a HIPAA violation?

A. No.  It is NOT a HIPAA violation to view your own medical record. The University of Toledo policy (3364-90-01) states, "Workforce members are permitted to view only his/her own PHI using University computing systems which the workforce member is authorized to access."  A workforce member may NOT access the health record of a family member or friend, including minor children. Please note: a workforce member may not alter or change their own medical record. Refer to Policy Release of Health Information 3364-90-01.

Q. We know that diagnoses and test results are confidential. What other information about a patient is confidential? What about billing records?

A. Essentially any information that is patient-identifiable, even the patient's address, is confidential and must be protected. Only when the patient has agreed may it be used or disclosed for specific purposes. Also, removal of the patient's name does not mean the patient's identity is protected; other information such as a medical record number, a zip code, or a date of birth could still be used for identification.

Q. What patient information can we disclose to any caller or visitor who asks?

A. This depends on what status the patient has requested at admission to the hospital.  A patient can request to have all, some or none of their information provided over the phone to callers. Patients who are listed as "confidential" in STAR do not want their information given out, and we must be careful not to let that happen. Be sure to check the status of the patient in STAR before disclosing information over the phone.

Q. What could happen to me if I talked about patients even though I no longer worked here?

A. We are all required to keep patient information confidential "forever". A privacy breach could result in legal penalties even if you no longer work here.

Q. We know that medical records whether paper or electronic are confidential. What about handwritten notes and phone calls?

A. All forms of information written, spoken, or electronic are confidential and must be protected.

Q. What should you do if another organization asks for access to patient information in your computer system?

A. Forward the request to your privacy (C'Shalla Parker) or security officer (William McCreary). This access must be closely scrutinized first.

Q. How do you know what material is confidential?

A. Hospital guidelines describe what information is confidential, including anything that could be used to identify a patient. Computer user IDs and access codes, payroll information, confidential memos, and many other documents are also considered confidential information.

Please refer to The University of Toledo's Confidentiality of Patient Information policy

Q. How should you dispose of confidential papers?

A. Put them in the locked shredder bin in your area.  Make sure you always leave your work space free of paper PHI before you leave at the end of your shift.

Please refer to The University of Toledo's Medical Record Retention and Destruction; Disposal of Protected Health Information policy.


Computer and IT FAQs related to Information Security

Q. Who is responsible if I "lend" my password to my co-worker and she uses it to look up information on a friend she's concerned about?

A. Both of us have violated our organization's policy. I am ultimately responsible for having shared my password.

Q. Why does everyone have his or her own unique user ID (i.e., log-on ID, etc.)?

A. Each person must have his or her own user ID so that he or she can be held accountable for activity connected to that ID.

Q. What are some important rules for making up "good" passwords? Ones that are hard for someone else to guess?

A. They should be at least six characters long; contain both numbers and letters; never be a real word or a significant number string; never be the name of a fictional character, a car model, or such.

Q. Is it okay to hide your password under your mouse pad or keyboard tray?

A. No. Passwords "hidden" this way can be easily found. This is not taking reasonable care to keep your password secret.

Q. What should you do if a well-known staff physician says that he has lost his password but needs immediate access to his patient's lab results and asks you to look up that patient's records for him?

A. But you should let the physician know you are not comfortable in doing this. And you should report the incident to the security officer. Thus the physician can get his password restored, and you are on record for noting that the patient look-up was done at the physician's request.

Q. What should you do if your computer access doesn't let you see information you need? Is it all right to ask a co-worker to share her password when the need is legitimate?

A. You should talk to your manager and arrange for the necessary access. It is never permissible to use someone else's password.

Q. Is it all right to bring in software from home? Why or why not?

A. Unless it has been approved and virus-scanned, it may contain a virus or other malicious code that could infect your PC and others on the network. Loading of software on PCs can also create issues with software necessary to do business which could render the PC inoperable. It is not in the interest of UToledo to utilize unlicensed software, this creates legal issues

Q. Why is it important to log off when you leave your PC, even if no one else is around?

A. Even at the end of the day, housecleaning crews and others may be in the area and use your access - for which you will be held responsible!

Q. Can you identify two ways to protect the information on your computer screen?

A. Turn the screen away from public view. Use a password-protected screen saver that pops up after a few minutes of idle time and hides the information. Log off when you leave the area.

Q. Why is it important to read the message when you log on that tells you the last time you logged on?

A. If it was at an hour or on a day when you know you couldn't have logged on, someone else may have used your user ID and password. You must report this at once and change your password.

What disclosure use of PHI is allowed under the HIPAA Privacy Rule?

Under HIPAA, a covered entity provider can disclose PHI to another covered entity provider for the treatment activities of the recipient health care provider, without needing patient consent or authorization. (45 CFR 164.506(c)(2).) Treatment (45 CFR 164.501) is broadly defined.

When can you share PHI information?

Information can be shared without consent if it is justified in the public interest or required by law. Do not delay disclosing information to obtain consent if that might put children or young people at risk of significant harm.

When can you use or disclose PHI quizlet?

However, PHI can be used and disclosed without a signed or verbal authorization from the patient when it is a necessary part of treatment, payment, or healthcare operations. The Minimum Necessary Standard Rule states that only the information needed to get the job done should be provided.

What are some examples where PHI can be used and disclosed without a patient's authorization quizlet?

When is the use or disclosure of PHI required, even without patient authorization? 1) When the patient or their representative requests access or accounting of disclosures (with exceptions), 2) When HHS is conducting an investigation, review, or enforcement action.