HIPAA Hints: Privacy Guidelines

Washington University HIPAA Hints

The Washington University HIPAA Privacy Office has created HIPAA Hints to provide guidance for some of the most common privacy issues.

Guidelines for emailing PHI

  1. Encourage patients to use the patient portal for secure electronic communication with their provider.
  2. If email must be used to transmit PHI/PII outside of the secure WUSM/BJC/SLCH environment, the email or the attachment with PHI/PII must be encrypted. (Encryption policy and encryption instructions)
  3. Prior to emailing PHI to a patient, obtain the patient’s consent (link to consent).  Our consent form explains the risks associated with email communication and informs the patient that email communications are considered part of the medical record.

Guidelines for faxing PHI

  1. Always use a cover sheet and do not include PHI on the fax cover sheet.  The fax cover sheet should include:
    1. Sender’s name, facility, telephone and fax number;
    2. Number of pages being faxed, including the cover sheet;
    3. Intended recipient’s name, facility, telephone, and fax number;
    4. Confidentiality statement.
  2. Documents that contain sensitive PHI (mental health, substance abuse treatment, HIV/AIDS, sexually transmitted diseases) should not be faxed.
  3. Confirm the fax number with the recipient prior to sending PHI.

Guidelines for protecting PHI from public viewing

  1. Secure paper charts and other written materials containing PHI/PII so that they are not in view of, or easily accessed by, persons who do not have a need to know the information.  Place them in an overhead bin or a drawer.  When that is not possible, place the documents in a closed file folder or turn them over to minimize incidental disclosure of PHI/PII.
  2. Make sure printers, copiers, and fax machines are located in a secure area.  Promptly remove documents containing PHI.
  3. Do not leave documents containing PHI in public areas (conference rooms, cafeterias, restrooms) or other areas where the PHI could be accessed by a person who does not have a business need to view the information.

Guidelines for preventing incidental verbal disclosures of PHI

  1. Do not discuss PHI in public areas such as waiting rooms, elevators, cafeterias, or hallways/links.
  2. Keep your voice down when discussing PHI in open areas such as patient registration/check-in.
  3. Share only the minimum necessary to accomplish the task at hand.

Guidelines for disposal of documents containing PHI

  1. Dispose of all documents containing PHI in an approved Shred-It container once the document is no longer needed.
  2. Do not dispose of PHI in a blue recycling container or in waste receptacles.
  3. Any personal receptacles/boxes used to store discarded PHI during the day must be emptied into an approved Shred-It container at the end of business each day.

Guidelines for responding to patient requests for records, amendments, and restrictions

  1. Provide the patient with the appropriate paperwork for their request (link to forms).
  2. Send requests for medical records to the Health Information Release Services team; send requests for amendments and/or restrictions to the HIPAA Privacy Office.
  3. Each of these requests has a defined timeline in which we must respond to the patient.  Contact the HIPAA Privacy Office for assistance.