One of the most basic rights that a patient has is the right to privacy. Patients have the right to decide to whom, when, and what extent their private individually identifiable health information is disclosed. This information includes but is not limited to medical diagnosis, treatment plans, prescriptions, health insurance information, genetic information, clinical research records, and mental health records.
For patients, a lack of privacy could lead to personal embarrassment, public humiliation, and discrimination.
Responsibility for Protecting Patient Privacy:
Physicians and other health care professionals who work with patients and their confidential medical records must adhere to the policies, procedures, and laws designed to protect patient privacy and confidentiality. All healthcare providers have a responsibility to keep their staff trained and informed regarding HIPAA compliance. Whether intentional or accidental, unauthorized disclosure of PHI is considered a violation of HIPAA.
Remind your staff each meeting about the importance of avoiding disclosure of information through routine conversation; discussing patient information in waiting areas, hallways or elevators; proper disposal of PHI; and access to information be strictly limited to employees whose jobs require that information.
Precautions to Protect Patient Privacy:
There are a number of precautions that health care professionals and facilities must take to prevent accidental or intentional disclosure of protected health information.
- Proper Disposal of PHI: Proper disposal of protected health information (PHI) and other confidential information whether paper or electronic format is a requirement of HIPAA. Paper PHI should never be thrown in the regular trash. Placing PHI in trash bins or dumpsters is not a secure method of disposing of PHI. Electronic PHI is less likely to require disposal. However, if your office uses any type of removable or portable electronic media such as floppy disks, CDs or flash drives, be sure to erase, delete, or reformat any information that is no longer needed.
- Proper Disclosure of PHI: Disclosures made regarding a patient’s protected health information (PHI) without their authorization is considered a violation of the Privacy Rule under HIPAA. Most privacy breaches are not due to malicious intent but are accidental or negligent on the part of the organization. Reasonable safeguards must be taken to minimize the risk of an incidental use or disclosure of PHI. This means that information may be used or disclosed as a result of another use or disclosure.
The HIPAA Privacy Rule details information on how protected information can be used and disclosed and what information is considered PHI. It also identifies the role providers have in informing patients of their privacy rights. The main objective of the notice of privacy practices is to notify patients of their rights and how to exercise those rights.
Technology and Privacy:
There are a number of available technologies designed to secure patient data. Be selective in choosing devices and software that secure data over a wireless connection including firewalls, anti-virus, anti-spyware, and intrusion detection technology. Use extreme caution when accessing data over a remote connection. IT specialists suggest using a two-factor authentication system with security tokens and passwords.
Developing a Medical Office Privacy Policy:
HIPAA laws require the designation of a privacy officer to be responsible for the development and implementation of HIPAA compliance policies and procedures. When developing a privacy policy:
- Develop a formal security management process including the development of policies and procedures, internal audits, contingency plan and other safeguards to ensure compliance by medical office staff.
- Develop policies for verifying access authorizations, equipment control, and handling visitors.
- Develop and provide documentation including instructions on how your medical office can help to protect PHI (for example, logging off the computer before leaving it unattended.
- Creating a social media policy for medical office staff establishes guidelines to protect patient privacy and prevents the violation of HIPAA Privacy Rules.