Within a busy medical transcription service organization, individually and collectively, we “handle” a lot of protected health information (PHI) in many different ways for our clients and the patients who entrust it to us. Without occasional reminders related to the importance of securing PHI and being alert to potential risks for breach, it would be easy to become complacent while performing your daily routines. Let’s take a moment to get a short refresher on ways we all can be HIPAA smart!
Here are just a few examples as to how you can make a positive impact by protecting PHI:
1. Faxing of reports is often required by clients, but the technology is not secure for PHI; therefore, it is imperative that the information gets to its intended recipient. When it does not, we have procedures to follow to report this to the client, and when deemed necessary, to the patient as well. So while faxing may seem to be a very common process, it should never be taken for granted.
- Keying in the fax number accurately is critical, so do so carefully.
- If the fax number is dictated, please verify the numbers provided by re-listening to the dictation. If there is any doubt, flag it for verification.
- When sending a fax to a new number, use a fax test sheet that would require the recipient to respond before sending any PHI.
2. Sample reports need to be de-identified. This also applies to portions of reports that are used for testing, training, QA reviews, and MT/editor feedback. Be sure that these reports have had all individually identifiable elements removed from them before saving them on your computer as samples. For a full list of these PHI elements, see below in the appendix section. Even if you believe that your samples are secured in your home office or on your PC, unless they are encrypted, they are not fully protected from potential breach.
3. Email and Instant Messaging. Do not include PHI within the body of an IM, an email or its reference line. Unless you are using an encrypted email service, emails and IMs are an unprotected technology. If you need to communicate any PHI via email, only use the job number or document ID to identify the patient. When this is inadequate for communication, call the intended recipient to discuss the issue.
4. Be proactive. We recognize that the human factor is critical to the success of our company in the service we provide as well as in the compliance we achieve. If you have suggestions for improving the protection of patient information, we would like to hear from you. If you have any questions related to this HIPAA Smart reminder, contact your supervisor for answers!
Remember, compliance is everyone’s job!
Appendix: Individually identifiable elements as provided by HIPAA include:
· Geographic subdivision
· Dates, except year
· Phone number
· Fax number
· E-mail address
· Web URLs
· IP (internet protocol) address
· Social Security number
· Medical record number
· Health plan number
· Account number
· Driving certificate/license number
· Vehicle identifiers/registration number
· Biometric identifiers
· Photographic images (that could identify an individual)
· Medical device identifiers
· Other unique identifier (something so specific that the individual could be potentially identified).