HIPAA and Minimum Necessary Disclosures

The HIPAA Privacy Rule's minimum necessary standard (45 CFR 164.502(b)) states that when using or disclosing PHI (protected health information), or when requesting PHI from another covered entity (a doctor's office, dental practice, etc.), a covered entity must make reasonable efforts to limit the PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.

So how do we limit our PHI access and our PHI requests to the minimum necessary? We look at three basic areas: levels of access to PHI, requesting PHI, and sending PHI.

Giving employees specific levels of access to PHI

Each employee should have only as much access to your medical record system as their job requires. For instance, an employee who only answers the phone and sets appointments generally has no need to see medical histories, x-rays, and other clinical information. Their access to your practice software should therefore be limited to viewing the schedule and creating or changing appointments. Conversely, an employee who only treats patients and never handles billing should not have access to credit card numbers, health insurance plan ID numbers, or other financial information in your systems.

It may seem easier to just give everyone access to everything. However, consider the consequences of that shortcut. If any one employee's software login were leaked or guessed by an outsider, that person would have access to every piece of information in your records system, rather than only the slice that employee's role needed. A breach of that size could cost hundreds of thousands of dollars in fines, patient notification costs, and credit monitoring fees for the affected patients.
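The role-scoping described above can be modelled as a deny-by-default policy: each role lists the record categories and actions it may use, and anything not listed is refused. The script below is an added example, not code from the original post or from J.J. Micro's PracticeProtect product; the role names, record categories and patient data are constructed for illustration. It filters a patient record down to what a role may read, logs every decision (including denials) for later review, and measures the "blast radius" of one compromised login under scoped roles versus the give-everyone-everything shortcut.

```python
"""Deny-by-default, role-scoped access to practice records (added example).

Roles, categories and sample data below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Categories of information a practice system typically holds (constructed labels).
SCHEDULE, CONTACT, NOTES, IMAGING, INSURANCE, PAYMENT = (
    "schedule", "contact_info", "clinical_notes", "imaging",
    "insurance_ids", "payment_cards",
)
ALL_CATEGORIES: FrozenSet[str] = frozenset(
    {SCHEDULE, CONTACT, NOTES, IMAGING, INSURANCE, PAYMENT}
)
READ = frozenset({"read"})
READ_WRITE = frozenset({"read", "create", "update"})

# Role -> category -> permitted actions. Anything not listed is denied, so a new
# category or a misspelled role name fails closed rather than open.
ROLE_PERMISSIONS: Dict[str, Dict[str, FrozenSet[str]]] = {
    # answers the phone and books appointments: schedule and contact details only
    "front_desk": {SCHEDULE: READ_WRITE, CONTACT: READ_WRITE},
    # treats patients, never touches billing
    "clinician": {SCHEDULE: READ, CONTACT: READ, NOTES: READ_WRITE, IMAGING: READ_WRITE},
    # handles claims and payments, never reads clinical content
    "billing": {SCHEDULE: READ, CONTACT: READ, INSURANCE: READ_WRITE, PAYMENT: READ_WRITE},
    # the "everyone gets everything" shortcut, kept only for comparison
    "everyone_everything": {c: READ_WRITE for c in ALL_CATEGORIES},
}


@dataclass
class PatientRecord:
    patient_id: str
    data: Dict[str, str]  # category -> content (constructed sample values)


@dataclass
class AuditLog:
    # (user, role, category, action, allowed)
    entries: List[Tuple[str, str, str, str, bool]] = field(default_factory=list)

    def record(self, user: str, role: str, category: str, action: str, allowed: bool) -> None:
        self.entries.append((user, role, category, action, allowed))


def is_allowed(role: str, category: str, action: str) -> bool:
    """Deny-by-default check: unknown roles, categories or actions all yield False."""
    return action in ROLE_PERMISSIONS.get(role, {}).get(category, frozenset())


def readable_categories(role: str) -> FrozenSet[str]:
    """Everything a role can read, which is also what one leaked login of that role exposes."""
    return frozenset(c for c in ALL_CATEGORIES if is_allowed(role, c, "read"))


def view_record(user: str, role: str, rec: PatientRecord, audit: AuditLog) -> Dict[str, str]:
    """Return only the fields the role may read; every decision, including each
    denial, is written to the audit log so unusual access can be reviewed later."""
    visible: Dict[str, str] = {}
    for category, value in rec.data.items():
        allowed = is_allowed(role, category, "read")
        audit.record(user, role, category, "read", allowed)
        if allowed:
            visible[category] = value
    return visible


def blast_radius(role: str, records: List[PatientRecord]) -> Tuple[FrozenSet[str], int]:
    """What a single compromised login of this role exposes: the readable
    categories and the number of stored field values that fall in them."""
    cats = readable_categories(role)
    exposed_fields = sum(1 for r in records for c in r.data if c in cats)
    return cats, exposed_fields


SAMPLE_RECORDS: List[PatientRecord] = [  # constructed sample data, not real patients
    PatientRecord("p-001", {SCHEDULE: "2024-03-04 09:00", CONTACT: "555-0100",
                            NOTES: "tooth 19 root canal", IMAGING: "pano-2024-02",
                            INSURANCE: "PLAN-AAA-123", PAYMENT: "**** 4242"}),
    PatientRecord("p-002", {SCHEDULE: "2024-03-04 10:30", CONTACT: "555-0101",
                            NOTES: "routine cleaning", IMAGING: "bw-2024-01"}),
    PatientRecord("p-003", {CONTACT: "555-0102", INSURANCE: "PLAN-BBB-456",
                            PAYMENT: "**** 0005"}),
]

if __name__ == "__main__":
    log = AuditLog()
    print("front desk sees:", view_record("alice", "front_desk", SAMPLE_RECORDS[0], log))
    print("denied lookups logged:", sum(1 for e in log.entries if not e[4]))
    for r in ("front_desk", "clinician", "billing", "everyone_everything"):
        cats, n = blast_radius(r, SAMPLE_RECORDS)
        print(f"{r:20s} exposes {len(cats)}/{len(ALL_CATEGORIES)} categories, {n} stored values")
```

Running the script shows the front-desk role exposing 5 of the 13 stored values while the shortcut role exposes all 13; the logged denials are the signal an administrator would review when someone repeatedly reaches for data outside their role.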

Requesting specific amounts of PHI from others

Many practices depend on patient referrals from outside practices. When a referral comes in, medical information is often sent over electronically or by mail. When working with an outside practice, you should only ever request the minimum amount of PHI needed to perform the care you have been asked to provide. If a patient is coming to you for a specific procedure like a root canal or a surgical procedure, it may be tempting to ask for the patient's entire history of care from the referring practice. However, you will likely only need the recent x-rays and the information pertinent to the patient's current condition. Limiting the PHI you ask for also limits your liability if a record is breached in transit. If PHI is lost in the mail, that loss is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised, and the more information the package contained, the larger the breach and the higher the possible penalty from the Office for Civil Rights.

Sending specific amounts of PHI to others when requested

Most practices refer patients to specialists when a patient needs a procedure outside the practice's area of expertise. When they do, the outside specialist will likely request information about the patient: x-rays, medical histories, insurance information, etc. It is therefore important that you and your employees understand the difference between a routine request for information and a non-routine one. A routine request is the type you see all the time: it asks for the amount of information the specialist needs to perform their procedure, and nothing about it makes you question why they are asking for that particular information.

Non-routine requests are different. They may ask for an entire medical history, for a specific piece of information you have never been asked for before, or they may arise from an unusual referral situation your practice rarely sees. In these cases your employees should take a moment to confirm that all of the information requested is really necessary to perform the procedure or to care for the patient effectively. If an employee thinks the request is broader than its stated purpose requires, they should contact the third party and confirm that each piece of information is actually needed. Only if the third party can give a compelling reason for needing the information should you make the exception and send it.

J.J. Micro’s PracticeProtect platform helps your organization understand and follow HIPAA regulations like minimum access to PHI. Give us a call today at 636-556-0009 to schedule a free risk assessment.
