Under Title II of HIPAA, Congress passed the Administrative Simplification provisions to protect the privacy and security of protected health information (PHI) and to promote efficiency in the healthcare industry through the use of standardized electronic transactions.
With the exception of certain types of information, we may use and disclose PHI for treatment, payment and business operations if we have provided patients with a Notice of Privacy Practices and the patient has acknowledged receipt of this information.
As a general rule, we must take reasonable steps to limit the PHI that we use and disclose, or that we request from others, to the minimum amount necessary to accomplish the purpose of the use, disclosure, or request.
The following points serve as a reminder of employees’ obligations to protect the privacy and security of patients’ protected health information, as stated in the Baptist Health Employee Handbook and in Policy No. 4.10, “HIPAA Basic Workforce Responsibilities,” which employees sign and attest to during Orientation and annual re-training.
- Protected health information includes patients’ personal, medical, and financial information.
- Protected health information is valuable and sensitive and is protected by law and Baptist Health policies.
- Employees are to access, use and disclose protected health information only as permitted by Baptist policies, e.g., for work-related reasons.
- Employees must make reasonable efforts to limit protected health information used, disclosed or requested to the minimum amount of information necessary to perform a task unless for treatment, payment, or healthcare operation purposes.
- All information concerning patients must be held in strict confidence and must not be discussed with anyone other than those employees who need the information in the performance of job duties. This also includes any protected health information that may be used for training purposes.
- If employees are the unintended recipients of protected health information via fax, email or mail, they should contact the sender so that a decision can be made whether to return, delete or destroy the information.
- Employees have the duty to report all privacy incidents such as breaches, loss of devices/equipment, etc. to their supervisor, the privacy officer, the information security officer or the chief corporate compliance officer. They can also call the Ethics Hotline at (800) 621-5966. This hotline is managed and staffed by an independent third-party vendor and is available 24 hours a day.