
What is my name? I bet the folks sitting in the waiting room at my doctor’s office can tell you my name, my date of birth, my telephone number and address, and my insurance coverage, among other things. When the receptionist called my name, I stood at the counter and she proceeded to ask me for my date of birth, my telephone number, my address, confirmed physician of record, my insurance coverage, and the reason for my visit.
Was she guilty of “monkey business?”
Wait! What?!… What is “monkey business” you ask? It’s illegal or dishonest behavior. It can also include mischief, pranks, shenanigans, or the like. But for the purposes of this blog, “monkey business” is illegal behavior.
The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule outlining the use and disclosure of an individual’s health information by health care providers and other covered entities. The Privacy Rule also provides standards for an individual’s privacy rights.
The Privacy Rule applies to all Protected Health Information (PHI) and Personally Identifiable Information (PII) in all forms including electronic, written, oral, and any other mode of communication. Privacy coverage of oral or verbalized PHI or PII ensures that the information is protected when discussed or read aloud from a computer screen or paper document. As health care providers, we must provide the highest level of protection of the privileged information we encounter.
What is PII?
PII is information that, when used alone or with other relevant information, can identify an individual. Below are some HIPAA personally identifiable information identifiers. This is not an all-inclusive list:

Protecting PHI and PII
The first step in protecting this information is to be aware of who is able to hear discussions. Know your surroundings and who can hear what you are saying. Ensure you are discussing information that is on a need-to-know basis with co-workers. Avoid gossiping or talking with co-workers about patients. Your co-worker may not need to know the information you are sharing, and when gossiping or talking, you risk sharing information that violates the Privacy Rule.
Your workspace or workstation is a haven of PHI and PII. Protect that area with the highest regard. Avoid using your work device (laptop, tablet, etc.) for personal use. Personal online banking, social media, and non-work-related websites open you up to HIPAA breaches, not to mention those darn scammers! Work devices are for work-related activities only and not your personal use.
Close or lock your screen on your laptop or tablet when walking away from it. Shred or destroy PHI; do not throw documents in the trash. Check printers, fax machines, and copier machines often to retrieve documents. Do not leave hard copies of PHI on your desk/workstation. Lock up laptops and tablets and any PHI documents before leaving for the day.
NEVER text patient names or initials using your personal cell phone. Text messages are not secure. Gmail, Hotmail, Yahoo, AOL, and other email domains are not secure either, so avoid sending PHI and PII utilizing personal email addresses.
Let’s revisit my question from the beginning of this post: Was the receptionist guilty of “monkey business?” If you said, “yes”, you are correct! Why? Because she verbally shared not only my PHI, but she also shared, for the entire waiting room to hear, my PII.
Avoid “monkey business” during your workday. Our patients count on us to keep their information private and secure!