In the last post, we saw how the HIPAA Security Rule’s administrative, physical, and technical safeguards help defend your organization against the hydra of security threats. Now, we’ll turn our attention to privacy safeguards.
You know the HIPAA Privacy Rule requires you to keep patients’ protected health information (PHI) private. But it’s easier said than done. Some practices go over-the-top to protect patient privacy. Others don’t do enough. To clear up some grey areas, this post will answer eight questions about privacy safeguards.
Q: What is the purpose of safeguards under the HIPAA Privacy Rule?
A: Privacy safeguards help you prevent uses and disclosures of PHI that violate the Privacy Rule. They should also limit incidental disclosures. There isn’t a single set of safeguards that will work for every organization. Therefore, you can use safeguards that are reasonable and appropriate for your organization. Nevertheless, in every case, you should apply the minimum necessary standard.
Q: What is the HIPAA “minimum necessary” standard?
A: This standard means that staff members should only use and disclose the PHI necessary to conduct their duties, such as patient care, billing, or other operations. Staff should only have access to the smallest amount of information they need to carry out their job.
READ MORE: When Can I Disclose PHI?
Q: Are you allowed to page for a patient using overhead speakers?
A: Yes. However, use the minimum necessary information to communicate with the patient. For example, you can use the overhead speaker to ask the patient to go to the front desk where they can talk in private.
Q: Do staff have to lower their voices at an emergency room desk to prevent others from hearing?
A: No. Staff may speak at a volumne such that they don’t jeopardize patient safety by speaking too quietly. The rule anticipates and allows incidental disclosures in an emergency room. Nevertheless, staff should use the minimum necessary standard.
Q: Does the Privacy Rule allow patients to share a room in a hospital?
A: Yes. Incidental disclosures are inevitable in a shared room that’s only divided by a curtain. Nonetheless, staff should limit how much others overhear by speaking clearly yet quietly.
Q: Are patient medical charts allowed on the outside door of exam rooms?
A: Yes. Staff can leave patient charts on the outside door of exam rooms, as it helps with patient care. However, they should keep it from the public’s view. Privacy safeguards include turning the charts to face the door, restricting access to exam room areas, and escorting visitors.
Q: Do you need to have signs to identify restricted entry areas?
A: No. Signs aren’t required. Nevertheless, they may be a reasonable privacy safeguard to keep visitors out of restricted areas. When possible, you should also monitor and protect patient areas with a lock or other access-control mechanism.
Q: May healthcare providers’ offices or pharmacists leave messages for patients on their voicemail or with family members?
A: Yes. However, leave only the minimum necessary information on an answering machine, such as a name and number to call back. Additionally, you may disclose some information to family members who answer the phone when the patient isn’t home. In both cases, the caller should use their best judgment about what information to leave. Additionally, patients can request confidential communication to have messages delivered another way. If the request is reasonable, you must accommodate.
These are only a few questions about privacy safeguards under the HIPAA Privacy Rule. Before you get lost in the details, remember that the purpose is to protect patient privacy. Furthermore, the Privacy Rule allows you to use measures that are reasonable and appropriate for your organization.
HIPAAtrek helps you manage your HIPAA compliance program from a single intuitive platform. Keep patient privacy top of mind with team training, policies and procedures, and automatic gap analysis. Request a demo or contact us to learn more.