
Frequently Asked Questions - Previous Questions of the Week

  1. "Record Storage: Storage Areas for Inactive Records that contain PHI must be physically secure and environmentally controlled. If you have such records…

  2. "Being able to recognize protected health information (PHI) in all its formats is essential to maintaining its confidentiality"
     
  3. “Providers who are communicating with patients by e-mail should periodically remind themselves and their patients of the issues covered in the Alert for E-Mail Correspondence”
     
  4. “Disposing of PHI: Paper and Electronic Records”
     
  5. “What rights do parents of minors have under HIPAA?”
     
  6. “Reports containing PHI should be placed in sealed envelopes for greatest security when routing through campus mail.”
     
  7. “I’ve heard that I don’t have to get authorization from the patient to send protected health information to another health care provider – is this true?”
     
  8. “Is it OK to change the Authorization for Release of Information that our clinic uses to make it more specific for our purposes?”
     
  9. “Is it OK to leave a message on an answering machine to notify or remind a patient of an appointment? If so, what can I say?”
     
  10. HOT TOPIC "How can I print out my Certificate of Completion for the training sessions or my Confidentiality Statement?"



TIP: Record Storage: Storage Areas for Inactive Records that contain PHI must be physically secure and environmentally controlled.
REASON:

If you have such records…

...then be aware that moving and storage warehouses, mini-storage facilities, and off-campus personal or rental property of staff members, including garages, homes, mobile homes, trailers, etc., are not acceptable for storage of records containing protected health information.

Storage Areas for Inactive Records that contain PHI must be physically secure and environmentally controlled, to protect the records from unauthorized access and damage or loss from temperature fluctuations, fire, water damage, pests, and other hazards. Approved storage areas include:

  • a. An area inside the clinic or department that meets the criteria above, or
  • b. A professional record storage company.

The University of Florida has negotiated a special contract with a local vendor for secure storage of records and other materials. Call the Privacy Office at 352-273-5096 and speak to Everall Peele if you have questions about storage of records.

If you have questions regarding this subject, be sure to check the UF Privacy Policy and Procedure Manual or contact the Privacy Office at 273-5094.



TIP: “Being able to recognize protected health information (PHI) in all its formats is essential to maintaining its confidentiality.”
REASON:

Individually identifiable health information has a two-part definition:
1. Information about an individual's past, present or future physical or mental health, the provision of health care for the individual, or the payment for health care for the individual, and
2. The information identifies the patient or could reasonably be expected to identify the patient.

Simply put, PHI is any information that allows you to link a person with their health condition.

For this reason, PHI is seldom just one piece of data: it usually takes two or more pieces of data to qualify as PHI. For example, a person's name by itself is not PHI; however, the person's name in a physician's appointment listing is PHI. Also, a diagnosis by itself is not PHI, but the diagnosis along with a clinic visit date is PHI.

The federal government has defined 18 identifiers, any one of which, if present, will cause health information to be considered PHI. These include the following:

  • Names: not only the patient's name, but also the names of the patient's family or household members, employers, and health care providers
  • Dates (except year), including birth, death, admission, discharge, clinic dates of service, etc.
  • Numbers: medical record, account, Social Security, device serial #, certificate/licensure, telephone, VIN, etc.
  • Addresses: geographic subdivisions smaller than a state (e.g., city, county, zip), URLs, IP address numbers, and email addresses
  • Graphics: photographs, video recordings, voice prints, fingerprints

Remember, PHI is not just in medical records!




TIP: “Providers who are communicating with patients by e-mail should periodically remind themselves and their patients of the issues covered in the Alert for E-Mail Correspondence.”
REASON:

Electronic resources, both e-mail and web-based self-help documents, can result in substantial cost savings to clinics and physicians' practices. To avoid unwanted e-mail communications and sticky medicolegal issues, providers should periodically remind themselves and their patients about the following guidelines:

Appropriate Use of E-mail Correspondence: Remind patients that e-mail correspondence should not be used for emergencies or time-sensitive issues. Tell patients when to escalate their concerns to phone calls or office visits. Also remind patients that emails will be printed and included in their medical records.

Clear Patient and Subject Identification: Patients must clearly identify the subject of the email in the subject line (prescription refill, billing question, test results, appointment, etc.) and themselves in the body of the e-mail, using a pre-determined identification method. They should be instructed to not include their Social Security Numbers in health-related e-mails.

Appropriate Content: Highly sensitive or personal information should not be communicated by e-mail (e.g., HIV status, mental illness, chemical dependency, and workers' compensation issues). All parties should also be encouraged to avoid anger, sarcasm, harsh criticism, and libelous references to third parties in their messages.

Loss and Misdirection: Double-check that address line before hitting "send" every time. Include a message from time to time about the potential for loss and misdirection based on the nature of the technology.

Updated: 11/16/2006





TIP: “Proper disposal of Paper and Electronic PHI can help UF avoid such massive catastrophes as wholesale disclosure of electronic protected health information, charges of inadequate privacy protections, identity theft and financial identity fraud.”

REASON:

(updated 1/12/06)

HIPAA regulations (and common sense) require security safeguards for PHI (protected health information). The most obvious safeguard is to destroy documents (that are no longer needed and that don't have to be retained) in such a way that the information cannot be retrieved from them. Shred paper documents that contain PHI, preferably in a cross-cut shredder rather than a strip shredder. Because UF has a recycling policy, placing intact PHI materials in recycling containers is also an approved paper document disposal method. Containers must be closed and locked or, if open, located in a locked room or an area that is monitored by UF staff.

Removing PHI from computers is a much more complex process than just deleting files, emptying an electronic "recycle bin", or even reformatting an entire disk. Removable media (discs, CDs, tapes, and other recording media) should be completely destroyed by cutting, shredding, crushing, defacing or dismantling so that no information can be retrieved or reconstructed. "Sanitizing" a hard drive requires special equipment and programs; it may be easier and cheaper to remove and physically destroy the hard drive before a computer is sold, donated or disposed of.

Look for additional security guidelines at the following site: HSC Information Security Policies and Standards including:

  1. Guidelines for the disposition of electronic PHI or hardware used to store PHI;
  2. Guidelines for removal of electronic PHI from electronic media before the media are made available for re-use.

If you have a HIPAA Question that you would like answered, email Everall Peele: epeele@vpha.health.ufl.edu.




TIP: “Parents of minors need to know about the confidentiality of their child's medical records under HIPAA and Florida Statutes.”
REASON:

Emancipated Minors do not need parental consent for any medical care. Their PHI is confidential and must not be released to anyone, even parents or guardians, without the patient's consent.

An Emancipated Minor is a person under the age of 18 who:

  1. is female, unmarried, and has a minor child, or
  2. is married, or
  3. is enlisted in military service, or
  4. has been declared emancipated by court order.

An unmarried minor female who is pregnant may consent to medical care and treatment relating to her pregnancy. PHI about the pregnancy and any treatment related to it may not be released to anyone without the patient's authorization.

Unemancipated Minors must have the consent of their personal representative for non-emergency medical care. Personal representatives include natural or adoptive parents, legal custodians or guardians, or a person acting as the minor's parent. The personal representative may have access to the minor children's records in these cases, UNLESS they have agreed in advance to a confidential status between the child and the health care provider. That is, if a health care provider asks a personal representative to step out so that the provider may talk confidentially to the minor patient, the representative is, in effect, agreeing to a confidential relationship between the child and the provider, and may only know what the conversation was about if the child authorizes it.

NOTE: The health care provider is expected to use professional judgment in these situations and consider the patient's best interests when deciding whether to share confidential information with a personal representative.

There are other medical situations where minors do not need parental consent for medical care, and in those cases, the PHI related to that medical care could only be shared with parents with the minor patient's authorization:

  1. Medical examination and testing for STDs (including HIV)
  2. Voluntary admission into a substance abuse facility
  3. Blood donations
  4. Emancipated minors (see above)
  5. Outpatient mental health diagnostic / evaluation services (over age 13)
  6. Outpatient crisis intervention therapy / counseling services (over age 13)

(All of these rules are based on Florida State laws, which "preempt" HIPAA rules in these cases, because they give more privacy rights and protections to the patient. See Florida Statutes 384, 394, and 397 for more details.)







TIP: “Reports containing PHI should be placed in sealed envelopes for greatest security when routing through campus mail.”
REASON:

Folding and stapling or taping a report closed to send through campus mail is convenient and easy, but what if that particular report goes astray?

A recent glitch sent a patient report, which had been simply folded and stapled, through several unintended offices before it reached its destination. On the way, the staple came out and the report was just too easy to read by those who did not have a professional need to know the patient's PHI. An anonymous tip to the Privacy Office alerted us to the problem.

If you receive PHI documents in error, always send them back to the point of origin, if possible. If a return address is missing, forward the materials (with an explanatory note) to the Privacy Office.

BONUS TIP:

Stamping an envelope "Confidential" makes it more vulnerable to curiosity - stamp the document inside the envelope instead.






QUESTION “I’ve heard that I don’t have to get authorization from the patient to send protected health information to another health care provider – is this true?”

ANSWER

(updated 1/12/06)

Yes, it is true - within certain guidelines. You do not need authorization from the patient to send protected health information from one health care provider to another, as long as it is for treatment purposes. The Privacy Regulation specifically states that a covered entity “is permitted to use or disclose protected health information” for “treatment, payment, or health care operations,” without patient consent; however, Florida Statutes require the patient's permission to use or disclose PHI for payment purposes. Such permission is usually obtained within the Consent for Treatment.

Unfortunately, providers outside of the UF/Shands health care system have been harder to convince concerning this new aspect of the regulation, and continue to ask for authorizations before they will share information. They should be reminded that they are hindering the delivery of quality health care, if they are insisting on unnecessary processes.

Keep in mind that authorizations are still required for records containing information about sexually transmitted diseases, HIV/AIDS, mental health, substance abuse, and genetic conditions. You may obtain a copy of the UF Authorization to Use and Disclose Protected Health Information here.



 

QUESTION “Is it OK to change the Authorization for Release of Information that our clinic uses to make it more specific for our purposes?”
ANSWER

No, it is not OK to change UF’s Authorization to Use or Disclose Protected Health Information. The form was designed for both releasing information and for requesting information, when necessary. It was also designed to specifically include the “six required elements” and the “three required statements” prescribed by the federal Privacy Rule. The form also provides spaces for verifying the identity and authority of persons authorizing the use or disclosure, another process required by the federal regulations. Click here to view an abridged version of the portion of the federal regulations dealing with authorizations (§ 164.508).

Clinics and other health care providers should keep in mind that authorizations should not be needed that often, as both the federal government and UF policy state that protected health information may be used and disclosed (without the patient’s written authorization) for treatment, payment, and health care operations purposes. Click here to view the portions of the federal regulations dealing with permitted uses and disclosures (§ 164.502 and § 164.506). Florida State statutes require the patient's authorization to use or disclose PHI for payment purposes; this is usually obtained along with the consent to treat the patient.

If you would like to view answers provided by the Office of Civil Rights to questions about Authorizations, click here. Enter “authorization” in the Search Text box.



QUESTION “Is it OK to leave a message on an answering machine to notify or remind a patient of an appointment? If so, what can I say?”

ANSWER

(updated 4/26/05)

Yes, it’s OK to leave a message for appointments: callers should leave enough information to define the purpose of the call and to be helpful to the patient. You may always use the physician’s or treating practitioner’s name, and you may include the name of the clinic or department, unless it could be considered a “sensitive” clinic (related to mental health, HIV, or substance abuse). You may also say what time the appointment is and leave a callback number in case of questions or changes. For example:

“Hello, this is Jane Smith from Dr. XYZ’s office (or "the XYZ clinic"), confirming your appointment for April 30th at 2:30 PM. If you need to change this or if you have any questions, please call me at xxx-xxxx.”

Never include test results, lab results, the names of diagnoses or specific procedures, or names of medications in answering machine messages, unless you have the patient's documented authorization to do so. The documentation may be in the form of an authorization form signed by the patient, or the written notes of a verbal conversation with the patient. An authorization is preferred.

Be sure to ask the patient during your first face-to-face or verbal contact if it’s all right to leave a more detailed message regarding appointments on their answering machine. If the patient agrees, then more information may be recorded. If the patient does not agree, then work out a different method to communicate with the patient at that time.

Finally, there are always emergency situations that arise which may require leaving more information on an answering machine than has been advised above. In these cases, use professional judgment, considering the patient's best interests as well as their privacy rights, and document the decision and the reasoning in the patient's medical record.


 
