Access patient information only for legitimate business reasons

The Health Insurance Portability and Accountability Act (HIPAA), state laws, and our policies prohibit unauthorized access to protected health information (PHI). This means that unless you have a legitimate business reason to access a patient’s record, you should not access, use, or disclose it. This includes records of:

  • family and friends
  • significant others or exes
  • neighbors
  • celebrities and politicians


Access must be the minimum necessary

Even when interacting with PHI for a business reason, you should access, use, or disclose only the minimum necessary to accomplish the task you are trying to accomplish.

  • A billing clerk may need to know that a particular test was performed, but not the results of the test.
  • When making an appointment, a scheduler may need to look at when the previous appointment was, but not the patient’s entire schedule history.
  • A provider may need to access a patient’s family history in the patient’s record, but should not go into the actual records of the family members.


Auditing and monitoring

Our organization takes patient privacy seriously and proactively audits and monitors our employees’ access to patient records. You may be asked to explain your activity; failure to provide a valid explanation may result in disciplinary action.

We are legally required to investigate suspected inappropriate access. Furthermore, we will report privacy breaches to patients and government authorities. Penalties Inappropriate access, use, or disclosure of PHI can lead to penalties from various sources:

  • Federal law: up to and including $250,000 and imprisonment for 10 years
  • State law: California, for instance, provides that individuals can be fined $25,000 to $250,000
  • Employment: up to and including loss of privileges and termination


The penalties are real . . . and serious

Image: HIPAA Penalties

Content provided by Beazley Group | Beazley Breach Solutions

Print Friendly, PDF & Email