
HIPAA Privacy Regulations

The federal government passed comprehensive privacy regulations to protect individually identifiable health information, known as protected health information or “PHI.” The privacy regulations are part of the Health Insurance Portability and Accountability Act (HIPAA) and became effective in April 2003.

Some aspects of the rule give specific instructions as to what can and cannot be communicated regarding patient information, while other areas of the rule give facilities the ability to establish “reasonable” procedures to protect patient privacy.

Key Elements

The privacy rule governs the ability to use and disclose PHI in any form (electronic, paper, or oral).
Covered entities can use or disclose PHI:

  • To the individual
  • For treatment, payment, or health care operations
  • For treatment activities of a health care provider

Incidental disclosures are permitted (for example, a patient’s roommate overhears a conversation between the patient and a nurse) as long as “reasonable” measures are taken to prevent this type of disclosure (for example, pulling the curtain in the room).

Minimum Necessary should be your guide. The privacy rule states that a covered entity must make reasonable efforts not to use or disclose more than the minimum amount of PHI necessary to accomplish the intended purpose, use, or disclosure. This means that you only access the information you need to do your job. For example, a health care worker does not need access to the entire medical record if he/she only needs the information on the face sheet to do the job. In another example, the entire medical record is not sent to a requestor who really only needs the discharge summary for the purpose of their request.

Just because you have access to information does not mean you should access that information. It is against our organizational policies to access your own patient information or that of a family member (i.e., looking up your own records in Affinity or Cerner). If you need access to this type of information, contact Health Information Management and we can assist you in obtaining the appropriate authorizations.

Patient Rights

Patients have a number of rights regarding their PHI:

  • To authorize the use and disclosure of PHI
  • To inspect and receive a copy of their own PHI
  • To receive an accounting of certain PHI disclosures
  • To request an amendment of their PHI
  • To file a complaint about alleged violations
  • To request restrictions on use and disclosure of PHI
  • To request communications of PHI be by alternative means or at alternative locations
  • To receive a notice of privacy practices


Protecting patient privacy requires the efforts of all staff.

  • Only access confidential information if you have a “need to know” to do your job
  • Do not discuss patient information in public areas (elevators, cafeteria, etc.)
  • Dispose of confidential patient information in designated “shredding” containers
  • Refer privacy related questions or concerns to your supervisor or Jill Bustin (x4355)

HIPAA Security Regulations

The federal government has passed a comprehensive set of HIPAA regulations that deal with the protection of patient health information. Two parts of the HIPAA regulation are the Privacy Regulations and the Security Regulations. The HIPAA security regulations that went into effect on April 20, 2005, deal with securing the patient Protected Health Information (PHI) while it is stored in an electronic format.

This Electronic Protected Health Information (EPHI) could be stored on computer systems or other forms of electronic media such as CDs, memory sticks, hard drives, and e-mail, as well as portable devices such as laptop computers or PDAs, and must be secured to assure privacy. The following is a list of things you should understand to help protect this information.

Protected Health Information (PHI)

Protected Health Information includes any information created or received by a covered entity that relates to:

  • The health or condition of an individual
  • Any health care provided to an individual
  • Any billing or financial information for health care
  • Any information that identifies an individual or provides a way to identify an individual (e.g., Social Security number, name, e-mail address, street address, etc.)

Computer Security

  • Always lock your workstation or log out of the system when walking away from your work area. This will help prevent others from accessing Protected Health Information.
  • NEVER give anyone your login ID or password.
  • NEVER allow anyone to access your computer while you are logged into the network. Your login ID is your identity on our network. Access to PHI is audited by your login ID.
  • Keep your computer screen turned away from others while accessing PHI so they cannot read over your shoulder.

Electronic File Storage

  • Do not download PHI to other forms of electronic media such as CDs, memory sticks, laptop computers, etc. without pre-authorization from the IT Department.
  • NEVER download PHI onto your personal computer.

E-Mail containing PHI

Any e-mail that contains PHI is REQUIRED to be encrypted. You can encrypt e-mail messages by clicking on the “Encrypt ZixSelect” button in your Outlook e-mail.

Auditing Access to PHI

  • You should only access the patient information you need to perform your job duties.
  • The IT department will be performing periodic audits of access to PHI.
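The audit described above (PHI access tied to a login ID, the ban on looking up your own or a family member’s record, and the minimum-necessary rule) can be checked mechanically over an access log. The following script is an added example, not the hospital’s or the IT department’s own audit tooling; the log line format, the role-to-record-section map, the HR lookup tables and the sample log lines are all constructed assumptions.

```python
"""Review a PHI access log for policy exceptions.

Added example, not the organization's own audit tooling. Log format,
role map, HR tables and sample records are all constructed assumptions.
"""
from collections import namedtuple

AccessEvent = namedtuple("AccessEvent", "timestamp login_id patient_mrn section")

# Constructed: the record sections each role needs to do its job
# ("minimum necessary"). Registration only needs the face sheet.
ROLE_ALLOWED_SECTIONS = {
    "registration": {"face_sheet"},
    "nurse": {"face_sheet", "orders", "notes", "meds"},
    "him": {"face_sheet", "orders", "notes", "meds", "discharge_summary", "billing"},
}

# Constructed HR data: login -> role.
STAFF_ROLES = {"jdoe": "registration", "asmith": "nurse", "mlee": "him"}
# Constructed HR data: login -> the employee's own patient MRN, if they are also a patient.
STAFF_OWN_MRN = {"jdoe": "MRN-1001", "asmith": "MRN-2002"}
# Constructed: family members' MRNs declared to HR, per login.
STAFF_FAMILY_MRN = {"asmith": {"MRN-2003"}}


def parse_log(lines):
    """Parse 'timestamp|login_id|patient_mrn|section' lines (constructed format)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        timestamp, login_id, patient_mrn, section = line.split("|")
        events.append(AccessEvent(timestamp, login_id, patient_mrn, section))
    return events


def audit(events):
    """Return (login_id, patient_mrn, reason) findings for each policy exception."""
    findings = []
    for ev in events:
        # Every access is keyed to a login ID; an unknown login cannot be
        # matched to a role and is itself a finding.
        role = STAFF_ROLES.get(ev.login_id)
        if role is None:
            findings.append((ev.login_id, ev.patient_mrn, "unknown-login"))
            continue

        # Policy: staff may not look up their own record or a family member's.
        if STAFF_OWN_MRN.get(ev.login_id) == ev.patient_mrn:
            findings.append((ev.login_id, ev.patient_mrn, "self-access"))
        elif ev.patient_mrn in STAFF_FAMILY_MRN.get(ev.login_id, set()):
            findings.append((ev.login_id, ev.patient_mrn, "family-access"))

        # Minimum necessary: a section the login's role does not need.
        if ev.section not in ROLE_ALLOWED_SECTIONS[role]:
            findings.append(
                (ev.login_id, ev.patient_mrn, f"beyond-minimum-necessary:{ev.section}")
            )
    return findings


# Constructed sample log: one clean face-sheet lookup, one registration clerk
# opening clinical notes, a nurse opening her own and a relative's chart,
# an HIM lookup that is in scope, and an access from an unrecognized login.
SAMPLE_LOG = [
    "# timestamp|login_id|patient_mrn|section",
    "2025-01-06T08:02:11|jdoe|MRN-3003|face_sheet",
    "2025-01-06T08:05:40|jdoe|MRN-3003|notes",
    "2025-01-06T09:12:03|asmith|MRN-2002|meds",
    "2025-01-06T09:13:20|asmith|MRN-2003|notes",
    "2025-01-06T10:00:00|mlee|MRN-3003|discharge_summary",
    "2025-01-06T10:01:00|unknownuser|MRN-3003|face_sheet",
]


def run_sample_audit():
    """Convenience wrapper: audit the constructed sample log."""
    return audit(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for login_id, mrn, reason in run_sample_audit():
        print(f"{login_id:12} {mrn:10} {reason}")
```

The findings are the raw material for the periodic review, not a verdict: a flagged access may have a legitimate explanation (a break-the-glass emergency, a role change not yet reflected in HR data), so each finding should be routed to the Privacy or Security Officer named in the Incident Reporting Process for follow-up rather than acted on automatically.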

Incident Reporting Process

If you are aware of any HIPAA violations or suspicious activity, you are responsible for reporting it to one of the following people:

Jeff Burns – Security Officer (x4209)
Jill Bustin – Privacy Officer (x4355)
Compliance Hotline – (616.356.1891)

© 2015 Mary Free Bed Rehabilitation Hospital, Grand Rapids, MI | 1.855.MFB.REHAB