
Your HIPAA reminder: Need to know vs. want to know

07 Jan 2018

By: Ellen Hampton, Corporate Integrity Director


Even when we use protected health information (PHI) for treatment purposes, HIPAA requires us to use the minimum amount of information required to accomplish the intended purpose. Safety and patient care come first, but we need to distinguish between need-to-know and right-to-know.

You may feel that you have a right to know this information, but HIPAA only allows access to PHI based on what you need to know to treat patients. If you are not the treating provider, stop and think before you access the record.

Here’s a key question to ask when dealing with PHI. Pause and ask yourself, “What hat am I wearing?” We often have many roles, so our ability to use and disclose PHI depends on our role at the time. For example, if you’re on a nursing unit and you notice a friend has been admitted, stop and think, “Am I working in my role as a member of the care team? Or am I here as a friend?” We can only access and share PHI with the need to know for our job roles. Accessing PHI for a friend is a HIPAA violation, and may lead to corrective action, up to termination.

Another example would be if you act as a member of a committee or an interdisciplinary team. As a team member, you may discover confidential information you are dealing with in your home department or clinic. This is a good time to stop and think, “What role am I in? Am I acting as a committee member?” If so, then it’s important to leave confidential information at your home department or clinic. The committee may not have a need to know.

Questions? We’re here to help. Call or email Ellen Hampton, Director of Corporate Integrity, Safety and Risk Management at 503-561-2494 or Sue Xiong, Corporate Integrity Analyst and Supervisor at 503-814-2826, or stop by our office at Building B, 2nd floor, south hallway.