Q&A: Protected health information visible on paperwork
Q. I'm working as a hospitalist. Recently we were told by our administration to provide updated information to all admitted patients who can participate in the HCAP survey. The updated info will be written on a medical form that has the physician's name, the patient’s name, diagnosis, tests ordered, and discharge planning. We have to fill out those forms and give them to the patients when we see them during rounds. We are being asked to do this either daily or every other day. My question is, if a patient accidentally puts the paperwork in the trash or on the table, and the information on the paperwork is visible to other patients or family members, is it a HIPAA violation?
A. If a patient leaves his or her own PHI in the trash or on a table or counter and the PHI is viewed by an unauthorized individual, that’s not a HIPAA violation. However, it may be a breach of unsecured PHI. You can’t control what a patient does with his or her PHI, but you and other hospital staff need to be observant. If a member of the staff sees PHI on paper left out where an unauthorized individual could see it or pull it out of the trash, the staffer needs to properly dispose of the PHI.
There is always the possibility that patients will leave their PHI where others can access it. For example, a patient could dispose of his or her PHI in the trash outside of the hospital where it can be retrieved by an unauthorized individual. That would likely not be a breach because once the PHI is in the patient’s hands, the privacy and security of the PHI is the patient’s own liability. A similar situation would be if you sent a patient a copy of his or her designated record set (DRS), then the patient left it in the open after reading it. In short, a patient leaving his or her PHI where others can view it is not a HIPAA violation.
Editor’s note: This question was answered by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Editor Nicole Votta at nvotta@hcpro.com.