Statement of Privacy Laws and RRMC Policy

It is the legal and ethical responsibility of all RRMC staff, MFC therapist trainees, volunteers, and contractors to use, protect, and preserve personal and confidential patient, employee, and Recovery Road Medical Clinic (RRMC) business information, including medical information used for clinical or research purposes (referred to here collectively as “confidential information”), in accordance with state and federal laws and RRMC policy.

Laws controlling the privacy of, access to, and maintenance of confidential information include, but are not limited to, the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), the California Information Practices Act (IPA), the California Confidentiality of Medical Information Act (CMIA), and the Lanterman-Petris-Short Act (LPS). These and other laws apply whether the information is held in electronic or any other format and whether the information is used or disclosed orally, in writing or electronically.

RRMC policies that control the way confidential information is managed are described here and may also appear in other documents, such as our Employee Handbook, or in memos and instructions issued from time to time.

Business and employee information includes information that identifies or describes an individual, the unauthorized disclosure of which would constitute an unwarranted invasion of personal privacy. Examples of confidential employee and RRMC business information include home address and telephone number; medical information; birth date; citizenship; social security number; spouse/partner/relative’s names; income tax withholding data; performance evaluations; proprietary/trade secret information; and peer review/risk management information and activities.

Medical information includes the following no matter where it is stored and no matter the format: medical and psychiatric records, photos, videotapes, diagnostic and therapeutic reports, x-rays, scans, laboratory and pathology samples, patient business records, such as bills for service or insurance information, visual observation of patients receiving medical care or accessing services, and verbal information provided by or about a patient. Medical information, including Protected Health Information (PHI), is maintained to serve the patient, health care providers, health care research and to conform to regulatory requirements.

Unauthorized use, disclosure, or viewing of, or access to, confidential information in violation of state and/or federal laws may result in personal fines, civil liability, licensure sanctions and/or criminal sanctions, in addition to RRMC disciplinary actions, including termination of employment.



The designated Privacy Officer at RRMC is Joe Frawley, MD. The Privacy Officer will be responsible for promulgation and management of all RRMC information privacy policies and practices.



Overview: Privacy and Confidentiality

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), is a federal law which, in part, protects the privacy of individually identifiable patient information and provides for the electronic and physical security of health and patient medical information, and simplifies billing and other electronic transactions through the use of standard transactions and code sets (billing codes). HIPAA applies to all “covered entities” such as hospitals, physicians and other providers and health plans as well as their employees and other members of the covered entities’ workforce.

Privacy and security are addressed separately in HIPAA under two distinct rules, the Privacy Rule and the Security Rule.

The Privacy Rule sets the standards for how all protected health information should be controlled. Privacy standards define what information must be protected, who is authorized to access, use or disclose this information, what processes must be in place to control the access, use, and disclosure of information, and to ensure patient privacy rights.

The Security Rule defines the standards that require covered entities to implement basic security safeguards to protect electronic protected health information (ePHI). Security is the ability to control access and protect electronic information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction, or loss. The standards include administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of ePHI.


Privacy Rule

Purpose of Privacy Rule

To protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information.


Highlights of Privacy Rule

The Privacy Rule requires that access to protected health information (PHI), which includes electronic PHI (ePHI), by RRMC staff, trainees, volunteers and contractors be based on the general principles of “need to know” and “minimum necessary,” under which access is limited to the patient information needed to perform a job function.

The HIPAA Privacy Rule also accords certain rights to patients, such as:

  • Right to request access to their own health records
  • Right to request an amendment of information in their records
  • Right to receive an accounting of disclosure of their information

Potential Consequences of Violating the Privacy Rule

The Privacy Rule imposes civil penalties for non-compliance and for breaches of privacy that range from $100 to $50,000 per violation, depending on the level of culpability, up to a maximum of $1,500,000 per calendar year for violations of the same provision, in addition to costs and attorneys’ fees. Violations can also bring civil lawsuits, criminal charges for knowing misuse of PHI, and reporting of the individual to licensing boards.

Workforce Requirements

All staff, trainees, vendors, volunteers, and contractors are required to review this policy and sign the Confidentiality Statement. The signed document needs to be stored in a centralized area in the department for a minimum of six years after the last date of service.

Additional documents may be required depending on the amount of contact with patients or protected health information. For guidance, please contact one of the Medical Directors.

Confidential Protected Health Information: Definition and Rights to Access

What is considered confidential protected health information (PHI)?

PHI is individually identifiable health information that can be matched with a patient, is created in the process of caring for the patient, and is transmitted or maintained in electronic, written, or oral form. Examples of PHI are: patient name, address, birth date, age, medical record number, phone and fax numbers, and email address.

What is not considered PHI?

Health information is not protected health information if it is de-identified. De-identified information may be used without restriction and without patient authorization. Under the de-identification rule’s “safe harbor” method, health information is no longer PHI, and may be disclosed, once the 18 identifying data elements listed below have been removed and RRMC has no actual knowledge that the remaining information could be used to identify the individual.


PHI Data Elements

  1. Names
  2. All geographic subdivisions smaller than a state, including street address, city, county, precinct and ZIP Code, except for the initial three digits of the ZIP Code if the geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people; for areas of 20,000 people or fewer the initial three digits are changed to 000
  3. All elements of dates, except year, for dates directly related to an individual, including birth date, admission date, discharge date and date of death; and all ages over 89 and all elements of dates (including year) indicative of such an age, except that such ages and elements may be aggregated into a single category of age 90 or older.
  4. Telephone numbers
  5. Fax number
  6. Email addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate or license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voiceprints
  17. Full-face photographs and any comparable images; and
  18. Any other unique, identifying number, characteristic or code, or combination that allows identification of an individual.


What patient information must we protect?

We must protect all PHI which includes items such as medical records, diagnoses, x-rays, photos and images, prescriptions, lab work and test results, billing records, claim data, referral authorizations, and explanation of benefits. Research records of patient care must also be protected. If health-related information is de-identified, it is not PHI and may be shared without restriction. De-identification means the removal of all personal identifiers.


What PHI can be used for research, public health, or health care operations?

A limited data set is PHI from which 16 of the 18 identifiers above have been removed: items 1 and 4 through 17, plus the street-address portion of item 2. It may retain dates (item 3), city, state and ZIP code (the remainder of item 2), and other codes that are not direct identifiers (item 18). Because a limited data set is still PHI, it may be used for research, public health or health care operations only if the recipient of the data signs a data use agreement with RRMC.
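As an added illustration of the Safe Harbor and limited-data-set rules described above (this is example code written for this page, not RRMC software), the following Python applies the 18-element list to a patient record. It strips the 16 direct identifiers to build a limited data set, and for full de-identification also drops sub-state geography, truncates the ZIP code to three digits (or 000), reduces dates to the year, aggregates ages over 89 into “90+”, and scrubs identifier-like strings from free text. The field names, the sample record and the list of restricted ZIP prefixes are constructed assumptions.

```python
"""Safe Harbor de-identification and limited-data-set filtering.
Added example written for this page, not RRMC software. The field names,
the SAMPLE record and RESTRICTED_ZIP3 are constructed assumptions."""
import re
from datetime import date

# Constructed: three-digit ZIP prefixes whose area holds 20,000 people or
# fewer, which Safe Harbor requires to be reported as "000". The real list
# must be derived from current Census data.
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556", "692", "790", "878", "893"}

# The 16 direct identifiers a limited data set must exclude (items 1 and 4-17
# of the list above, plus the street-address part of item 2).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
SUB_STATE_GEOGRAPHY = {"city", "county", "street_address"}  # item 2
DATE_FIELDS = {  # item 3: full date -> year-only output field
    "admission_date": "admission_year",
    "discharge_date": "discharge_year",
    "date_of_death": "year_of_death",
}
FREE_TEXT_FIELDS = {"notes"}

# Identifiers that commonly leak into free text: SSNs, phone numbers, e-mail
# addresses and full dates.
LEAK_PATTERN = re.compile(
    r"\b\d{3}-\d{2}-\d{4}\b"                      # SSN
    r"|\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"   # 10-digit phone
    r"|\b\d{3}[-.\s]\d{4}\b"                      # 7-digit phone
    r"|[\w.+-]+@[\w-]+\.[\w.-]+"                  # e-mail address
    r"|\b\d{1,2}/\d{1,2}/\d{2,4}\b"               # m/d/y date
)

def _as_date(value):
    """Accept a date or an ISO yyyy-mm-dd string."""
    return value if isinstance(value, date) else date.fromisoformat(str(value))

def zip3(zip_code):
    """Keep the first three ZIP digits unless that area has <= 20,000 people."""
    prefix = re.sub(r"\D", "", str(zip_code))[:3]
    return "000" if len(prefix) < 3 or prefix in RESTRICTED_ZIP3 else prefix

def age_on(birth, as_of):
    """Age in completed years on the as_of date."""
    birth, as_of = _as_date(birth), _as_date(as_of)
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))

def redact_free_text(text):
    """Mask identifier-like substrings. This is a safety net, not proof of
    de-identification: notes still need human review."""
    return LEAK_PATTERN.sub("[REDACTED]", text)

def limited_data_set(record):
    """Drop the 16 direct identifiers; keep dates and city/state/ZIP.
    The result is still PHI and leaves RRMC only under a data use agreement."""
    return {k: redact_free_text(str(v)) if k in FREE_TEXT_FIELDS else v
            for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

def de_identify(record, as_of=None):
    """Apply Safe Harbor so the output is no longer PHI: remove direct
    identifiers and sub-state geography, truncate ZIP to three digits, reduce
    dates to the year, report ages of 90+ as "90+" (dropping the birth year
    for those patients), and redact free text."""
    as_of = _as_date(as_of) if as_of else date.today()
    age = None
    if "birth_date" in record:
        age = age_on(record["birth_date"], as_of)
    elif "age" in record:
        age = int(record["age"])
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEOGRAPHY or key == "age":
            continue
        if key == "zip":
            out["zip3"] = zip3(value)
        elif key == "birth_date":
            if age < 90:  # a birth year would reveal an age of 90 or over
                out["birth_year"] = _as_date(value).year
        elif key in DATE_FIELDS:
            out[DATE_FIELDS[key]] = _as_date(value).year
        elif key in FREE_TEXT_FIELDS:
            out[key] = redact_free_text(str(value))
        else:
            out[key] = value
    if age is not None:
        out["age"] = "90+" if age >= 90 else age
    return out

# Constructed sample record; every value is fictitious.
SAMPLE = {
    "name": "Jane Doe", "street_address": "123 Elm St", "city": "Oakland",
    "state": "CA", "zip": "94612", "phone": "555-0100",
    "email": "jane@example.org", "ssn": "000-00-0000", "mrn": "MRN-0001",
    "birth_date": "1931-05-04", "admission_date": "2019-03-02",
    "diagnosis": "J18.9",
    "notes": "Reached patient at 555-0100 on 3/1/2019; follow up next week.",
}
```

Calling `de_identify(SAMPLE, as_of="2020-01-01")` yields only state, a three-digit ZIP, birth and admission years, the diagnosis, an age of 88 and a scrubbed note; run two years later the same patient is reported as “90+” with no birth year. The regular-expression scrub is a safety net, not proof of de-identification: narrative text can identify a patient in ways no pattern catches, so notes should be reviewed by a person or left out of a release, and the restricted ZIP prefix list must be taken from current Census data rather than the illustrative set used here.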


Who is authorized to access confidential PHI?

Under certain circumstances, PHI may be accessed without patient consent. These circumstances are further described in our “Notice of Privacy Practices.” Doctors, nurses, and other licensed providers on the health care team may access the entire medical record, based on their “need to know.” All other members of the workforce may access only the information needed to do their jobs. In addition, uses and disclosures for Treatment, Payment, and health care Operations (TPO) are permitted without a HIPAA authorization:

  • Treatment of the patient, including appointment reminders
  • Payment of health care bills (claim submission, authorizations, and payment posting)
  • Health care operations and business operations, including medical staff quality activities, research (when approved by a review board and with a patient’s written permission); health care communications between a patient and their physician.

What is the “Minimum Necessary” Standard?

The minimum necessary standard in the Privacy Rule requires that when a covered entity uses or discloses protected health information or requests protected health information from another covered entity, the covered entity must make reasonable efforts to limit protected health information to that which is reasonably necessary to accomplish the intended purpose of the use, disclosure, or request. You are expected to apply the minimum-necessary standard when you access PHI. For example, although physicians, nurses, and care providers may need to view the entire medical record, a billing clerk would likely only need to see a specific report to determine the billing codes. An admissions staff member may not need to see the medical record at all, only an order form with the admitting diagnosis and identification of the admitting physician. You are permitted to access and use only the minimum patient information necessary to do your own job.

When are patient written authorizations required?

To use or disclose PHI for almost any other reason, you will need to obtain a written authorization from the patient prior to access or disclosure. The signed authorization must be placed in the patient’s official medical record. Refer to the “Notice of Privacy Practices” for the list of exceptions to the authorization requirement related to public policy, certain disease reporting requirements, and law enforcement activities. If you still have questions, ask one of the Medical Directors for guidance.

What if I see someone violate the privacy law?

  • It is RRMC policy that each of us has a responsibility to prevent unauthorized or unapproved access to, or disclosure of, patient information. Report concerns immediately to one of the Medical Directors.


Medical Record Access and Control

Medical records are maintained for the benefit of the patient, the medical staff, and RRMC, and shall be available upon request of:

  • treating physicians;
  • non-physicians involved with the patient’s direct care (e.g., nursing, pharmacy);
  • any authorized officer, agent, or employee of RRMC or its Medical Staff;
  • RRMC researchers as part of an approved Committee for Human Research (CHR) protocol that involves medical record review;
  • any other person authorized by law to make such a request (e.g., medical examiners, law enforcement, regulatory agencies);
  • the patient and/or the patient’s authorized representative.

RRMC retains ownership of the medical record, and it may be removed from clinic jurisdiction only by:

  • subpoena, or
  • court order, or
  • statute.

At RRMC, the Privacy Officer is responsible for maintaining control of access to medical records. Medical records are not to be removed from patient care areas except by authorized medical staff.

Patients’ Rights

Patients’ rights under HIPAA are described in the “Notice of Privacy Practices.” The notice is also posted. These rights include:

  • Right to receive a paper copy of the “Notice of Privacy Practices,” which informs patients of their rights and how to exercise them. RRMC is required to make this notice available to patients.
  • Right of Access. Patients may request to inspect their medical record and may request copies.
  • Right to Request an Amendment or Addendum. Patients may file a request for an amendment or addendum to the medical record.
  • Right to an Accounting of Disclosures. Patients have the right to receive an accounting of disclosures, which documents those disclosures for which the patient has not signed an authorization.
  • Right to Request Restrictions. Patients have the right to request restrictions on how we communicate with them or release their information.
  • Right to Complain. Patients have the right to complain if they think their privacy rights have been violated.

If a patient requests any of the above, please refer them to one of the Medical Directors.

Exceptions to the PHI Disclosure Rules

Under HIPAA, there are certain exceptions to the PHI disclosure rules and they are described in the “Notice of Privacy Practices.” They include disclosures which are subject to professional judgment, for public health and safety purposes, for government functions, law enforcement and based on a judicial request or subpoena.

PHI may be used for research, fundraising (demographic information only), public information or health care communication, but special rules apply. For guidance refer to the appropriate policies.

If you are unsure whether a request for information is authorized, please check with one of the Medical Directors.


Right to Authorize Release of Patient’s PHI

HIPAA specifies the content of an authorization to disclose PHI. At RRMC, the authorization process is managed by one of the Medical Directors. Written authorization from the patient (or the patient’s personal representative) is required to disclose or access PHI for uses other than treatment, payment and/or health care operations, unless one of the exceptions described in the “Notice of Privacy Practices” applies.

Business Associates

Under HIPAA, a vendor or third party that is exposed to RRMC’s PHI in the performance of its services for RRMC is a “business associate” and is required to enter into a business associate agreement (BAA) with RRMC pursuant to the HIPAA regulations. The BAA sets forth, in part, the obligation of the business associate related to the privacy and security requirements. We have standard agreements for this purpose.

BAAs are required for companies or persons who perform a function or activity involving the use or disclosure of individually identifiable health information, such as:

  • claims processing or administration,
  • data analysis, processing or administration,
  • utilization review,
  • quality assurance, billing, benefit management, practice management and re-pricing,
  • legal and actuarial services,
  • accounting,
  • data aggregation,
  • management services.

This is not an all-inclusive list. For all vendor or third-party relationships that involve PHI or if you are unsure whether the third-party vendor is subject to HIPAA, please contact one of the Medical Directors.

Clinical and Other Research Involving Human Subjects

Review Board approval is required for all human-subject research, including the creation and administration of research data registries and repositories that contain identifiable information, in order to safeguard the rights and welfare of human research subjects.

Under the Privacy Rule, RRMC may use or disclose PHI for research purposes, and researchers may obtain, create, use and/or disclose individually identifiable health information, if they obtain the appropriate authorizations and approvals for research, which include:

  • Review Board approval for the research, and patient authorization for release of information.

All investigators are expected to adhere to the Privacy Rule standard of collecting only the minimum necessary data and identifiers required to achieve the research aims.

Authorization and Waiver of Authorization

Access to medical records and clinical data systems for recruitment purposes and chart review must meet the Privacy Rule requirements for research authorization. At RRMC, the Privacy Officer controls the release of medical records for chart review and access to medical information, and will require patient authorization for the release of medical information for research purposes.


Non-identifiable Information Options

Alternatively, researchers can collect de-identified data without obtaining an individual’s authorization and without further restrictions on use or disclosure, because de-identified data is not PHI and is therefore not subject to the Privacy Rule. Coded data may be treated the same way only if the code is not derived from information about the individual (for example, it is not a scrambled medical record number) and the key needed to re-identify the record is not disclosed to the researcher.

Protections of Information

HIPAA mandates that systems and processes be in place to protect the confidentiality and privacy of patient information. All research investigators are therefore responsible for every aspect of their research study, including adherence to the policies and procedures for protecting the privacy and confidentiality of identifiable information. Investigators must take appropriate steps, including using and storing research data in a manner that ensures its physical and electronic security (e.g., encryption). A data use agreement or business associate agreement may be required before data can be shared outside RRMC.



Computer Systems & Electronic Transmissions of Information

Purpose of Security Rule

  • To ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains or transmits.
  • To protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI.
  • To protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted by the Privacy Rule.
  • To ensure compliance by its workforce.

Definition of Security

Security is generally defined as having controls, counter-measures, and procedures in place to ensure the appropriate protection of information assets and control access to valued resources. Security is minimizing the vulnerability of assets and resources.

Requirements for Security

Under HIPAA, RRMC is required to secure all access to electronically stored and transmitted protected health information (ePHI).


  • The Privacy Officer is responsible for establishing security policies, procedures, and systems that protect clinic computers from threats and vulnerabilities.
  • Workforce members are directly responsible for employing appropriate and applicable security controls to protect the RRMC electronic information resources in their control:
    • by properly safeguarding PHI from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss;
    • by safeguarding the clinic’s computers from computer viruses and other malicious software;
    • by taking precautions that minimize the potential for theft, destruction, or any other loss of such assets;
    • by ensuring that workstations, ePHI, and portable media (floppy disks, tapes, CD-ROM disks, memory sticks/thumb drives and all other forms of removable media and storage devices) cannot be inappropriately viewed or used by unauthorized persons.


What Steps Must I Take to Safeguard Computer Resources and PHI?

There are several steps that you must take to help protect the privacy and electronic security of PHI, a few of which are listed below:

Password Security

  1. Protect your user ID and password. Do not share or post passwords under any circumstances!
  2. Commit your password to memory.
  3. When choosing passwords, at a minimum, incorporate a combination of letters and numbers into the password.
  4. Immediately change your password if it is accidentally exposed or compromised.
  5. Report all password exposures to your supervisor.
  6. Adhere to established password management guidelines by changing your password periodically and by following instructions when you think your password has been compromised.
  7. Always keep computers password-protected and under lock and key when not in use.


Workstation Security

  1. Log-off or lock access to computers when you leave, even if only for a moment.
  2. Keep the system up-to-date with current operating system security patches and antivirus definitions.
  3. Keep confidential or sensitive information locked away when not in use. File documents in locked cabinets or drawers when you have finished with them.
  4. Ensure that systems meet RRMC minimum security standards.
  5. Ensure that displays of computer stations with access to ePHI are not visible to unauthorized individuals.
  6. Be alert to recognize and report all privacy and security incidents to one of the Medical Directors.


Disposal/Destruction Methods

  1. Never leave sensitive or confidential information in a trash bin. Securely dispose of all papers that contain PHI. ALWAYS follow the proper paper disposal procedure (e.g., use secure bags, shredders, locked ‘Shred-it’ bins, etc.). Locked shredder disposal bins are located throughout RRMC.
  2. Back up data files and securely store backup media; and follow approved RRMC media destruction before permitting devices and media to be transferred, sold or donated. Maintain records to track the movement (transfer or relocation) of devices and media.


Facility/Physical Access and Identification

Always follow established visitor security procedures.

PHI on Specific Electronic Devices or Systems

Email

  1. Email systems are not secure unless you have explicit information that the system is encrypted or otherwise secured.
  2. Be careful what you send via email. Do not send confidential, patient or medical information unless you can de-identify it. Warn patients who communicate with you via email that their confidentiality cannot be ensured.
  3. Use the same care in sending emails that you would with a letter. Do not write anything in an email that you might regret later. Assume emails are never erased.
  4. Do not send attachments containing ePHI without encryption.
  5. Add a confidentiality footer to your messages, such as: **CONFIDENTIALITY NOTICE** This email communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. Distribution, reproduction, or any other use of this transmission by any party other than the intended recipient is prohibited.
  6. If you identify PHI that was sent to you in error, contact the sender. Do not extend the breach by forwarding the ePHI to others.
  7. If you are advised that you sent an email containing PHI to the wrong recipient, confirm that the recipient destroyed all copies and did not forward the information. Immediately contact the Privacy Officer for the next steps.


Fax

  1. Never fax PHI to an unsecured fax machine. (A secure fax machine is one located in a restricted area.) Call ahead to ensure that the intended recipient will pick up the fax.
  2. Always check the destination fax number before faxing.
  3. Use cover sheets containing a confidentiality statement, such as: **CONFIDENTIALITY NOTICE** This communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. Distribution, reproduction or any other use of this transmission by any party other than the intended recipient is prohibited.
  4. Return items that you have received in error (faxed to the wrong location or improperly faxed) and advise the sender of the error.
  5. If you are advised that you sent a fax containing PHI to the wrong number, confirm that the recipient destroyed all copies and did not share the information. Immediately contact the Privacy Officer for the next steps.


Voice Mail and Answering Machines

  1. Consider who has access to your voice mail or answering machine so that others do not access PHI left there.
  2. Messages that you leave on answering machines and voice mail represent RRMC and must be professional.
  3. If you use a speakerphone, be aware of your surroundings and sensitive to the messages being replayed.
  4. If you are advised that you left PHI on the wrong voice mail, confirm that the recipient deleted the message and did not forward the information. Contact the Privacy Officer for the next steps.


Mobile Devices and Removable Media

  1. A mobile computing device is broadly defined and includes all devices and media capable of storing data in electronic format, such as laptops, PDAs, cell phones, Bluetooth devices, memory sticks/thumb drives, external hard drives, and digital cameras.
  2. If at all possible, do not store ePHI on mobile devices.
  3. If ePHI is stored on a mobile device, the data must be encrypted with an approved RRMC data encryption solution.
  4. Never leave devices in an exposed or unsecured area.
  5. Always password-protect mobile devices.
  6. Use physical locks for laptops and other mobile devices.
  7. Keep mobile devices up-to-date with current operating system security patches.
  8. Ensure that the mobile device meets RRMC minimum security standards.
  9. Make frequent, protected backups of data stored on mobile and remote systems.
  10. Use caution when uploading or downloading files to or from mobile devices, such as PDAs and laptops. Adhere to the “minimum necessary” standard and never transfer ePHI over a network to or from a mobile device without encryption.
  11. Off-site work requires greater vigilance to maintain the required level of privacy and security.
  12. Be alert to recognize and report all privacy and security incidents to one of the Medical Directors.
  13. Immediately report lost or stolen devices to the RRMC Privacy Officer, who may contact the Police Department to file a report.


Other Use and Disclosure of Protected Health Information (PHI)

Media Relations

The RRMC Privacy Officer is responsible for the overall management of media relations for RRMC. Any inquiries from reporters, photographers, or other media representatives should be referred to the Privacy Officer. Reporters, photographers, camera crews, and other media representatives cannot be in clinical areas without supervision from one of the Medical Directors.

Photography

Non-treatment photography requires the patient’s consent, and the department must retain the recorded consent for six years beyond the date of last use. Even when you have consent or the use is permitted under HIPAA, it is best practice to de-identify the photograph completely.


Other Federal Laws

In addition to HIPAA, there are other federal laws that govern the release of information, mandate that information be protected, and in some cases require that individuals be granted certain rights relative to control of and access of their information.


  • The Medicare Conditions of Participation (CoP) require that hospitals promote each patient’s rights, including privacy (42 CFR Section 482.13).
  • The Federal Trade Commission, charged with protecting consumers, requires creditors and financial institutions to implement “red flag” programs (16 CFR Part 681) to detect and prevent identity theft in customer and service accounts. These red-flag rules may extend to health care providers that qualify as “creditors” under the rule.
  • The Family Educational Rights and Privacy Act (FERPA) governs the protection of education records, which include student health records (20 USC 1232g). HIPAA specifically excludes individually identifiable health information held in education records from the definition of PHI. Because FERPA records are exempt from HIPAA, all releases from education records must be made in accordance with FERPA regulations.

The federal Department of Health and Human Services, as well as other federal agencies, requires the protection of the privacy and confidentiality of participants in clinical trials and other research.

California State Laws

California has multiple statutes and regulations which require the protection of the privacy of its residents’ confidential information such as credit cards, social security numbers, personal identification numbers (PINs), as well as the protection of their medical and insurance information. Major state privacy laws include:

Confidentiality of Medical Information Act (CMIA) (Civil Code Section 56 et seq.) requires:

  • that the confidentiality of medical information be protected, and establishes protections against disclosures of individually identifiable medical information;
  • that institutions notify California residents of breaches of electronic social security numbers, access codes to financial accounts, and medical and insurance information (together with the state breach-notification statutes, Civil Code Sections 1798.29 and 1798.82);
  • that health care institutions implement safeguards to protect the privacy and confidentiality of medical information. The CMIA also defines personal liability for breaches of privacy: both individuals and institutions are liable for any unauthorized access, use, disclosure, or viewing of medical information, and an individual may face personal fines, civil liability, licensure sanctions, and/or criminal sanctions.

See also: Civil Code Sections 1785.11.2, 1798.29, 1798.82, Health & Safety Code Section 130200

Health & Safety Code Section 1280.15 mandates that licensed clinics and health facilities report any unlawful or unauthorized access to, or use or disclosure of, a patient's medical information no later than 5 calendar days after the breach has been detected. The institution is to report to both the Department of Public Health and the affected patient(s).

Lanterman-Petris-Short Act (LPS) (Welfare and Institutions Code Section 5328 et seq.) provides special confidentiality protections for medical records containing mental health or developmental disabilities information.

Title 22, California Code of Regulations, Section 70707(b)(8), requires acute care hospitals to protect patient rights to the confidential treatment of all information related to their care and stay at the hospital.

Potential Consequences of Violating the State Privacy Laws

The California privacy laws impose administrative penalties and fines for non-compliance and for breaches of privacy which range from $100 to $250,000 per violation for both individuals and the RRMC.


Frequently Asked Questions (FAQs) 

This section is part of our employee training and gives you an idea of what employees’ responsibilities are in relation to their work with you.

What is the Privacy Office and what do they do?

The Privacy Office is responsible for monitoring compliance with federal and state privacy laws and regulations. The Privacy Office is responsible for orchestrating departmental responses in the event of a breach of patient privacy. Additionally, the Privacy Office provides consultation on requests for all privacy-related questions. The Privacy Office tracks and analyzes all privacy activities, and develops training and risk mitigation programs for the entire RRMC enterprise.

There has been a breach of patient privacy in my department. What do I do?

If the personally identifiable information was on a stolen device (a computer or PDA, for example), immediately contact the Privacy Officer to report the theft and indicate whether personal health information is involved.

In every circumstance, you will need to provide the following information:

  • Date and time breach was discovered
  • Name of and contact information for person who discovered breach
  • The specific patient information disclosed
  • The number of patients who had their information disclosed
  • How it happened
  • Actions taken following the detection
  • The department contact for follow-up

The Privacy Officer is responsible for the follow-up including, but not limited to, the investigation, following up with patients, determining and implementing corrective steps and changes in process, following up with third-party vendors, and mailing patient notification letters, as needed. Please Note: Only the Privacy Officer can determine if notification is required.

The above information needs to be reported ASAP. Any delay in reporting the above information to the Privacy Officer delays RRMC reporting to the state and to patients. Delayed reporting to the state and patients beyond the five-day time frame exposes you and RRMC to financial liability in the way of administrative fines and penalties.

How do I know what HIPAA and privacy training people in my department should receive?

Ask the Privacy Officer. All members of a department need to have some type of privacy training, including volunteers.

We want to provide a flyer to a specific patient population, produced by an outside organization (e.g., the American Cancer Society). Can we do this?

We can post the flyer in the waiting room for interested patients to see.

How much personal information can be released to family members over the phone?

According to the Notice of Privacy Practice, you may release personal information to anyone that the patient has identified in writing as the recipient of such information. Refer all others to the contact person the patient designates.

What is my responsibility related to the vendors that I bring into the clinic?

All vendors should check in at the front, and the front desk staff should record their presence. They should be asked to remain in the waiting area until their clinic contact allows them to enter. Do not leave vendors alone in areas with PHI that they do not need to have access to.

My patient does not answer the phone directly. How can I leave a HIPAA compliant message with someone else or a voice mail?

Leave the minimum amount of information needed: your name, phone number, and that you are from RRMC. A recommended best practice is to obtain the patient's preference for follow-up or appointment communication at the initial point of contact.

Can I email my patient related to his or her care?

You can do so but only by following our secure email guidelines. Best practice includes making sure the patient prefers this form of communication and understands the risks associated with it.

How much information can I give an insurance company?

According to the Notice of Privacy Practice, we may use and disclose medical information for the purpose of obtaining payment. Best practice is to only provide what is needed for this purpose. For example, providing lab values is not usually information that should be provided for billing purposes.

How much information can I give a Skilled Nursing Facility (SNF) or Home Health Agency (HHA)?

If the patient is being referred to either of these types of facilities, then you have a patient care need to disclose PHI. You should provide all PHI that you feel they need to know to provide continuity of safe patient care.

What information can be faxed?

Always send the minimum information necessary. The best practice is to confirm the correct fax number prior to sending, include a cover letter with a confidentiality statement, and call to follow up on receipt.

Can I mail my patient's information?

If you have a patient care need to do so, yes. The best practice is to confirm the correct address with the patient prior to sending and to make sure the envelope does not have any identifying information on the outside other than RRMC.

Someone wants to come into a clinical area and observe. How can I make this happen?

Seek the approval of one of the Medical Directors. Requests should be made in writing and should provide a full explanation for the request.

Our patients sign in on a clipboard. Is that ok?

It is ok, if you are using a pull-off label system, so that patient names do not accumulate throughout the day for subsequent patients to view. Alternatively, you can use a thick black marker to cross off the name, so the next person cannot see the previous patients' names.

For whiteboards or marker boards, what information can be listed?

The use of last names and first initials on the board within the department (i.e., not visible to the public) is appropriate. The important considerations are: whether the board is visible to passers-by and whether it contains PHI. If yes to both, consider whether there are other ways that the protected data (including demographic data) could be "reasonably" limited to the minimum necessary to allow the unit to safely manage patient care.


For additional FAQs related to HIPAA, please refer to the U.S. Department of Health & Human Services,