July 2022 – Minimum Necessary Access

This month’s lesson is short, but it is a good reminder. One of the foundations of any security program is minimum necessary access, also known as least privilege: each user should have access only to the minimum information they need to carry out their job. There are two main reasons for this. The first is that if your account is ever compromised, the attacker is limited to what you can see, because they can only access what you can. The second is to protect the information itself, and this is where the HIPAA rules come into play.

Let me give you an example. Imagine your practice treats a celebrity. Everyone knows the celebrity was in the practice, but you want to know WHY they were there. If you aren’t involved in their treatment, you don’t have a legitimate reason to view their record; curiosity is not part of the patient’s treatment. This is why limiting access to a patient’s chart to those involved in their treatment is so important. Equally important, even if you are involved in the patient’s treatment, you may not disclose their information to anyone not directly involved, except where required by law.

Under HIPAA, the minimum necessary standard does not apply to the following uses and disclosures of a patient’s PHI:

  • Disclosures to or requests by a health care provider for treatment purposes.
  • Disclosures to the individual who is the subject of the information.
  • Uses or disclosures made pursuant to an individual’s authorization.
  • Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.
  • Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.
  • Uses or disclosures that are required by other law.

Please keep these in mind when handling patient information.