Compliance News You Can Use: Mail & PHI

How much of your incoming or outgoing mail contains patient Protected Health Information (PHI)? Remittance Advices, bills, correspondence with patients, consultation reports, invoices from laboratories or other suppliers, and many other documents contain PHI.  Under the HIPAA Privacy Rule, each of us is responsible for the privacy and safety of patient information in outgoing or incoming mail. Here are some tips on protecting mailed PHI:

  1. Always Check: Medical correspondence contains PHI. PHI elements can include patient demographic information, names, account numbers, addresses, diagnoses, billing information, and over 18 additional items of data. PHI is present in mail.
  2. Right Patient, Right Address, Right PHI? Be Sure: Before mailing any PHI, check every page to make sure the correct patient’s PHI is included. It is very easy to accidentally insert another patient’s material in mailed PHI.
  3. Multi-Tasking Mail Leads to Errors. Frequently, one patient’s information gets inserted into another patient’s records when we are multi-tasking and trying to sort several items of correspondence simultaneously. Best practice: Complete one patient’s mail at a time. Always check for the right patient, right address, right PHI.
  4. Never Forward Mail Without Verifying Contents. Every envelope and package received should be opened, sorted, and date stamped. Never forward a document without reviewing and date stamping it.
  5. PHI Mail Responsibility: Assigned staff members should be in charge of receiving, reviewing, managing, or forwarding PHI. This should be part of their job description. Staff managing mail should be trained to access only the minimum necessary PHI to do their job.
  6. Respect PHI. Don’t browse patient PHI. Our obligation under the HIPAA Privacy Rule is to access only the minimum PHI needed for appropriate healthcare and business use.