Standards for Privacy of Individually Identifiable Health Information
Guidance issued July 6, 2001
Oral Communications
[45 CFR §§ 160.103, 164.501]
Background
The Privacy Rule applies to individually identifiable health information in all forms, electronic, written, oral, and any other. Coverage of oral (spoken) information ensures that information retains protections when discussed or read aloud from a computer screen or a written document. If oral communications were not covered, any health information could be disclosed to any person, so long as the disclosure was spoken.

Providers and health plans understand the sensitivity of oral information. For example, many hospitals already have confidentiality policies and concrete procedures for addressing privacy, such as posting signs in elevators that remind employees to protect patient confidentiality.

We also understand that oral communications must occur freely and quickly in treatment settings, and thus understand the heightened concern that covered entities have about how the rule applies. Therefore, we are taking a two-step approach to clarifying the regulation with respect to these communications. First, we provide some clarification of these issues here, so that covered entities may begin implementing the rule by the compliance date. Second, we will propose appropriate changes to the regulation text to clarify the regulatory basis for the policies discussed below in order to minimize confusion and to increase the confidence of covered entities that they are free to engage in communications as required for quick, effective, and high quality health care. We understand that issues of this importance need to be addressed directly and clearly in the Privacy Rule and that any ambiguities need to be eliminated.
General Requirements
- Covered entities must reasonably safeguard protected health information (PHI) - including oral information - from any intentional or unintentional use or disclosure that is in violation of the rule (see § 164.530(c)(2)). They must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. "Reasonably safeguard" means that covered entities must make reasonable efforts to prevent uses and disclosures not permitted by the rule. However, we do not expect reasonable safeguards to guarantee the privacy of PHI from any and all potential risks. In determining whether a covered entity has provided reasonable safeguards, the Department will take into account all the circumstances, including the potential effects on patient care and the financial and administrative burden of any safeguards.
- Covered entities must have policies and procedures that reasonably limit access to and use of PHI to the minimum necessary given the job responsibilities of the workforce and the nature of their business (see §§ 164.502(b), 164.514(d)). The minimum necessary standard does not apply to disclosures, including oral disclosures, among providers for treatment purposes. For a more complete discussion of the minimum necessary requirements, see the fact sheet and frequently asked questions titled "Minimum Necessary."
- Many health care providers already make it a practice to ensure reasonable safeguards for oral information - for instance, by speaking quietly when discussing a patient's condition with family members in a waiting room or other public area, and by avoiding using patients' names in public hallways and elevators. Protection of patient confidentiality is an important practice for many health care and health information management professionals; covered entities can build upon those codes of conduct to develop the reasonable safeguards required by the Privacy Rule.