Privacy Tips
Overview
To assist in keeping our workforce members up to date on various HIPAA privacy topics, we email Privacy Tips to all workforce members throughout the year. Some of these Privacy Tips focus on new areas of privacy while others remind our workforce members of issues in which we have seen an increase in activities or questions. We have included some past published Privacy Tips here.
Complying with the Minimum Necessary Requirement
The minimum necessary standard requires us to take reasonable steps to limit the use or disclosure of, and requests for, protected health information (PHI) to the minimum necessary to accomplish the intended purpose. Simply stated, in compliance with HIPAA, we should use the minimum necessary amount of PHI to accomplish the purpose of such access.
There are exceptions when the minimum necessary requirement does not apply. It does not apply to (1) treating providers in the course of providing health care services and (2) disclosures of a patient's own PHI to that patient or made at the patient's request.
In addition to complying with the minimum necessary requirement, PHI must not be accessed unless such access is related to treatment, payment or healthcare operations in accordance with one's job role. This applies to the intentional or unintentional sharing of PHI with our colleagues.
Three key takeaways are:
- Do not access PHI unless you are authorized to do so;
- Use the minimum necessary amount of PHI to accomplish your authorized role or task unless you are providing treatment to a patient; and
- Do not forward PHI in emails or share it in conversations with others unless they are also authorized to have access to such PHI under HIPAA.
Complying with USF Policy on Email Use
Here are four key reminders to comply with USF policy related to the use of email:
- All employees must use an official USF Information Technology managed and supported email account (@usf.edu) when conducting USF business via email. Please refer to USF Policy 0-521.
- Emails containing protected health information (PHI) (patient name, MRN, etc.) must be encrypted when sent (or forwarded) to a non-USF email address. When emailing PHI to either Tampa General Hospital or Moffitt, encryption is unnecessary because there is channel encryption between our institutions. For more information regarding encryption, contact USF IT Cybersecurity and Safe Computing.
- Do not forward to or copy individuals on emails containing PHI unless they are also authorized to access such PHI as part of their job duties.
With some exceptions, emails are subject to public records requests.
Violations of these email policies are subject to progressive disciplinary actions.
Emails Containing Protected Health Information (PHI)
| Recipient Type | Required Safeguard/Best Practice |
|---|---|
| Outside facility (other than TGH or Moffitt), e.g. to nancyg@labcorp.com | Encryption: Must use encryption by typing “Encrypt:” in the subject line of the email. This must be followed each time you email PHI. |
| TGH or Moffitt, e.g. to pattym@usf.edu or thomasw@usf.edu | No Encryption Needed: Email communications between USF and Tampa General Hospital or between USF and Moffitt do not need to be encrypted because those emails are transmitted within an encrypted tunnel. |
| Patient, e.g. to williamp@gmail.com | MyChart: the best practice is to request that all communications with patients go through the patient portal, MyChart; or Encryption: use encryption as stated above; or lastly Consent Required: if the patient insists upon communication via email without encryption, the following statement with their email consent must be used: “USF Health cannot and does not guarantee the privacy or security of any messages being sent over the internet. There is a potential that emails sent over the internet can be intercepted and read by others. If this concerns you, you should not communicate with me through email. By responding to this email, you consent to email communications.” |
| Employee to Employee, e.g. to markclarker@usf.edu | No encryption required: this email address is behind the USF firewall. |
HIPAA and Coronavirus
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has provided the attached bulletin to ensure everyone is aware of the ways that patient information may be shared under the HIPAA Privacy Rule in an emergency situation or an outbreak of infectious disease such as Coronavirus (2019-nCoV). Posting patient protected health information through a social media site or sharing such information without a treatment, payment or healthcare operation is still prohibited under HIPAA. Additionally, any announcements regarding our patient population should be made by leadership or their designee only.
For additional information, please see this bulletin prepared by the OCR.
HIPAA and Social Media
Posting well-meaning and limited information on social media can result in a HIPAA breach or a violation of our social media policy. Discussing a difficult day in the clinic or an unusual case on social media may result in a privacy breach if it discloses protected health information. Even minor details about a patient can result in the patient being identified. Additionally, unprofessional posts can diminish or destroy a hard-earned professional reputation. We should hold ourselves to the highest professional standards while fostering an inclusive environment of safety and trust among our patients, each other and the community.
Breach Example: After leaving work, a North Carolina hospital employee commented on social media in reference to a deceased car crash victim, “Should have worn her seatbelt . . .” The employee later posted “Yepp. I was working today when they came in the ER.” The employee was fired in response to this HIPAA violation and notification of the breach was required.
See examples on page 3 of the USF Health standard practice and procedure on HIPAA and Social Media Use.
HIPAA-Compliant Texting of PHI for Clinical Treatment
HIPAA requires certain safeguards when texting or emailing protected health information (PHI). Today’s Privacy Tip addresses safe texting of PHI related to medical decision making and treatment among providers and clinical support.
The HIPAA-compliant solution is Epic Secure Chat! Not only does Epic Secure Chat comply with HIPAA requirements to keep our patients' PHI safe, it also ensures information used to make treatment decisions is saved in the medical record, as is required. Utilizing Epic Secure Chat eliminates the extra step of uploading treatment information from another source into Epic, and it eliminates the risk of exposing PHI and causing a potential breach. Haiku should be used to take consented patient photographs.
Additionally, Microsoft Teams is another safe option for sharing PHI. Please note that other HIPAA-compliant texting platforms may be required or utilized by our providers when practicing at other institutions. Using non-HIPAA-compliant communication platforms and apps is not permitted for transmitting or sharing any form of PHI (for example, using WhatsApp or iMessage for sharing treatment information or patient photographs is not permitted). The only exception permitted under HIPAA is when a patient consents to the use of a non-secure communication method to share PHI with them at their request.
Keeping PHI safe while working in Microsoft Teams
HIPAA-Compliant Platform: Microsoft Teams is a HIPAA-compliant communications platform through the combination of Microsoft's controls and the internal security controls put in place by our USF Health security team. We also have a Business Associate Agreement (BAA) with Microsoft for Teams use.
Doximity Use: While some within USF Health have used Doximity as an alternative telehealth platform, please note that there may come a time when we can no longer use Doximity. Doximity will not enter into a BAA with an organization unless they agree to enter into a monetary contract after the end of the calendar year. Under a COVID-19 waiver, USF Health is currently not required to have a BAA in place with a telehealth platform; however, if the waiver is revoked, we will not be able to continue utilizing Doximity. If such should occur, timely notice will be provided to everyone to cease the use of Doximity.
Permissions within Teams: When conducting a telehealth visit, under “permissions,” please make sure the box to “allow everyone in your company to view this video” is not selected. This option was selected in a prior telehealth visit; however, through an internal audit we determined that only those who were authorized to attend the telehealth visit were part of the call.
Introduce Yourself: As Renee mentioned on the conference call on Thursday, please make sure you introduce yourself and your role on a telehealth call or video. This simple introduction will help our patients feel more at ease during their visit knowing we are all protecting the confidentiality of their visit.
Be Cognizant of Your Surroundings: While working remotely or in clinic, please be mindful of your surroundings while conducting a Teams telephone or video visit with a patient. Please confirm that no protected health information (PHI) from other patients is viewable to the patient and that background noise is kept to a minimum.
Pictures/Messages in Teams: Please inform patients at the beginning of a telehealth visit that any pictures or messages they want to send to the provider should be sent through MyChart. If, however, pictures or messages are sent via Teams, please make sure those photographs or messages are saved within Epic if they are part of patient treatment.
Written Communications: Written communications with patients should not be through Teams but through MyChart. Additionally, if any PHI is sent via email it must be encrypted. To encrypt, please type “encrypt:” in the subject line of the email. There are no COVID-19 waivers that allow us to be more relaxed when emailing PHI.
Telehealth Appointments: When sending telehealth appointment invites, please only use the patient’s first and last initial along with the proper MRN. I have heard patient concerns when their first and last initial along with date of birth are used for an appointment. Please do not include date of birth in the email.
Teams Data: All Microsoft Teams data is encrypted at rest and in transit. Teams also has audit logs in case we have to conduct an investigation.
Confirm Patient Identity: One of the easiest ways to keep PHI safe is to make sure you are speaking with the correct patient. Please make sure identity is being confirmed by each USF team member that interacts with the patient during a telehealth visit.
Workplace Team Chat: Please make sure your internal chats with other workforce members within Teams are professional. Even though Teams chats have a relaxed feel, those messages are retained.
Working Remote: Many of us are using our own devices while working remotely. Remember that downloading PHI to your personal device is not permitted unless you have obtained express written permission with safety measures in place. All PHI should be stored safely.
Remote Printing: If printing while remote is absolutely necessary, please print the least amount of PHI possible. All PHI must be secured until it can be shredded by placing it into a locked shred bin. Please do not leave PHI in your vehicle.
Targeted Attacks and Fraud: Due to the sensitive nature of healthcare data and COVID-19 research, it has been reported that there are increased targeted attacks, including ransomware attacks, on healthcare organizations to obtain PHI and COVID-19 research data. The FBI and the Department of Homeland Security have warned the healthcare sector that cybercriminals are targeting healthcare with email phishing attacks exploiting fear about COVID-19. We need to remain vigilant that we are not exposing our systems to cyber criminals. Be wary of emails with unsolicited attachments, even if you know the sender. Slow down and confirm authenticity prior to opening any attachment. Google recently detected 18 million malware and phishing Gmail messages per day related to COVID-19 and more than 240 million COVID-related spam messages. If in doubt, reach out to IT to confirm the validity of a suspicious email. We recently received a request for proxy access for two patients' files and determined the request was fraudulent. We believe this individual was attempting to steal PHI. If you suspect fraud or a security risk, please let your supervisor and IT know so it can be investigated.
Making the Rounds
The Privacy & Healthcare Civil Rights Compliance Program will begin conducting informal unannounced clinical walk-throughs on at least a quarterly basis. During these walk-throughs, we will allocate enough time to meet team members, answer any privacy questions, or discuss any concerns they may have. These walk-throughs will assist us in identifying any privacy risks within each clinic. We can then partner with the clinic to find a workable solution to reduce the risk.
Additionally, we would welcome an invitation to schedule time to meet with your clinic’s team members in person to learn how we can best support your clinic’s privacy needs. We can participate in a morning huddle to provide guidance on a privacy issue you may be currently struggling with, engage in a question-and-answer session, or present a privacy hot topic at a lunch and learn meeting.
If you would like to schedule a lunch and learn presentation, question-and-answer session, or have us provide a brief privacy hot topic update at a morning huddle, please email us at either privacy helpline: privacy@usf.edu or privacy@usftgp.org.
Morsani College of Medicine (MCOM) Student Observers (NEW!)
Privacy & Healthcare Civil Rights Compliance is launching our new Morsani College of Medicine (MCOM) Student Observer Program today, March 13, 2024. This is an exciting new opportunity for our MCOM students to shadow in our clinics through our new expedited process.
To be approved, the MCOM Student:
- Must be currently enrolled at MCOM;
- Must email the completed and signed two-page MCOM Student Observer form to privacy@usf.edu; and
- Must have on file with Medical Health Administration (MHA) (mha@usf.edu) a TB test obtained within the last 365 days.*
Click here to obtain the MCOM Student Observer Policy and Form. The form is two pages and must be signed by the MCOM Student and Sponsor. Once completed, please email both pages of the form to privacy@usf.edu.
Approval to observe, on average, should take no longer than twenty-four (24) hours! If you have any questions or need a copy of the policy or form, please reach out to our privacy helpline email at privacy@usf.edu or call us at 813-974-2222. Looking forward to working with the MCOM Students.
* If the MCOM Student does not have a TB Test result on file within the requisite time-period, MHA will provide further guidance (or email mha@usf.edu).
Observer Program
USF Privacy & Healthcare Civil Rights Compliance (Privacy Compliance) manages the Observer Program for USF Health clinics. The basic requirements are as follows:
- The individual wishing to observe must be at least 18 years of age;
- The individual wishing to observe or the USF Health clinical staff member involved, should email Trudy Williams in Privacy Compliance (trudywilliams@usf.edu) to get the most recent copy of the observer packet with forms;
- The observer must complete and submit the forms to trudywilliams@usf.edu for processing;
- The packet must be reviewed and approved by both Privacy and Medical Health Administration (MHA), which reviews the immunization records;
- The review process takes on average five (5) business days once the completed forms are submitted;
- The observer is limited to forty (40) hours of clinical observation time; and
- The approval by Privacy and MHA is for the USF Health clinic specified in the request as we cannot approve observations at TGMG clinics or Tampa General Hospital.
If you have questions related to the Observer Program, you may contact Trudy Williams, Privacy Investigator, at trudywilliams@usf.edu, call our Helpline telephone number at 813-974-2222, or send inquiries to our Privacy Helpline email at Privacy@usf.edu.
INTERNATIONAL OBSERVER PROGRAM
The USF Medicine International Observership Program is for international medical students and graduates. The Program Coordinator is Jayme Smith; her email is jaymesmith@usf.edu. Privacy Compliance does not manage this program.
AFFILIATION AGREEMENTS
If you have questions related to affiliation agreements or requirements, please contact Yvette Holmes at yholmes@usftgp.org. Privacy Compliance is not involved with the drafting, review, or approval of affiliation agreements or students seeking education credits within USF Health and TGMG clinical areas.
Guidance for Accessing Protected Health Information
Accessing Your Own Medical Record via Epic: USFTGP, TGMG, USF Health, and TGH all have policies that prohibit accessing your own medical record via Epic unless you are a credentialed provider whose licensure permits self-treatment. In other words, if you are not a credentialed provider who is permitted to self-treat, you must access your own medical record via either MyChart or by requesting copies of your medical record from the medical records office.
Minimum Necessary Standard: One of the concepts surrounding access to patient protected health information (PHI) under HIPAA is the “minimum necessary standard.” Generally, it requires us to limit the use or disclosure of PHI to the minimum necessary to accomplish the intended purpose. However, the minimum necessary standard does not apply to access, use and disclosures by health care providers for treatment purposes; patients requesting access to or copies of their medical record; and some other limited exceptions under HIPAA. Team members, who are not treating providers, should consider the minimum necessary standard when accessing a patient’s PHI as they perform their particular job function. Team members should only access a patient’s medical record if their job role requires such access and they should only access those sections of the medical record that are required to perform their job duty. One way to comply is to ask oneself, “Do I need to access this PHI to perform my job?” Or utilize the phrase, “When in doubt, just stay out.”
Monitoring and Auditing PHI Access: USFTGP, TGMG, USF Health, and TGH all utilize a monitoring system called Imprivata (f/k/a FairWarning) to monitor whether access to a patient’s medical record is in compliance with HIPAA. Additionally, our office can also run Epic audits when needed to determine whether access was appropriate. Some examples of the types of access we monitor:
- Accessing one’s own medical record (does not apply to credentialed providers);
- Accessing a co-worker’s medical record outside of performing the team member’s job function;
- Accessing medical records of patients not seen within the team member’s department;
- Accessing a family member’s record when not required to under the team member’s job function;
- Accessing medical records after hours (for those whose job functions do not require after-hours work); or
- Accessing a large number of records outside the usual amount.
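The access patterns listed above can be expressed as simple detection rules. The following is an added example, not USF's code and not how Imprivata or Epic audits work; the workforce directory, the log fields and the sample records are all constructed, and family-member access is not modeled because it needs relationship data the example does not carry.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed workforce directory (assumed fields): each member's own MRN,
# department, whether they are a credentialed provider, and whether their
# role requires after-hours work.
USERS = {
    "jdoe":  {"mrn": "MRN-1001", "dept": "Cardiology", "provider": False, "after_hours": False},
    "drlee": {"mrn": "MRN-1002", "dept": "Cardiology", "provider": True,  "after_hours": True},
    "kwong": {"mrn": "MRN-1003", "dept": "Oncology",   "provider": False, "after_hours": False},
}
WORKFORCE_MRNS = {u["mrn"] for u in USERS.values()}

@dataclass(frozen=True)
class Access:
    user: str          # workforce member who opened the record
    mrn: str           # patient record opened
    patient_dept: str  # department treating that patient
    when: datetime

def flag_access(a: Access, day_start: int = 7, day_end: int = 19) -> list[str]:
    """Return the monitored categories that a single access matches."""
    u = USERS[a.user]
    reasons = []
    if a.mrn == u["mrn"]:
        if not u["provider"]:          # providers may self-treat; others use MyChart
            reasons.append("self-access")
    elif a.mrn in WORKFORCE_MRNS:
        reasons.append("co-worker-record")
    if a.patient_dept != u["dept"]:
        reasons.append("outside-department")
    if not u["after_hours"] and not day_start <= a.when.hour < day_end:
        reasons.append("after-hours")
    return reasons

def review(log: list[Access], daily_limit: int = 3) -> dict[str, set[str]]:
    """Aggregate findings per user; add 'high-volume' when a user opens more
    distinct records in one day than the assumed baseline."""
    findings: dict[str, set[str]] = defaultdict(set)
    per_day: dict[tuple, set[str]] = defaultdict(set)
    for a in log:
        findings[a.user].update(flag_access(a))
        per_day[(a.user, a.when.date())].add(a.mrn)
    for (user, _), mrns in per_day.items():
        if len(mrns) > daily_limit:
            findings[user].add("high-volume")
    return {u: r for u, r in findings.items() if r}

# Constructed sample log (not real audit data).
SAMPLE_LOG = [
    Access("jdoe",  "MRN-1001", "Cardiology", datetime(2024, 3, 13, 10, 0)),   # own record
    Access("jdoe",  "MRN-1002", "Cardiology", datetime(2024, 3, 13, 10, 5)),   # co-worker's record
    Access("drlee", "MRN-1002", "Cardiology", datetime(2024, 3, 13, 22, 0)),   # provider, allowed
    Access("kwong", "MRN-2001", "Cardiology", datetime(2024, 3, 13, 21, 0)),   # other dept, late
    Access("kwong", "MRN-2002", "Oncology",   datetime(2024, 3, 13, 21, 5)),
    Access("kwong", "MRN-2003", "Oncology",   datetime(2024, 3, 13, 21, 10)),
    Access("kwong", "MRN-2004", "Oncology",   datetime(2024, 3, 13, 21, 15)),
]

if __name__ == "__main__":
    for user, reasons in review(SAMPLE_LOG).items():
        print(user, sorted(reasons))
```

A real program would tune the after-hours window and daily baseline per role and department, since the same count of records is routine for one job function and anomalous for another.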
If you have questions regarding whether access is appropriate, please reach out to our privacy helpline at privacy@usf.edu, privacy@usftgp.org, or 813-974-2222. We are here to help!