HIPAA Privacy Frequently Asked Questions

What is Health Insurance Portability Accountability Act (HIPAA)? does the HIPAA Privacy Rule do?

A federal law, the intent of which is to protect the privacy and security of patient health information, that is created or maintained by healthcare providers.

What is Protected Health Information (“PHI”)?

Any type of individually identifiable health information, whether electronically maintained, electronically transmitted, or in any other format (i.e., discussed orally, on paper or other media, photographed, or otherwise duplicated).

Who may access confidential information?

Only those people who need access for business reasons and who have been authorized to receive it.

Who is our privacy officer? Who is our security officer?

Chief Privacy Officer: Luann Healy and Chief Information Security Officer: Ana Roldan.

How do I report a privacy concern?

If you have a HIPAA privacy question or concern, please call either the Office of HIPAA Privacy at 954-262-4241, or your designated HIPAA Liaison, or the NSU Ethics and Compliance Reporting Hotline at 888-609-NOVA (6682), if you wish to remain anonymous.

Who is responsible for maintaining a secure environment and patient privacy?

Everyone.

Am I permitted to look up my sick father's medical record?

No, you are not permitted to look at your father's record unless your father has informed the NSU Health Clinics that that is okay in writing. While parents usually want family involvement in their treatment, it shouldn't be assumed. Sometimes an individual does not want family members to know the details.

We know that diagnoses and test results are confidential. What other information about a patient is confidential? What about billing records?

Essentially any information that is patient-identifiable, even the patient's address, is confidential and must be protected. Only when the patient has agreed may it be used or disclosed for specific purposes. Also, removal of the patient's name does not mean the patient's identity is protected; other information such as a medical record number, a zip code, or a date of birth could still be used for identification.

What does “minimum necessary” mean?

The HIPAA Privacy Rule and NSU Health Care Component HIPAA Privacy Policies generally require that we access, use, and disclose only the minimum amount of protected health information (PHI) necessary to complete a work-related duty, and that we do so only when the PHI is needed for that specific task. For example:

If your job requires access to a patient’s demographic information, it would not be appropriate and would violate the “minimum necessary” standard to also access detailed clinical information in the patient’s record.

We know that health records whether paper or electronic are confidential. What about handwritten notes and phone calls?

All forms of information written, spoken, or electronic are confidential and must be protected.

What should you do if another organization asks for access to patient information in your computer system?

Forward the request to the Chief Privacy Officer (Luann Healy) or Chief Information Security Officer (Ana Roldan). This access must be closely scrutinized first.

How should you dispose of confidential papers?

Put them in the locked shredder bin in your area. Make sure you always leave your workspace free of paper protected health information (“PHI”) before you leave at the end of your day.

Please refer to Nova Southeastern University's Records Management and Destruction Policy located at https://www.nova.edu/records/policies-and-procedures.html.

What do I do if I receive a fax that was received in error?

Misdirected faxes received by NSU Health Clinics and/or other NSU departments from non-NSU health care facilities may expose non-NSU health care facility patient and other confidential information to individuals who are not authorized to see that information. In the event of this occurrence please proceed as follows:

Notify the sender and return the fax if requested;
Contact the NSU Office of HIPAA Privacy at (954) 262-4241; and
Shred the original fax if not requested to return to sender

May I use my Axium, NextGen, QS1 work access to view my own health record?

No, you must use your work access for work-related purposes only. However, you may use the NSU patient portal to access your own health records.

My coworker is on medical leave, and I want to send her a card. Can I look up her address in Axium, NextGen, or QS1?

No, you may not access or view anyone’s health record unless you have a job-related reason to do so. Accessing an employee’s health record to get their address, telephone number, birthday, or any other information is not appropriate unless doing so is required for your job.

My spouse asked me to look up their lab results. Am I allowed to do so in Axium, NextGen, or QS1?

No, in this case, viewing your spouse’s lab results is not job-related and therefore is prohibited. You may only use your work access to view the health records of a family member (or other individual) when necessary to do your job. This is true even if the family member or other person gives you permission. In this case, viewing your spouse’s lab results is not job-related and therefore is prohibited.

However, if you have been authorized to view the laboratory results of other people, (e.g., your spouse) you may do utilizing either the laboratory’s patient portal or the NSU Health Clinic patient portal, if available. Additionally, your spouse may view their information utilizing the laboratory’s patient portal or the NSU Health Clinic patient portal, if available, or requesting a copy their information via a written authorization from the laboratory or the NSU Health Clinic.

What is snooping?

Snooping means intentionally accessing patient records without a legitimate work-related reason. Snooping is prohibited by law and NSU Health Care Component/Health Clinic HIPAA policies and procedures, regardless of whether it is malicious, well-intended, or out of curiosity. Employees/workforce members who snoop or otherwise violate NSU Health Care Component/Health Clinic privacy or information security policies are subject to disciplinary action, up to and including termination.

What is FairWarning?

FairWarning is a privacy monitoring technology that analyzes Axium, NextGen and QS1 user activity to detect potentially inappropriate access to patient information and other privacy violations. Any potentially inappropriate activity that is detected is reviewed and investigated, as necessary. The NSU Health Care Components use FairWarning to monitor for possible privacy violations, such as coworker snooping.

Can I post about patients on social media?

No. The HIPAA Privacy Regulations prohibit the use of protected health information (“PHI”) on social media without patient Authorization. This includes posts about specific patients, in addition to images or videos that may result in a patient being identified. Some examples of potential HIPAA violations using social media include:

Sharing workplace frustrations online without the patient’s name, but with enough details that the patient can easily be identified.
Disclosing PHI in response to negative comments posted online.
Posting photographs or images taken from inside a healthcare facility where a patient or PHI are visible.

How can I protect patient privacy while working from home?

Safeguard protected health information (“PHI”) at home just as you would if working on campus.

Make sure PHI is not visible to others.
Make sure that family members and others are not able to read or access your computer.
Conduct phone calls in an area where PHI cannot be overheard.
Be mindful on video calls: Is PHI visible to people on the call? To people in your home?
As always, do not discuss PHI with others in your home.