• E-mail
• Print
• RSS

How can PHI be used in peer review and credentialing activities? Currently, our meeting minutes use medical record numbers and not patient names, but it’s still PHI.

Compliance Monitor, January 9, 2004

Want to receive articles like this one in your inbox? Subscribe to Compliance Monitor!

These are normally legitimate uses of PHI. But as the question acknowledges, they could lead to a breach. Be sure to reinforce the "minimum necessary" principle when PHI is used for these purposes. Only use (and disclose) PHI when necessary, only use the least amount of PHI to accomplish the task, and only provide PHI to those people who need it.

For example, it's a good practice to include only medical record numbers in minutes, but be sure that the minutes are properly protected-whether electronic or on paper. Where are they filed? Who has access to them? Do some individuals need access, but do not need to know the medical record numbers? If so, do you have a process for deleting or covering up the numbers, or a process for summarizing minutes so that they no longer contain any PHI?

In addition to implementing the minimum necessary principle, periodically remind physicians and staff of their privacy and security responsibilities in terms of peer review and similar "behind the scenes" activities. Raise awareness of the risks and train in appropriate behavior. Talk about it and provide written procedures and guidelines so that people don't have to guess about your expectations.

This question was answered by Kate Borten, CISSP, founder of The Marblehead Group, Inc., a national security and privacy consulting firm focused on the health care industry.

Want to receive articles like this one in your inbox? Subscribe to Compliance Monitor!

• E-mail to a Colleague
• Print
• RSS
• Archive