How can PHI be used in peer review and credentialing activities?
HIPAA Weekly Advisor, July 11, 2003
Q: How can PHI be used in peer review and credentialing activities? Currently, our meeting minutes use medical record numbers and not patient names, but it's still PHI.
A: These are normally legitimate uses of PHI. But, as the question acknowledges, they could lead to a breach. So be sure to reinforce the "minimum necessary" principle when PHI is used for these purposes. Only use (and disclose) PHI when necessary, only use the least amount of PHI to accomplish the task, and only provide PHI to those people who need it.
For example, it's a good practice to include only medical record numbers in minutes, but be sure that the minutes are properly protected, whether electronic or on paper. Where are they filed? Who has access to them? Do some individuals need access, but do not need to know the medical record numbers? If so, do you have a process for deleting or covering up the numbers, or a process for summarizing minutes so that they no longer contain any PHI?
In addition to implementing the minimum necessary principle, periodically remind physicians and staff of their privacy and security responsibilities in terms of peer review and similar "behind the scenes" activities. Raise awareness of the risks and train in appropriate behavior. Talk about it and provide written procedures and guidelines so that people don't have to guess about your expectations.
Editor's note: Answered by Kate Borten, CISSP, president of The Marblehead Group, in Marblehead, MA, and excerpted from the upcoming August 2003 issue of Briefings on HIPAA. This is not legal advice. Be sure to consult with your facility's legal counsel for legal matters.