Corporate Compliance

HIPAA Q&A: Potential PHI disclosures through posted forms

Compliance Monitor, April 4, 2012

Q. A nurse in a skilled nursing facility asked if she could post a paper form called “Turn and Position Sheet” on the wall in the residents’ rooms so employees can document each time they turn and position the resident. It would indicate to a visitor or other non-nursing facility staff that the resident suffers from pressure sores. Is this a violation of HIPAA, and would it be considered a breach of PHI?

A. It could represent an inappropriate disclosure of PHI given the care setting. Covered entities cannot eliminate incidental disclosures but are required to limit them as much as feasible. On the other hand, if the paper form is posted where it is not easily viewable to anyone but the workforce member, and if the heading on the form was “TP” or another code understandable to workforce members only, it would strictly limit the possibility of incidental disclosure of patient information and would likely not be considered an inappropriate release of PHI.

Editor's note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question, which first appeared in the April Briefings on HIPAA. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.