HIPAA Best Practices

As we consider what we should be doing to comply with HIPAA and protect our patients' protected health information (PHI), here's a quick guide to help you remember some of the most important practices that should be in place at UCR Health.

  1. Display the Notice of Privacy Practices in clinics and post it on the health system website.
  2. Give patients a copy of the Notice of Privacy Practices and make good-faith efforts to obtain written acknowledgment of receipt.
  3. Avoid verbal discussions of protected health information (PHI) on the phone, in public areas, or in reception/waiting areas that are within earshot of people who don't have a need to know.
  4. Don't leave sensitive information on telephone answering machines.
  5. Limit PHI in announcements made in clinic waiting rooms to the minimum necessary.
  6. If the patient identifies them as involved in their care, you may share PHI with family, friends, and a personal representative.
  7. Limit patient information on whiteboards, X-ray boxes, computer screens and other areas that may be visible to the public and others who don't need access to PHI.
  8. Follow safeguards for PHI that is transmitted by fax or e-mail.
  9. Promptly file away and secure folders that contain patient medical records.
  10. Make sure that computer/network security measures are in place (e.g., privacy screens are in place as required, passwords are not taped to the monitor).
  11. Do not share passwords.
  12. Make sure the physical plant is locked down at night, with windows closed and doors locked.
  13. Remind people that only the "minimum necessary" PHI should be disclosed except for treatment purposes.
  14. Make sure you track required disclosures of PHI.
  15. Make sure written authorizations to use and disclose PHI are obtained, except for treatment, payment, operations, and the other exceptions permitted in the policy.
  16. Be aware of the rights patients have to review (and get copies of) their records and what procedures will be followed.
  17. Be sure everyone in your work force knows who the privacy officer is and who they should contact with patient privacy questions or problems. The privacy officer is Paul Hackman, who can be reached at or (951) 827-3257.