HIPAA Guide for Managers

Riverside, CA –

As we consider what we should be doing to comply with HIPAA and protect our patients' protected health information (PHI), here's a quick guide to help you remember some of the most important things that should be going on at UC Riverside Health.

  1. Notice of Privacy Practices is displayed in clinics and posted on the health system website.
  2. Give patients a copy of the Notice of Privacy Practices and make good-faith efforts to obtain written acknowledgment of receipt.
  3. Avoid verbal discussions of protected health information (PHI) on the phone, in public areas, or in reception/waiting areas that are within earshot of people who don't have a need to know.
  4. Don't leave sensitive information on telephone answering machines.
  5. Limit or use minimum necessary PHI in announcements made in clinic waiting rooms.
  6. If identified by the patient, you may share PHI with family, friends, and a personal representative as someone involved in their care.
  7. Limit patient information on whiteboards, X-ray boxes, computer screens and other areas that may be visible to the public and others who don't need access to PHI.
  8. Follow safeguards for PHI that is transmitted by fax or e-mail.
  9. Promptly file away and secure folders that contain patient medical records.
  10. Make sure that computer/network security measures are in place (e.g., that screensavers kick in quickly, passwords are not taped to the monitor, machines are turned off at night, and access from off site is carefully restricted).
  11. Do not share passwords.
  12. Make sure the physical plant is locked down at night, with windows closed and doors locked.
  13. Remind people that only the "minimum necessary" PHI should be disclosed except for treatment purposes.
  14. Make sure separated employees turn in their keys and building cards and terminate their network access.
  15. Make sure you track required disclosures of PHI.
  16. Make sure written authorizations to use and disclose PHI are received except for treatment, payment, operations, and exceptions permitted in the policy.
  17. Make sure new and existing employees participate in HIPAA privacy training.
  18. Make sure everyone is aware of the rights patients have to review (and get copies of) their records and what procedures will be followed.
  19. Make sure everyone knows who patients should speak with if they have questions about their HIPAA privacy rights.
  20. Be sure everyone in your work force knows who the privacy officer is and who they should contact with patient privacy questions or problems. The privacy officer is Paul Hackman, who can be reached at or (951) 827-3257.