This document defines protected health information (PHI) and how it should be handled and protected. PHI is individually identifiable health information that is transmitted or maintained by a covered entity. It must be protected by removing identifiers, using statistical methods, or stripping listed identifiers such as names or dates. PHI can be shared with the individual or for treatment, payment, and healthcare operations. With permission, it can also be shared with family and advocates. Employees must make reasonable efforts to limit PHI disclosure to the minimum necessary for their job duties. Penalties for improper access or disclosure of PHI include fines up to $250,000 and imprisonment up to 10 years.

2. WHAT IS PHI-PROTECTED HEALTH INFORMATION?
Protected health information (PHI)
–Individually identifiable health information
–Transmitted or maintained in any form or medium by a Covered Entity or
its Business Associate
♦Health information, including demographic information
♦Relates to an individual’s physical or mental health or the provision of or
payment for health care
♦Identifies the individual

3. HOW DO YOU PROTECT PHI
♦Removal of certain identifiers so that the individual who is subject of the
PHI may no longer be identified
♦Application of statistical method or
♦Stripping of listed identifiers such as:
–Names
–Geographic subdivisions < state
–All elements of dates
–SSNs

4. WHO CAN HAVE THIS INFORMATION
• The individual may have a copy of their own PHI at a reasonable cost to
them.
In addition:
Health plans can contact their enrollees
Providers can talk to their patients
• For treatment, (consultation and referrals)
• For payment (reimbursement for services)
• For health care operations (administrative, legal, fraud/abuse detection)

5. PATIENT RELEASE OF INFORMATION FOR FAMILY,
FRIENDS, AND HEALTH ADVOCATES
The patient :
Must give individual opportunity to agree or object:
–May disclose PHI relevant to person’s involvement in care or payment to
family, friends, or others identified by individual
–May notify of individual’s location, condition, or death to family, personal
representatives, or another responsible for care
•Applies to disaster relief efforts
♦When individual is not present or incapacitated:
–Above uses and disclosures are permissible using professional judgment

6. MINIMUM NECESSARY
Your duty as an employee of this organization:
• Make reasonable efforts to limit the use or disclosure of, and requests
for, PHI to minimum amount necessary to accomplish intended purpose
• In plain terms this means if you do not need the information to perform
your job duties, you may be subject to a write-up, or termination as a
result of casual prying into our patient’s medical record.
• Patient health information is never to be discussed in a non-
professional manner. Nor should this information be discussed in
public, or in a setting where you do not know who will hear. What if this
were your family member being discussed…or YOU

7. PENALTIES
For knowingly obtaining or disclosing identifiable health information
relating to an individual in violation of the Rule:
–Up to $50,000 & 1 year imprisonment
–Up to $100,000 & 5 years if done under false pretenses
–Up to $250,000 & 10 years if intent to sell, transfer, or use for commercial
advantage, personal gain or malicious harm
♦Enforced by DOJ
HHS/OCR 2003 42 USC
§1320d-6

8. CONCLUSION
By viewing this presentation, you now have the knowledge of what PHI is,
who can view PHI, how do you protect PHI, and the penalties and fines
for failing to adhere to these guidelines.
You employment depends upon your understanding the guidelines
presented. Please contact Ann Smith, Compliance Officer, at ext. 4737
with any additional concerns or questions you may have.
Your login today is evidence of your training. This training is a mandatory ,
and future trainings will be made available as Health and Human
Services makes changes to the Protected Health Information rules and
regulations.