What is protected health information (PHI) under HIPAA?

PHI is any information that can identify a patient and relates to their health status, treatment, or payment for care. This includes names, addresses, dates of service, diagnosis codes, photographs, medical record numbers, and any combination of data points that could identify an individual. PHI is protected whether it exists in written, electronic, or verbal form.

What does the minimum necessary standard mean in practice?

The minimum necessary standard means you should access, use, or disclose only the least amount of PHI needed to accomplish a specific task. For a CPO, this means opening only the chart of the patient you are currently seeing, sending only relevant records to referral providers, and avoiding discussions of patient information in areas where others may overhear. It does not apply to treatment disclosures between providers directly involved in a patient's care.

How do you correctly fix a documentation error in a medical record?

Draw a single line through the incorrect entry so the original is still readable. Write the correct information beside or above it. Initial and date the correction. Never use white-out, multiple lines to obscure text, or simply delete an electronic entry without an audit trail. Medical records may be reviewed legally or for audits, and all original entries must remain visible to demonstrate the record was not altered inappropriately.

HIPAA and Medical Records: CPO Exam Guide

HIPAA in the Eye Care Setting

The Health Insurance Portability and Accountability Act (HIPAA) establishes federal standards for protecting patient health information. As a CPO, you handle protected health information every day, from the moment a patient checks in through every test you perform and document. Understanding your HIPAA obligations is both a legal requirement and a professional responsibility.

Protected Health Information (PHI)

Protected Health Information (PHI) is any information that can be used to identify a patient and relates to their health status, treatment, or payment for healthcare. PHI includes:

Name, address, date of birth, phone number, email address
Medical record numbers and account numbers
Dates of service, diagnosis, and treatment
Photographs that could identify the patient
Any combination of data elements that could identify an individual

PHI exists in three forms: written (paper records), electronic (ePHI in EHR systems), and verbal (spoken during conversations). All three are protected under HIPAA.

Even a seemingly innocuous detail can constitute PHI when combined with other information. A patient's eye condition alone may not identify them, but combining it with their name, employer, or date of birth creates identifiable PHI that requires protection.

Minimum Necessary Standard

The minimum necessary standard means you should access, use, or disclose only the minimum amount of PHI needed to accomplish the intended purpose. In practice:

Access only the patient records you need to do your job for that patient
Do not browse charts of patients you are not directly caring for
When sharing information with another provider, send only the records relevant to the referral
Do not discuss patient information in public areas where others may overhear

A common HIPAA violation in clinical settings is discussing patient cases loudly in hallways, waiting rooms, or elevators. Keep patient conversations within the exam room or clinical areas where access is controlled. When calling a patient, verify their identity before discussing any health information.

Permitted Disclosures

HIPAA permits sharing PHI without patient authorization in specific situations:

Treatment: sharing records with other treating providers
Payment: billing and insurance processing
Healthcare operations: quality assurance, staff training, auditing
Public health reporting: required disease reporting to health departments
Legal requirements: court orders, law enforcement with valid legal process

Medical Record Documentation Standards

Beyond HIPAA compliance, medical records must meet documentation standards for clinical and legal purposes:

Accuracy: record what was actually observed and done
Completeness: all relevant information must be included
Timeliness: document contemporaneously or as close to the encounter as possible
Legibility: all entries must be readable
Authentication: sign, date, and time every entry

Standard Ophthalmic Abbreviations

OD (Oculus Dexter): right eye
OS (Oculus Sinister): left eye
OU (Oculus Uterque): both eyes
cc: with correction
sc: without correction
BCVA: best-corrected visual acuity
IOP: intraocular pressure

Correcting a documentation error by crossing it out with multiple lines or using correction fluid (white-out). The correct method is to draw a single line through the error, write the correction above or beside it, and initial and date the correction. This preserves the original entry for legal and audit purposes.

Electronic Health Records (EHR)

Electronic records require additional security measures: unique user login credentials, automatic log-off, audit trails of who accessed what records and when, and encryption for data transmission. Never share your login credentials with colleagues, even temporarily.

Key Takeaways

PHI is any information that can identify a patient combined with their health information
Minimum necessary standard: access only the PHI needed for the immediate task
PHI can be shared without authorization for treatment, payment, and operations
Document accurately, completely, legibly, and contemporaneously
Correct errors with a single line, initial, and date; never use white-out
Never share EHR login credentials