Handling PHI when reporting workplace violence

When evidence used in workplace violence (WPV) reports contains identifiable details about a patient that could link them to the organization and the incident it is considered protected health information (PHI). 

What is PHI? 

PHI is defined in Section 160.103 of the Health Insurance Portability and Accountability Act. It is any individually identifiable information created, received, or transmitted by covered entities and their business associates. A Journal of Nuclear Medicine Technology study notes, “PHI is used within a medical facility and includes verbal and written communications. PHI can be found in computer files, paper medical records, information from insurance companies, information from the provider, and information from legal offices.” The information considered PHI includes details about the person's past and present health, provisions of healthcare, and payment for healthcare services. 

When is evidence used for reporting considered PHI? 

If the images or videos used to file the report clearly show the patient's identity or are accompanied by identifiable details, like their name, it falls under the category of PHI. Even if the primary intent of the report is to document WPV, the inclusion of identifiable information requires adherence to HIPAA’s regulations regarding privacy and security. 

How to securely share digital evidence during the reporting process

1. Avoid using unsecured methods of communication to transmit PHI. Instead use HIPAA compliant email platforms like Paubox for secure evidence management. 
2. Preserve a clear chain of custody to ensure the integrity of the evidence, including documenting every interaction with the evidence including who accessed it and when. 
3. Not all personnel should have unrestricted access to digital evidence. The use of role-based access controls should therefore extend to evidence management.
4. Make use of cryptographic hash values to help verify the integrity of digital evidence once evidence is stored. The hash value detects any alterations to the original data. 

FAQs 

Why is WPV so prevalent in healthcare?

WPV is prevalent in healthcare due to the high-stress environment of healthcare settings, combined with the vulnerability of patients and their families. 

What are the limitations of the Privacy Rule?

While the Privacy Rule establishes standards for the protection of PHI, it does not fully account for the advancements in digital communication, which is a vulnerability that the HHS, NIST, and CISA attempt to resolve through their guidance.