Q. One of my colleagues made a website accessible to invitees only. He plans to upload a spreadsheet that contains clients’ names and diagnoses. The spreadsheet will be password-protected, but I believe it will compromise our HIPAA compliance nonetheless. Am I correct?
A. Posting patient-identifiable health information on any website, even if it is password-protected, could result in a breach of patient confidentiality. This situation requires a detailed review by your organization’s compliance officer before your colleague proceeds any further.
Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, a nationally recognized expert on patient privacy, information security, and regulatory compliance, answered this question. She is associate executive director of HIM at Scott & White Healthcare in Temple, TX. Advice given is general. Readers should consult professional counsel for specific legal, ethical, or clinical questions.