Submit your HIPAA questions to Editor Jaclyn Fitzgerald at firstname.lastname@example.org , and we will work with our experts to provide the information you need.
Q: My facility no longer registers patients under aliases, but will allow them to opt out of the patient directory. However, opting out of the registry will not exclude our patients from the operating room (OR) list. At one time, the facility’s CEO received the daily OR list with full patient names so he could visit board members, donors, or others whom he knows at our facility. HIM changed this practice so that patients’ names would not be on the OR schedule provided to the CEO. The CEO took this matter to the hospital attorney, who said the names could be included because the use of PHI by the CEO to determine whether and when a patient visit is appropriate is permitted by HIPAA as it is part of healthcare operations. Is it a violation of HIPAA for the CEO to use PHI to track patients in this manner?
A: Healthcare organizations are permitted to use PHI without patient authorization or consent for their own healthcare operations. This use could be considered part of healthcare operations, so it would not be a violation of HIPAA.
Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for the Central Texas Division of Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA . This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.