The purpose of HIPAA is designed to encourage the efficiency and effectiveness of the healthcare system while protecting the security and privacy of healthcare information. Specifically, the Privacy part of the regulation is designed to give patients more control on the use and disclosure of their medical information.

Although the health record is the physical property of Carilion Health System, the information belongs to the patient. Patients have the right to:

• Get a copy and review their medical record.
• Amend their record.
• Receive an accounting of who we have disclosed their information to if other than treatment, payment or healthcare operations.
• Restrict access to their record.
• Request a specific way for us to communicate with them.
• Receive a copy of our Notice of Privacy Practices.

Our organization has many types of information that it must secure. HIPAA places a special emphasis on protected health information (PHI). PHI includes anything that can be used to identify a patient, including but not limited to a patient’s: name; address; Social Security number; phone number; condition or diagnosis; date of treatment or service and numerous other identifiers.

We must have authorization from patients to disclose their medical information for purposes other than treatment, payment or healthcare operations, or except as required or allowed by law or regulation.

You are granted access to protected health information (PHI) based on a need to know and minimum necessary rule. Your need to know is determined by your roles and responsibilities in the organization, which in turn will provide the minimum necessary information to accomplish your assigned tasks.

HIPAA allows you to have all the necessary information you need to do your job and allows you to share information about patients with other appropriate persons. Using or disclosing patient health information inappropriately may subject you to disciplinary action and/or criminal charges and/or monetary penalties.

As an employee you are not allowed to access health information or demographic information including addresses or birthdays, about co-workers, friends, neighbors, or family members unless the information is needed to perform your job responsibilities. Also as an employee, you are not allowed to modify your own medical record nor create, authorize or sign your own prescriptions except in pre-approved situations.

Never leave a disk, CD or document containing PHI around for others to see or copy. Store all computer disks in locked areas. Avoid labels that draw attention to file content. Store documents in a safe place and keep them turned over when not in use.

A "No News" patient means no information about this patient is to be discussed or given out to anyone outside of the patient’s care team.

Carilion's Privacy Officer and Information Security Officer are available to assist you if you have questions concerning use and disclosure of patient information or a patient's right of access their medical information.