340:2-8-11. Safeguarding protected health information
(a) When Oklahoma Department of Human Services (DHS) staff is familiar with the person or entity requesting protected health information (PHI), DHS verifies the authority of the person or entity to receive the information.When DHS staff is not familiar with the person or entity requesting PHI, DHS staff verifies the identity and authority of the person or entity to receive the information, per Section 164.514(h) of Title 45 of the Code of Federal Regulations. • 1
(b) DHS staff must exercise care to avoid incidental disclosures of PHI through verbal communications. • 2
(c) Appointment reminders may be left on answering machines and voice mail systems, unless the client completes Form 13HI006E, Request for Alternative Means of Communication, or provides a written statement requesting an alternate means of communication. • 3
(d) DHS staff may fax PHI when the PHI is sent with Form 13HI008E, Health Information Coversheet, and:
(1) only the minimum necessary PHI is sent;
(2) the information is not sensitive or, when sensitive, it is an emergency situation; and
(3) staff makes reasonable efforts to ensure the fax transmission is sent to the correct destination.
(e) PHI is only photocopied when necessary for treatment, payment, or health care operations when authorized by the client or the client's personal representative or when required by law.
(f) PHI placed in case records or other records must be filed and kept safe from unauthorized access.
(g) Clients and visitors must be appropriately escorted in a secured area to ensure unauthorized PHI access does not occur.
(h) Computer monitors must be positioned to prevent unauthorized PHI observation or access and unattended computers must be returned to a password protected screen saver.
(i) Correspondence, including email and fax that includes PHI is allowed when limited to the minimum necessary standard, per Oklahoma Administrative Code 340:2-8-10.
1.To verify the identity or authority of a person or entity requesting protected health information (PHI), staff obtains documentation, statements, or verbal or written representations.
2.Conversations in public areas must be avoided and/or voices must be lowered and attention paid to unauthorized listeners when discussing PHI.
3.The content of appointment reminders and phone messages must follow the minimum necessary standard.