HIPAA Cheat Sheet for Unit Clerks: Quick PHI and Privacy Compliance Guide


Kevin Henry

HIPAA

March 15, 2026


HIPAA Overview

HIPAA sets national standards to protect Patient Privacy and define clear Confidentiality Requirements for anyone who handles health information. As a unit clerk, you help safeguard Protected Health Information (PHI) every time you schedule, file, route messages, or manage charts.

Three core rules guide your daily work: the Privacy Rule (who may access information), the HIPAA Security Rule (how ePHI is protected), and the Breach Notification Rule (what to do when something goes wrong). The “minimum necessary” standard and role-based access keep disclosures limited to what your job requires.

  • Only access what you need to perform your task (minimum necessary).
  • Use approved systems and follow Access Controls like unique logins and MFA.
  • Report suspected incidents immediately—do not investigate on your own.

PHI Definition

Protected Health Information (PHI) is any individually identifiable health information about a person’s past, present, or future health or payment for care—whether spoken, written, or stored in Electronic Health Records (EHR) or other systems. If it can identify a patient and relates to health or payment, treat it as PHI.

Common PHI identifiers

  • Names; geographic details smaller than a state (street address, city, ZIP).
  • All elements of dates (except year) related to an individual (e.g., DOB, admit/discharge).
  • Phone and fax numbers; email addresses.
  • Social Security, medical record, and health plan beneficiary numbers.
  • Account, certificate/license, and vehicle identifiers (including license plates).
  • Device identifiers/serial numbers; URLs; IP addresses.
  • Biometric identifiers (finger/voice prints); full-face photos and comparable images.
  • Any other unique identifying number, characteristic, or code.

De-identified data removes these identifiers so the person cannot reasonably be identified. When in doubt, treat information as PHI and apply privacy safeguards.
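As an added example (not part of the article), a small Python scan that flags which of the identifier categories listed above still appear in a free-text record and redacts them. The regexes and the sample fax note are constructed assumptions for illustration; names and "any other unique code" need human judgement or a lookup and are not covered.

```python
"""Added example (not from the article): a Safe Harbor-style scan that reports
which of the cheat sheet's identifier categories remain in free text.
The patterns below are illustrative assumptions, not a certified de-identifier."""
import re
from typing import Dict, List, Tuple

# Categories from the article's identifier list, as simple regexes (assumptions).
# Order matters: each match is redacted before the next pattern runs, so a
# 5-digit MRN is consumed as "MRN" and not re-flagged as a ZIP code.
# Year-only dates are allowed under Safe Harbor, so the date pattern requires
# a month/day component.
IDENTIFIER_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "URL": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone/fax": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "date (more than year)": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "MRN": re.compile(r"\bMRN[:#]?\s*\d+\b", re.IGNORECASE),
    "ZIP": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}


def scrub_phi(text: str) -> Tuple[str, List[str]]:
    """Redact each identifier category in turn; return (scrubbed text, categories found)."""
    found: List[str] = []
    for label, pattern in IDENTIFIER_PATTERNS.items():
        text, count = pattern.subn(f"[{label.upper()}]", text)
        if count:
            found.append(label)
    return text, found


def is_deidentified(text: str) -> bool:
    """True when none of the scanned identifier categories remain in the text."""
    return not scrub_phi(text)[1]


# Constructed sample: the kind of misdirected fax note the article says to escalate.
SAMPLE = ("Patient MRN 48213, DOB 03/15/1962, lives at ZIP 02139. "
          "Call 617-555-0142 or j.doe@example.com; portal login from 10.0.0.5. "
          "Seen 2024.")

if __name__ == "__main__":
    scrubbed, categories = scrub_phi(SAMPLE)
    print(scrubbed)
    print("identifier categories still present:", categories)
```

Year-only references such as "Seen 2024" survive the scrub, matching the dates exception in the list above.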

Unit Clerks' Role in HIPAA Compliance

You are often the first point of contact, making you essential to privacy compliance. Your responsibilities—registering patients, updating demographics, answering calls, routing documents, and managing charts—must align with Access Controls and the minimum necessary standard.

Daily responsibilities with a privacy lens

  • Verify identities using at least two identifiers before discussing or updating records.
  • Position screens away from public view and log off when stepping away.
  • Secure paper charts; use sign-out logs and return records promptly.
  • Use approved EHR workflows; never share passwords or use personal devices.
  • Limit hallway and waiting-room conversations to non-PHI.

Red flags to escalate

  • Requests for entire records “just in case” or from unauthorized individuals.
  • Misdirected mail, email, faxes, or printouts containing PHI.
  • Lost badges, unattended records, or suspicious attempts to bypass procedures.

Privacy Compliance Best Practices

Physical and workstation safeguards

  • Lock screens, clear desks, and store PHI in secure areas when not in use.
  • Use privacy filters where the public could view monitors.
  • Escort visitors; keep non-staff out of record storage areas.

Administrative and people practices

  • Follow role-based Access Controls and confidentiality agreements.
  • Complete required training and follow documented procedures.
  • Report incidents immediately to your supervisor or Privacy/Security Officer.

Data Handling Procedures

Paper records

  • Print only what is needed; collect pages immediately from printers.
  • Use cover sheets in public areas; never leave PHI unattended.
  • Transport charts face-down in secure folders; maintain check-in/out logs.
  • Dispose of PHI in locked shred bins—never standard trash or recycle.

Electronic Health Records (EHR)

  • Access the correct chart every time; confirm two identifiers before entry.
  • Use organization-approved devices and networks; enable MFA where available.
  • Do not copy ePHI to unencrypted USBs, personal email, or cloud storage.
  • Close sessions and log off; audit trails may be reviewed for inappropriate access.

Storage, transfer, and disposal

  • Store PHI only in approved systems with encryption and Access Controls.
  • Use secure scanning and faxing procedures; verify recipients before sending.
  • Follow IT guidance for secure media wiping and device disposal.

Communication Guidelines for PHI

In-person conversations

  • Discuss PHI in private areas whenever possible; keep voices low.
  • Ask the patient whom you may speak with and note preferences.

Phone calls

  • Authenticate callers with two identifiers before sharing PHI.
  • Use the minimum necessary; avoid leaving detailed PHI on voicemail—leave a callback number instead.
  • When unsure, call back using official numbers from the record, not those provided by the caller.

Email and secure messaging

  • Use encrypted email or approved patient portals for PHI; never use personal email.
  • Double-check recipients and attachments; include only what is necessary.

Faxing and printing

  • Use a cover sheet that masks PHI; pre-program frequent numbers to reduce errors.
  • Confirm the recipient and request acknowledgment of receipt when appropriate.

Patient companions and preferences

  • It is acceptable to share limited PHI with family/friends present when the patient agrees or does not object.
  • Respect documented restrictions and special communications requests.

Sign-in sheets and whiteboards

  • Permitted with the minimum necessary—avoid diagnoses or detailed clinical notes.
  • Use first name/last initial or other limited information per policy.

Breach Reporting Protocols

What counts as a breach

A breach is an impermissible use or disclosure of unsecured PHI that compromises privacy or security. Exceptions exist (e.g., certain good-faith or inadvertent disclosures), but a formal risk assessment determines whether notification is required.

Immediate steps to take

  • Contain the issue: recover misdirected documents, stop further disclosure, and secure systems.
  • Notify your supervisor and the Privacy/Security Officer at once; complete an incident report.
  • Preserve evidence (emails, faxes, envelopes, screenshots) and document who was involved.

Notifications and timelines

  • Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
  • Report breaches of 500 or more individuals to HHS and, when required, local media within 60 days.
  • For fewer than 500 individuals, log the breach and submit to HHS within 60 days after the calendar year ends.
  • Follow your organization’s Breach Notification procedures and scripts; do not contact patients on your own unless instructed.

Quick recap for unit clerks

  • Use minimum necessary access, verify identities, and secure workspaces.
  • Handle EHR and paper records only in approved, controlled ways.
  • Report suspected incidents immediately; documentation matters.

FAQs

What constitutes PHI under HIPAA?

PHI is any individually identifiable health information—spoken, written, or electronic—about a person’s health status, care, or payment. If it can identify the patient (e.g., name, DOB, MRN, contact details, photos, account numbers) and relates to health or payment, it is PHI and must be protected.

How should unit clerks handle PHI securely?

Use role-based Access Controls, verify identities with two identifiers, and apply the minimum necessary standard. Keep screens and documents out of public view, use encrypted/approved systems for ePHI, collect printouts promptly, and place all PHI slated for disposal in secure shred bins. Never share passwords or store PHI on personal devices.

When must a breach be reported?

Report suspected breaches immediately to your supervisor and Privacy/Security Officer. Individuals must be notified without unreasonable delay and no later than 60 days after discovery. Large breaches (500+ individuals) require prompt notices to HHS (and often media), while smaller events are logged and reported to HHS annually per policy.

What communication methods comply with HIPAA?

Use approved, secure channels: encrypted email, secure messaging, and patient portals for PHI. Phone disclosures require caller verification and minimum necessary details. Faxing is acceptable with safeguards like cover sheets and recipient verification. Avoid unencrypted personal email, unauthorized apps, and public conversations about PHI.
