Protected Health Information (PHI) and HIPAA Compliance
Emory Decatur Hospital takes the privacy and security of its patients and
their protected health information (“PHI”) very seriously. Emory Decatur Hospital expects its contractors, vendors, suppliers and members of the
media to exhibit the same commitment to maintaining the privacy and
security of its patients’ PHI.
Emory Decatur Hospital has developed a comprehensive set of policies and
procedures relating to the use and disclosure of PHI. A full discussion
of those policies and procedures is beyond the scope of this document;
however, the following are highlights of those policies.
- Emory Decatur Hospital defines protected health information to mean “any
health information relating to (i) past, present, or future physical or
mental health or condition of an individual; (ii) the provision of
health care to an individual; (iii) the past, present, or future payment
for the provision of health care to an individual; or (iv) information
(data elements) which can be used to identify the individual.”
- Emory Decatur Hospital only uses and discloses PHI in the most
appropriate fashion, defined by the limitations of job function and
“need to know”. Emory Decatur Hospital limits access to PHI to the “minimum
necessary” to achieve the intended purpose regarding the use or
disclosure of PHI.
- Emory Decatur Hospital has implemented measures to secure PHI in all formats (including paper and electronic).
- Emory Decatur Hospital has identified the specific uses and disclosures
of PHI that do not require a patient’s consent/authorization or an
opportunity to object to a use or disclosure.
- Emory Decatur Hospital communicates its privacy policies to its patients
and has established processes for gaining patient consent and
authorization related to the use and disclosure of PHI, and provides
notification of the organization’s planned uses and disclosures.
- Emory Decatur Hospital will not ask patients to waive their right to
complain about privacy violations, nor will they be denied access to
care/treatment based on a privacy complaint.
- Emory Decatur Hospital will mitigate, to the extent practicable, any
harmful effect of a use or disclosure of PHI in violation of its privacy
and security policies.
- At a minimum, Emory Decatur Hospital will maintain, in written or
electronic form, policies and procedures, written communications, and
documentation of any required action, activity or designation that
supports compliance with HIPAA regulations, for six (6) years from the
date of its creation or the date when it last was in effect, whichever
- Emory Decatur Hospital does not condone and will not allow any
retaliatory acts toward any individual, including but not limited to,
patients and the organization staff for reporting any violation of the
organization’s privacy policies or a breach of the organization’s
All partners of Emory Decatur Hospital, including its contractors, vendors
and suppliers, are responsible for (i) complying with these policies and
procedures (non-compliance may result in disciplinary action up to and
including discharge, or termination of contract) and (ii) taking an active
role in enforcing privacy policies and reporting suspected violations
without fear of retaliation. If preferred, the Compliance Hotline may be
used for reporting suspected violations and breaches anonymously.