Confidentiality/HIPAA
Topic: What is PHI
What is PHI?
Protected Health Information (PHI) is any information that:
- Identifies a client (or could reasonably identify them), and
- Relates to their health, care, or payment for care.
PHI can be:
- Name, address, phone number, email, date of birth
- Insurance details, account numbers
- Diagnoses, medications, lab results, treatment plans, progress notes
- Appointment dates and times (in some contexts these count as PHI even without any clinical detail attached)
In a smaller community, even a vague description can become PHI. For example:
“My 3pm telehealth client who lives in [tiny town] with three kids and works at the school”
might be enough to identify someone locally.
Where PHI shows up in your work
- EHR notes and documentation
- Intake forms, treatment plans, lab orders, consult notes
- Voicemails, emails, texts, internal chat messages
- Scheduling, billing, and insurance information
Not PHI
- Training examples that are fully de-identified (no way to connect them back to a specific person)
- General education materials, policies, and procedures with no client identifiers
Limits of Confidentiality
Confidentiality is not absolute. There are times when we are required to share information, even without the client’s permission, such as:
- Suspected abuse or neglect of a child, elder, or vulnerable adult
- Serious and imminent risk of harm to self or others (duty to protect/warn where applicable)
- Certain court orders, subpoenas, or legal requirements
- Some public health or safety reporting requirements
When these situations arise, we share only the minimum necessary information and follow Cognitive Organics’ policies and applicable laws.
Client Access & Documentation Reality
Clients have the right to request access to their records, within the limits of state and federal law.
Write documentation with the assumption that it could be:
- Read by the client
- Reviewed by another provider
- Viewed by an auditor, payer, or attorney
Avoid judgmental language, personal opinions, or venting in notes. Stick to clear, factual, professional documentation that reflects respect, accuracy, and clinical reasoning.
Topic: The Minimum Necessary Rule
The minimum necessary rule means:
You only access, use, or share the least amount of PHI necessary to do your job.
This applies to:
- What charts you open
- What information you include when you talk to another staff member
- What you send in messages or share for billing or administrative purposes
Accessing records
- Access only the charts of clients you are directly involved with or have a legitimate work reason to view.
- Never open charts out of curiosity (friends, family, co-workers, people you know from the community).
Sharing with coworkers
When consulting with another clinician, supervisor, or staff member:
- Share what they need in order to help or do their part.
- You almost never need to share a person’s entire history to get meaningful support.
Billing and administrative staff
Billing and admin staff typically need:
- Demographics, insurance, dates of service, procedure codes, and sometimes high-level diagnosis information.
They do not need to read full process notes to do their jobs.
Whenever you’re unsure, ask yourself:
“What is the least amount of information I can share for this person to effectively do their job?”
And when in doubt, consult your supervisor or the Privacy/Compliance contact.
Topic: How we communicate
Approved communication methods
PHI should be communicated only through approved, secure channels, such as:
- Our EHR and its internal messaging
- Our approved telehealth platform(s)
- Secure messaging tools designated by Cognitive Organics
- Company email accounts, only if they are configured for secure handling of PHI and policy allows it
Not approved
Do not use:
- Personal email accounts (Gmail, Yahoo, etc.) for PHI
- Standard text messages or SMS from your personal phone for clinical content
- Social media messages (Facebook, Instagram, etc.)
- Personal cloud storage for client documents
In-person and remote conversations
- Do not discuss client details in hallways, waiting rooms, elevators, or other public spaces where others can overhear or identify the client.
- When working remotely, make sure:
  - You are in a private space
  - No one else can see your screen
  - You lock your device when you step away
  - You avoid speakerphone unless you are alone
If you are unsure whether something is an appropriate way to communicate, pause and ask before sending.
Topic: Social Media
On social media:
- Never confirm or imply that someone is a client.
- Do not comment on, like, or share client posts in a way that connects you as their provider.
- Do not message clients about clinical concerns or appointments through social media platforms.
- Do not post photos, videos, or screenshots that include client names, charts, whiteboards, schedules, or any other PHI in the background.
Even vague or “blurry” posts can sometimes be identified in small communities. When in doubt, leave it out.
Texting
- Do not use your personal phone to text clients about clinical matters, PHI, or anything beyond very basic logistics, unless explicitly allowed and secured under policy (and even then, keep it minimal).
- If Cognitive Organics uses a secure texting or messaging system, follow that policy closely and use approved templates where provided.
Boundaries
- Do not “friend,” follow, or connect with clients on your personal social media accounts.
- Do not post about specific client situations in ways that a client or others in the community might recognize, even if you don’t use names.
If you have questions about a particular boundary or situation, bring it to your supervisor or Clinical Director.
Topic: Handling Breaches
What is a potential breach?
A potential breach is any situation where PHI might have been seen, accessed, or shared by someone who should not have received it, such as:
- Emailing client information to the wrong address
- Uploading a document to the wrong chart
- Leaving a screen with PHI visible where others can see it
- Losing a laptop, phone, or paper file containing PHI
- Discussing a client loudly in a public place where others can identify them
Not every mistake will legally qualify as a full “breach,” but every potential issue must be taken seriously and reported.
What to do immediately
If you think a privacy mistake has happened:
- Try to secure the situation
  - Close or lock your screen.
  - Retrieve or securely store any physical documents.
  - If possible, ask the unintended recipient not to read or share the information and to delete it.
- Report it right away
  - Notify your supervisor and fill out an incident report.
  - Provide the key facts: what happened, what information was involved, who might have seen it, and what you did so far.
Our culture around reporting
We expect honest reporting of potential breaches and privacy concerns.
- You will not be punished for bringing forward a good-faith mistake or concern.
- Hiding or failing to report a serious privacy issue can create much larger problems for clients, for you, and for the organization.
What happens next
Leadership/Compliance will:
- Review what happened and decide if it meets the legal definition of a breach.
- Determine if clients, regulators, or others must be notified.
- Identify whether system changes, additional training, or process updates are needed to reduce future risk.
Your responsibility is to act quickly, report honestly, and cooperate with any follow-up steps.