When most doctors think of Protected Health Information (PHI), they automatically associate it with paper and digital files. Under the Health Insurance Portability and Accountability Act (HIPAA), such files can certainly be classified as PHI, assuming they contain personal information about a patient. However, speech is another form of PHI that shouldn't be overlooked.
Covered entities must treat verbal PHI in the same manner as any other PHI, implementing the necessary safeguards to protect it from unauthorized use and disclosure. If a worker unknowingly discusses a patient's health condition in a public office, and someone else hears the information and later uses it for nefarious purposes, it could be considered a HIPAA violation. Verbal PHI breaches such as this are rare, but they are still something that covered entities need to be aware of.
Some doctors and other covered entities question whether or not private rooms and/or soundproof walls are required under HIPAA. If patient rooms are equipped with soundproof walls, conventional wisdom should lead you to believe that instances of verbal PHI disclosure would be less likely. This is particularly true in hospitals, as doctors and nurses often visit patient rooms to discuss treatment options and other personal information that falls within the realm of PHI.
According to the Department of Health and Human Services (HHS), the Privacy Rule – the rule governing all forms of PHI, including verbal – does not require any structural changes such as this to be made. Rather, it requires covered entities to make reasonable efforts to prevent uses and disclosures of PHI not permitted by the Privacy Rule.
The HHS further says that covered entities can make adjustments to their workplace and practice to reduce the risk of verbal PHI disclosure. One such measure is asking patients to take a few steps back. Whether it's a doctor's office or pharmacy, it's not uncommon for multiple patients to wait in line at the front desk. If a patient is standing directly behind another patient, however, he or she may overhear their PHI. Simply asking the patient to take a few steps back is an effective way to prevent such disclosure from occurring.
To recap, covered entities must implement the necessary safeguards to protect PHI – verbal, written and digital – from unauthorized use and disclosure. The Privacy Rule, however, does not require covered entities to make any specific structural changes to their facility.