What PHI is in a facility directory?

By providing patient information while respecting privacy, facility directories facilitate effective communication and support between patients, their families, visitors, and healthcare providers. 

What are facility directories?

A facility directory, in the context of healthcare institutions, is a designated record that contains non-specific information about individuals within the facility's care. It serves as a means to assist callers or visitors in locating patients. This directory enables covered healthcare providers to share pertinent details about patients' presence in the facility without disclosing sensitive medical information. Separate versions of such directories, like those tailored for emergency rooms, can also be maintained while adhering to the established privacy requirements.

The HIPAA Privacy Rule and directories

The HIPAA Privacy Rule allows healthcare institutions to create a facility directory as a resource for communicating information about patients. To ensure patient privacy and autonomy, the rule mandates that individuals be informed about the directory's existence and purpose. 

See also: What is protected health information (PHI)?

What PHI is found in a facility directory?

In a facility directory, the following patient information may be included as part of the protected health information (PHI) without violating HIPAA regulations:

1. Patient name: The directory may contain the patient's full name for identification purposes.
2. Location in the facility: Information about where the patient is currently located within the healthcare facility.
3. General health condition: A non-specific description of the patient's overall health condition, presented in a manner that doesn't reveal specific medical details.
4. Religious affiliation: The patient's religious affiliation may be included in the directory.

What kind of PHI needs to be excluded from a facility directory

Specific types of PHI must be excluded from the directory. This includes any information that could directly identify a patient's health condition, treatment, or medical history. Details such as diagnoses, specific medical procedures, laboratory results, medication lists, and any other information that can unveil intricate medical aspects of a patient's care should be omitted. 

See also: HIPAA Compliant Email: The Definitive Guide

Permitted disclosures of PHI within facility directories 

1. Patient consent: If a patient has been informed about the facility directory and its intended disclosures, and the patient provides explicit consent for their information to be included and shared, the directory information can be disclosed based on their preferences.
2. Emergency situations: In cases where a patient is unable to provide consent due to emergency treatment circumstances or incapacity, directory information about the patient may still be disclosed if doing so is in the individual's best interest as determined by the healthcare provider's professional judgment. This disclosure must not contradict any known preferences previously expressed by the individual.
3. Informing the patient: If a patient is unable to express their preference initially due to emergency situations or incapacity, the healthcare provider must still inform the patient about the facility directory and provide them with an opportunity to express their preference about how, or if, the information may be disclosed as soon as practicable.
4. Religious affiliation: The patient's religious affiliation can be disclosed to members of the clergy, who are given additional access to directory information under the Rule.

See also: What to know before disclosing PHI to the media