Drexel University Clinical Covered Entities
Privacy Program Policies and Procedures
Policy Title: Patient Lists
Policy Number: IM-19
Effective Date: April 14, 2003; September 23, 2013
Last Revision: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer
Table of Contents
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
Drexel University (DU) requires that patient lists and protected health information (PHI) be maintained in a confidential and secure manner.
This Policy informs the DU clinical practices that patient lists required for day-to-day operations must be maintained in a confidential manner and destroyed by shredding when no longer required.
- All patient lists produced will include the minimum amount of protected health information needed to accomplish the purpose of the list.
- Patient sign-in sheets should not include PHI beyond name and should not include demographics or the mention of diagnostic information.
- Patient lists will be utilized in a confidential manner and destroyed when no longer required.
- If the list is retained it must be stored in a locked drawer or file cabinet.
- The locked drawer or file cabinet should be located in a room that is locked after business hours.
- Production or use of a "patient" list for any purpose other than daily clinical operations must be approved by the Department Administrator prior to production of the list.
Back to Top