HIPAA at the chairside.
What counts as protected health information, the minimum-necessary rule, and the everyday habits that keep you compliant at the chairside.
Why this matters
You handle protected health information on every draw, the name on the band, the date of birth, the tests on the requisition. The exam tests HIPAA as practical "is this allowed" scenarios, and the safe answer almost always comes from two ideas: protect the information, and share only the minimum necessary.
Key takeaways
- PHI is anything that links a person to their care. Name, date of birth, medical record number, diagnosis, and the requisition itself. Protect it on paper and on screen.
- Minimum necessary. Access and share only what the task requires. A phlebotomist needs the order, not the whole chart.
- Do not discuss patients in public. No names in hallways, elevators, or breakrooms. Turn screens and requisitions away from view.
- Stay in your lane on results. Phlebotomists collect; they do not release or interpret results. Direct the patient to the ordering provider.
- Treatment, payment, operations are permitted by default. Most other disclosures need patient authorization. When you are unsure, do not disclose, ask.
- A breach gets reported. A lost requisition, a label sent to the wrong place, an overheard disclosure: report it through your facility's process promptly.
The classic stem: a family member asks for the patient's results in the waiting room. The correct answer is that you do not provide them and you direct the request to the ordering provider. Being friendly is not the same as being compliant.
Standards reference: HIPAA Privacy Rule, 45 CFR Part 164. Cross-referenced against the ASCP BOC PBT content guideline, Safety & Compliance domain. PhlebotomySkills.com is exam-preparation content. Not a degree, not for-credit coursework, and not affiliated with any certifying body.
Ready to test yourself?
Practice bank · Simulator · Flashcards
Exam-difficulty questions with CLSI-cited rationales.