Be cautious with your staff access rights to PHI
Covered entities should be very cautious with providing sales and marketing representatives with access to protected health information (PHI) because, as a general matter, there is no reason for these representatives to have access to PHI. Even within the covered entity’s own workforce, access to PHI must be pursuant to a specific HIPAA exception or covered by a HIPAA compliant patient authorization. Members of covered entity’s workforce are not under any blanket permission to access PHI.
If a referring provider wishes assistance on the healthcare records or results of testing for a particular patient, it is advisable for the sales and marketing representative to pass this request along to the appropriate individual within the covered entity, rather than directly access the patient record himself or herself. Furthermore, sales and marketing representatives should not proactively review patient healthcare records or patient billing records (which contain PHI) unless a specific HIPAA exception exists to protect the activity.