HIPAA, PHI, Electronic Health Records & Medical Terminology

Key Takeaways

  • HIPAA's Privacy Rule governs PHI use and disclosure while the Security Rule governs safeguards specifically for electronic PHI (ePHI).
  • The minimum-necessary standard requires accessing or sharing only the PHI needed to complete a specific task.
  • EHR documentation errors are corrected with a single line through the entry plus a signed, dated amendment, never by erasing or deleting.
  • The Joint Commission Do-Not-Use abbreviation list flags entries such as 'U' for unit and trailing zeros as prohibited because they cause dosing errors.
  • Medical terms typically combine a root, a prefix, and a suffix, such as cardi/o (heart) plus -itis (inflammation) forming carditis.
Last updated: July 2026

HIPAA: Privacy and Security

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, sets the federal floor for protecting patient health information. Two rules matter most for the PCT/A:

  • The Privacy Rule governs how protected health information (PHI) may be used and disclosed, regardless of its format (paper, verbal, or electronic).
  • The Security Rule governs electronic PHI (ePHI) specifically, requiring administrative, physical, and technical safeguards -- things like access controls, workstation security, and audit logs.

Both rules apply to covered entities (providers, health plans, clearinghouses) and their business associates (vendors who handle PHI on the entity's behalf).

The Security Rule organizes safeguards into three categories:

  • Administrative safeguards -- policies, training, and designated security/privacy officers
  • Physical safeguards -- locked file rooms, screen privacy filters, and secured server rooms
  • Technical safeguards -- unique login credentials, automatic screen lock, encryption, and audit trails

Common everyday HIPAA violations a PCT/A must avoid include discussing a patient's condition in an elevator or cafeteria, leaving a printed chart face-up at the nurses' station, texting patient details over a non-secure personal messaging app, and posting about a shift or a patient on social media, even without using a name.

Protected Health Information

PHI is any individually identifiable health information linked to one of the 18 HIPAA identifiers, including:

  • Name, address, and all dates related to an individual (birth, admission, discharge)
  • Phone/fax number, email address, and Social Security number
  • Medical record number, health plan beneficiary number, and account number
  • Biometric identifiers and full-face photographs

Sharing or discussing any of these details outside of a legitimate care purpose is a HIPAA violation, whether the disclosure happens verbally in a hallway, on a printed report left in view, or through an unsecured text message.

The minimum necessary standard requires that PHI be accessed, used, or disclosed only to the extent needed to accomplish the intended purpose. A PCT/A assigned to one unit should not browse records on another unit out of curiosity, and should share only the specific information a coworker needs to complete their task -- not the patient's entire chart. This standard does not apply to disclosures made directly to the patient or for direct treatment purposes.

Electronic Health Record Documentation

The EHR is the legal record of care. Sound documentation practice requires that entries be:

  • Accurate -- reflect exactly what was observed or performed
  • Timely -- entered as close to the time of care as possible, never charted in advance
  • Objective -- factual observations, not opinions or assumptions

When an entry error is discovered, the correct fix is a single line drawn through the incorrect entry (leaving it legible) with a signed, dated correction noted beside it -- the original entry is never erased, deleted, or obscured, because the EHR is a legal document.

Access controls matter as much as documentation accuracy: every PCT/A logs in with a unique username/password, never shares credentials, and logs off any workstation before stepping away. Audit trails record every user who views or edits a chart, so inappropriate access is traceable.

Medical Terminology Building Blocks

Most clinical terms combine a root (the body part or system), a prefix (modifies meaning, often location/number/time), and a suffix (condition or procedure).

Word PartMeaningExample Term
cardi/o (root)heartcarditis -- inflammation of the heart
brady- (prefix)slowbradycardia -- slow heart rate
-itis (suffix)inflammationdermatitis -- inflammation of the skin
-ectomy (suffix)surgical removalappendectomy -- removal of the appendix
hem/o (root)bloodhematuria -- blood in the urine
-emia (suffix)blood conditionhypoglycemia -- low blood sugar
hyper-/hypo- (prefixes)above normal / below normalhypertension -- high blood pressure
-algia (suffix)painneuralgia -- nerve pain

Directional prefixes are especially high-yield: tachy- means fast (tachycardia), brady- means slow (bradycardia), ante- means before (antepartum), and post- means after (postoperative). Recognizing these small word parts lets a PCT/A decode an unfamiliar term without memorizing every word individually.

Abbreviations and the Do-Not-Use List

Standardized abbreviations (NPO = nothing by mouth, PRN = as needed, STAT = immediately) speed communication, but some abbreviations are dangerous enough that the Joint Commission maintains an official Do-Not-Use list, including:

  • 'U' for unit -- can be misread as a zero or the number four
  • 'IU' for international unit -- can be misread as IV or the number ten
  • 'Q.D.' or 'Q.O.D.' -- can be confused with each other
  • A trailing zero after a decimal point (e.g., 1.0 mg) -- can be misread as 10 mg if the decimal is missed
  • A lack of a leading zero before a decimal (e.g., .5 mg) -- can be misread as 5 mg

Using the full word instead of these abbreviations prevents medication and dosing errors, directly supporting the National Patient Safety Goal for safe medication use. The Do-Not-Use list applies to all handwritten orders and free-text entries in the medical record, including PCT/A documentation, order transcriptions, and medication-related communication -- it does not apply to pre-printed forms that already display the full, standardized term.

Test Your Knowledge

A coworker asks a PCT/A to look up a celebrity patient's lab results out of curiosity, with no assigned care task involved. Accessing this record would violate which concept?

A
B
C
D
Test Your Knowledge

Which abbreviation appears on the Joint Commission's Do-Not-Use list because it can be misread and cause a medication error?

A
B
C
D