(a) If Oklahoma Department of Human Services (OKDHS) staff is familiar with the person or entity requesting protected health information (PHI), OKDHS verifies the authority of the person or entity to receive the information. If OKDHS staff is not familiar with the person or entity requesting PHI, OKDHS verifies identity and authority of the person or entity to receive the information.
(b) OKDHS staff must exercise care to avoid incidental disclosures of PHI through oral communications.
(c) Appointment reminders may be left on answering machines and voice mail systems, unless the client has requested an alternate means of communication.
(d) Faxing PHI is allowed when:
- (1) only the minimum necessary PHI is sent;
- (2) the information is not sensitive or it is an emergency situation;
- (3) the information is accompanied by Form HIPAA-8, Health Information Fax Cover Sheet; and
- (4) reasonable efforts are made to ensure the fax transmission is sent to the correct destination.
(e) PHI is only photocopied when necessary for treatment, payment, or health care operations, when authorized by the client or the client's personal representative, or when required by law.
(f) PHI must be discarded in accordance with OAC 340:2-21-35.
(g) Clients' case records and other forms of PHI must be filed and kept safe from unauthorized access.
(h) Clients and visitors must be appropriately escorted in a secured area to ensure there is not unauthorized access to PHI.
(i) Computer monitors must be positioned to prevent unauthorized observation or access. Unattended computers must be returned to a password-protected screen saver.
(j) Correspondence, including e-mail and fax, that includes PHI is allowed if limited to the minimum necessary standard.