Healthcare providers place requests for interpreter services on a web portal that the state agency leases from a private vendor. Interpreters then log into the web portal to fish for appointments. They can access the web portal from their computers or mobile devices and do so frequently at public places such as coffee houses, libraries, waiting rooms, etc. where there is no expectation of privacy. All appointments are posted on a virtual job board indicating: job number, language, date on which the service should be rendered, scheduled start and end time, location of the appointment, mileage from the interpreter's residence to the appointment, and type of invoice (payment policy).
Here is the problem for which we seek HHS guidance. Until June 30, 2018, the state's vendor never showed the patient's name, health record, or the healthcare service to be provided (e.g. surgery, transplant) on the job board when interpreters were fishing for appointments. To view a patient's name, the interpreter had to click on a button to view more information about the appointment. A new vendor took over on July 1. The new job board shows the patient's name and sometimes the healthcare procedure and is viewed by all interpreters when fishing for appointments. We believe this unnecessarily exposes PHI. Are we correct? Furthermore, when the software program issues the automated invoice to the interpreter it shows the patient's name and health record. We believe this unnecessarily exposes PHI. Are we correct?