HIPAA violations possible unless e-mail is controlled
With more and more health information being transferred electronically, risk managers must be more cautious than ever about complying with the Health Insurance Portability and Accountability Act (HIPAA), says Cheryl Camin, JD, an attorney on the HIPAA practice team at the Dallas law firm of Gardere Wynne.
The new Security Standard portion of HIPAA specifically requires that electronic protected health information, including e-mails, be protected. There must be administrative safeguards as well as physical and technical protection. The strategies for compliance can include everything from shutting down computer screens when the user is away to encryption of messages.
"You can have serious violations of the Security Standard by e-mailing things back and forth. Even if the breach is not intentional, things get forwarded from one person to another and before you know it someone’s health information is in front of a thousand people," she says. "Less is always more when it comes to protected health information. If you don’t have to disclose it, if it doesn’t deal with the treatment at hand, if it doesn’t have to go in that e-mail, don’t put it in there."
Also don’t put anything confidential in the "Re:" line on an e-mail, not even anything general like "your test results" or "treatment plan," which could pique someone’s interest.
Risk managers may be tempted to write a policy that prohibits sending certain kinds of information by e-mail, but Camin cautions that such a strategy can backfire.
"The difficulty is that you do want to contain the risk, but if you’re too restrictive, people will violate the policy left and right," she says. "That’s not good for your employees and you also would have people in violation of your own policy, which never looks good when you’re accused of a HIPAA violation."
If you already have an e-mail policy, Camin recommends revisiting it because chances are good that the policy has not kept up with recent advances in how e-mail is used. Years ago, providers did not send as many documents, the same type of documents, or image files, she notes.
"Some of it is common sense, too. People have to understand that e-mail can be protected information and treat it that way," she says. "Just because you might go to Starbucks and read your e-mail, not caring if someone looks over your shoulder and sees the note from your mom, that doesn’t mean you can do the same thing with e-mail to a patient. That is protected information, and you still have to treat it that way even when it is in e-mail form."
The good news is that federal officials are not out prowling Starbucks looking for a doctor who is sloppy with protected health information. Camin says HIPAA violations are all complaint driven, so someone has to be upset enough to report the breach.
"It’s usually because you sent the e-mail to the wrong person, especially if it lands in the hands of the patient’s employer," she says. "It usually has to be egregious, but people can get very upset about their employers or their relatives getting information about their health status. That’s why you have to be so very careful."
With more and more health information being transferred electronically, risk managers must be more cautious than ever about complying with the Health Insurance Portability and Accountability Act (HIPAA), says Cheryl Camin, JD, an attorney on the HIPAA practice team at the Dallas law firm of Gardere Wynne.You have reached your article limit for the month. Subscribe now to access this article plus other member-only content.
- Award-winning Medical Content
- Latest Advances & Development in Medicine
- Unbiased Content