Do your e-mails comply with new security regs?
HIPAA regs cover security and confidentiality
With the security standard of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) formally effective as of April 21, 2005, it’s incumbent on quality professionals to be familiar with its requirements concerning electronic communications — in particular, e-mail — which are used so ubiquitously as part of normal business practice.
Even if you do not communicate directly with patients via e-mail, if you have any responsibility for HIPAA compliance, it’s important you ensure hospital staff know what they can and cannot do, experts say.
What’s more, regular activities such as internal departmental communications as well as outside communications for benchmarking or research purposes must be handled carefully.
"It’s absolutely germane to talk about this with your physicians," declares Anne E. Doliner, JD, an attorney with the law firm Stevens & Lee in Lancaster, PA.
"E-mail communications become part of the record if they are about individual care or treatment," she says.
As such, unless they are secure, e-mails about patients cannot include any of several "identifiers" HIPAA says would enable anyone reading them to ascertain the patient’s identity. (Click here for the complete list of identifiers.)
"We’ve created e-mail guidelines throughout the organization, but particularly for clinician-patient communication — and the other way around," notes Karen Grant, RHIA, CHP, corporate director and health information services/privacy officer, in the Wellesley, MA, office of Boston-based Partners Healthcare (the corporate organization for Massachusetts General Hospital, Brigham & Women’s Hospital, and several other health care facilities.)
"We basically gave the clinicians and patients the privacy issues they would be involved with. Patients should know e-mail can be sent to the wrong party, accessed from various locations, and may be sent to other providers," she explains.
"What I recommend is that if a patient is going to e-mail you, they need to know it is not secure, and that they should not send highly sensitive information, such as lab results," Doliner adds. "If you initiate the e-mail, make sure the patient has signed off on a separate form that they understand [e-mail] is not secure."
She also recommends your e-mails include a disclaimer, much like the ones you see on faxes.
"And educate hospital staff as to just what kind of e-mails they can initiate," she adds. "If staff gets an e-mail [from a patient] they need to pick up the phone and tell the patient they either need to talk about the issue on the phone or in person."
Which e-mails are secure?
The new security standards go beyond defining the kinds of information you can and cannot share; they address the fact that whatever information you do share must be secure from being seen by individuals other than the intended recipient(s).
E-mails are sent in two different ways: within closed systems, or to people outside your system via the Internet. "It is probably easier to maintain confidentiality in a closed system," Doliner notes. "You have safeguards such as firewalls and audit trails."
An audit trail, she explains, enables you to determine who has logged on to a certain terminal (by their pass code), who had access to the terminal, and so forth.
"So if there is misuse of information, you can go back and see who was logged on." In addition, you have to educate anyone who uses the system to not share their pass code or tape it up on their computer, "because they will be held accountable if information is leaked," Doliner notes.
The security standards also call for e-mails to be encoded and encrypted, "But I believe HHS [the Department of Health and Human Services] has backed off on that a bit," she says. "It is simply too cumbersome. Still, there do need to be certain safeguards to secure your intranet."
Using the Internet gets a little trickier, Doliner says. "It may be an open line, or it may not be. You would have far fewer concerns from a HIPAA standpoint if there are no individual identifiers involved; it’s a bigger concern if you are using protected health information."
To help guide employees through what sometimes can be a confusing process, Partners Healthcare has set up an internal web site called HIPAA Central. "It includes things that people may want to review before sending out e-mails," Grant notes. "Even if you are sending information to peers, you have to take it on a case-by-case basis."
Security for benchmarking
If you are involved in a benchmarking project or communicating with outside organizations in some other fashion, HIPAA also can come into play, Grant says.
"It may not apply to packets of metrics, but if you share information with benchmarking groups, one needs to apply various aspects of HIPAA," she says.
"If you send statistical information and no identifiable information, there is no implication of HIPAA," Doliner says. "The easiest thing to do is to sanitize the data by taking out patient information, but that can be daunting," she adds.
"Once you look at who you are sharing information with, you need to determine if a business associate agreement [a written agreement about how you will proceed] is needed," Grant says. "We have such an agreement; when it applies to us is when we are outsourcing someone to do work on our behalf."
If you have any doubts, she says, you should see your privacy officer. "If I had a QI person contact me, I’d see exactly what it is you want to do. For example, if they are working on a study with another health care facility, is this truly a QI study? Are they doing this on our behalf because we can’t do it ourselves?"
If the findings are going to be published, she continues, the HIPAA research guidelines apply. "You then have to think about limited data sets," Grant notes. For example, you might just be sharing city, state, and zip code information, but those still are considered identifiers.
"If you are releasing protected health information, make sure the identification supplies the minimum information necessary to do whatever it is you are doing. You can’t just take the whole database and send it," Grant adds.
Need More Information?
For more information, contact:
- Anne E. Doliner, JD, Stevens & Lee, 25 N. Queen St., Suite 602, P.O. Box 1594, Lancaster PA 17608-1594. Phone: (717) 399-6659. Fax: (610) 236-4173. E-mail: [email protected].
- Karen Grant, RHIA, CHP, Corporate Director, Health Information Services/Privacy Officer, Partners Healthcare, Wellesley, MA. Phone: (781) 416-8750. E-mail: [email protected].
You have reached your article limit for the month. Subscribe now to access this article plus other member-only content.
- Award-winning Medical Content
- Latest Advances & Development in Medicine
- Unbiased Content