[ Tuesday, February 15, 2005 ]
More email stuff:
Obviously, ePHI and email are a troubling combination. So, since you can't eliminate either one, and they do go well together, do what you can to minimize the risk of improper use or disclosure.
<<As an aside, let me note a comment I often make in speeches I give on HIPAA: You can obtain the greatest security for PHI by preventing its use or disclosure by or to anyone, anywhere. That's right, the greatest security you can have for PHI is to ensure that there is no exchange of PHI. On the other hand, you can obtain the greatest level of patient care by the absolutely free and unfettered exchange of PHI. Take the case of a physician confronting a patient with a rare or puzzling condition. There's probably a handful of other doctors elsewhere in the world who have seen the exact same thing, and some who probably have a good idea how to treat it. Perhaps a family member of the patient faced the same issue and some treatment worked particularly well for them. So, perfect healthcare and perfect privacy are in conflict. Keep that in mind when you're trying to implement HIPAA: don't let the perfect (privacy) be the enemy of the good (patient care).>>
De-identify: remember that information is PHI only if the individual can be identified from it. If patient names are never used, the email may contain medical information, but it is not PHI, provided nothing else in the message identifies the patient (treatment dates, record or account numbers, and the patient's own email address are identifiers too, not just the name). This isn't always possible, especially when the communication is with the patient, but it is possible if the patient uses an email address that can't be tied to them and no names are used. If you can send the email and get the result without naming names, then don't name them.
Clear out your email boxes: If you don't need to keep an email for medical record or business purposes, delete it. If you want to keep it, print it and delete it. And remember that "deleted" doesn't mean "deleted": it just means that the space on the medium (hard drive, disk, etc.) is marked free for over-writing with other information. Until something else overwrites that spot on the medium, the information is still there and can be recovered by anyone who reads the raw disk rather than the file listing. Considering that, look for tools that will "scrub" your hard drive by overwriting the freed space, so that what you thought you deleted is actually gone. Bear in mind, too, that a scrub of your own machine does nothing about the copies held in a server-side mailbox or in backups.
Of course, if you have EMRs, you might have the ability to shift emails into the patient's electronic files. If so, do it, but make sure it doesn't stay in shadow form on your email hard drive.
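To make the "deleted doesn't mean deleted" point concrete, here is an added illustration (not code from the original post) that models a disk as a byte array with a directory, the way a file system allocator sees it. It touches no real file system; the disk, the allocator and the sample message are all constructed for the example. It shows that an ordinary delete only forgets the directory entry, that a later small write overwrites only part of the old message, and that overwriting the bytes before releasing them (what a "scrub" does) is what actually removes the information. One caveat the toy model cannot show: on journaling file systems, SSDs with wear levelling, and mail stores with backups, an in-place overwrite is not guaranteed to reach every copy, so scrubbing is a mitigation rather than a guarantee.

```python
import os


class ToyDisk:
    """A raw medium (bytearray) plus a directory, modelling the allocation
    view of a disk. Constructed for illustration; not a real file system."""

    def __init__(self, size=512):
        self.medium = bytearray(size)     # the bytes actually on the platter
        self.directory = {}               # name -> (offset, length)
        self.free = [(0, size)]           # free extents: (offset, length)

    def _allocate(self, length):
        # First-fit allocation over the free list.
        for i, (off, avail) in enumerate(self.free):
            if avail >= length:
                rest = avail - length
                if rest:
                    self.free[i] = (off + length, rest)
                else:
                    del self.free[i]
                return off
        raise OSError("disk full")

    def write(self, name, data):
        off = self._allocate(len(data))
        self.medium[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        return off

    def delete(self, name):
        """Ordinary delete: forget the file and hand its extent back to the
        free list. The bytes stay on the medium untouched."""
        off, length = self.directory.pop(name)
        # Most recently freed space is reused first, as many allocators do.
        self.free.insert(0, (off, length))

    def scrub(self, name):
        """Secure delete: overwrite the file's bytes, then release the extent."""
        off, length = self.directory[name]
        self.medium[off:off + length] = bytes(length)   # zero fill
        self.delete(name)

    def carve(self, needle):
        """What a forensic tool does: search the raw medium, ignoring the
        directory. Returns True if the pattern is still on the disk."""
        return self.medium.find(needle) != -1


def demo():
    """Walk through delete, partial overwrite and scrub; return what a
    raw-disk search finds at each stage."""
    # Constructed sample message; the patient and address are fictitious.
    email = (b"To: jane.doe@example.com\n"
             b"Diagnosis: condition X, see attached labs\n")
    results = {}

    disk = ToyDisk()
    disk.write("inbox/msg1.eml", email)
    results["before_delete"] = disk.carve(b"jane.doe")          # True

    disk.delete("inbox/msg1.eml")
    results["after_delete"] = disk.carve(b"jane.doe")           # True: still there
    results["directory_after_delete"] = "inbox/msg1.eml" in disk.directory  # False

    # A later, shorter message reuses only the front of the freed extent:
    # the address is overwritten, the diagnosis line is not.
    disk.write("inbox/msg2.eml", b"Meeting moved to 3pm")        # 20 bytes
    results["name_after_partial_overwrite"] = disk.carve(b"jane.doe")       # False
    results["diagnosis_after_partial_overwrite"] = disk.carve(b"Diagnosis")  # True

    # Scrubbing overwrites before releasing, so nothing is left to carve.
    scrubbed = ToyDisk()
    scrubbed.write("inbox/msg1.eml", email)
    scrubbed.scrub("inbox/msg1.eml")
    results["after_scrub"] = scrubbed.carve(b"jane.doe") or scrubbed.carve(b"Diagnosis")  # False
    return results


if __name__ == "__main__":
    for stage, found in demo().items():
        print(f"{stage}: {found}")
```

The `carve` function is the check a practitioner would run against a real drive with a forensic tool; `scrub` is the behaviour a "scrub" utility supplies, and `delete` is what the email client's Delete button does.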
Also, set up your email system to delete emails after a set period of time, such as 90 days. And make sure your staff is trained in (i) the risks of using email, (ii) the possibility of encryption and how to do it, (iii) the need to discuss with the patients your email policies, and (iv) how to appropriately do email in a manner that will minimize risks.
Finally, remember that your inbox isn't your only email repository; there are also things in the trash folder as well as in the sent folder. And remember (and remind your staff) that there's a difference between "reply" and "reply all", and there's a difference between a plain "reply" and a reply that quotes the original message, which re-sends whatever PHI the original contained. Minimize who you send to as well as what you send.
Jeff [12:22 PM]