Written by: Kelly Buckman
Those of us working in the field of Healthcare IT are often intimately familiar with HIPAA regulations and their impact on our day-to-day operations. But in the course of working to resolve problems for our customers, how often do we really think about the pitfalls of sharing healthcare-related information amongst ourselves and others? Usually this takes the form of screenshots, samples of reports, data files, etc. I can’t count the number of times I’ve emailed a screenshot of a software-created object to one or more of my co-workers in the course of collaborating on an issue (“Have you seen this before?”), or to a customer contact to triumphantly demonstrate that I’ve resolved their data or server-related issue (“Look, it’s fixed. You’re welcome!”).
But very often, the data transferred back and forth contains PHI (Protected Health Information) or PI/PII (Personal Information/Personally Identifiable Information) such as name, address, telephone number, Social Security number, birth date, and other information whose disclosure, if shared without protection, constitutes a HIPAA violation. This is obviously a concern for healthcare providers, and should be for those who support them as well.
The Office of Civil Rights (OCR) of the Department of Health and Human Services states that “The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.”
The standard for transmission security (§ 164.312(e)) also states that “the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”
This tells us that the protection of PHI/PII is not only advisable, it’s mandated. So how can we protect the information we share with others?
One way we in Healthcare IT risk violating HIPAA regulations is through email. Some basic guidelines to remain HIPAA compliant while effectively communicating with clients:
- Before hitting ‘send’ on any email, make sure that the message is addressed to the correct recipients. Follow the principle of ‘less is more’: send to the smallest number of people necessary, only those who need to know or can benefit from the information in the email.
- If you’re including attachments, make sure that the correct attachments are included, and that they support the message you’re sending.
- Encrypt the message by using the prefix Secure: in the email subject line (this relies on your organization’s outbound mail gateway being configured to encrypt on that keyword). The process will usually be transparent to both the sender and receiver of the message. If the recipient’s email system doesn’t support encryption, the recipient will be redirected to a link to retrieve the message. Remember to use encryption on ANY electronic device you use to transmit sensitive data. Other ways to encrypt email:
  - Use a secure messaging application, such as Cisco Registered Envelope Service (CRES).
  - Use WinZip to send files encrypted; send the password to unlock the WinZip file in a separate email.
When dealing with PHI/PII, it is advisable to include a confidentiality notice in your email signature. The following is the standard wording:
Confidentiality Notice: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
While including a disclaimer at the end of your email message is important, it’s worth noting that the disclaimer does not in and of itself satisfy the requirement to send electronic PHI securely.
Just as important as protecting PHI and PII data while in transit is disposing of it when it is no longer needed. It’s advisable to contract with a company to completely destroy electronic PHI/PII. You should also delete sensitive data from currently used drives and from Recycle Bins, securely wipe drives you no longer need, and avoid using external storage media (scan drives, CDs, etc.).
If you use Instant Messaging to communicate with others in your organization, you shouldn’t save Skype for Business/Lync call logs. To disable this option:
- In Skype for Business/Lync, in the upper right corner, click the ‘Options’ (gear) icon
- From the menu on the left, select ‘Personal’
- Uncheck the box next to “Save call logs in my email Conversation History folder”
- Click ‘OK’
Lastly, if you must email attachments containing PHI or PII, you should use document software that allows you to black out or redact sensitive data. Adobe Acrobat is one application that contains redaction tools. If you choose to do this, be sure to use redaction tools that remove the underlying data rather than merely covering it, so the redaction cannot be reversed.
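Two of the guidelines above (the Secure: subject-line prefix for messages carrying PHI, and irreversible redaction of attachments) can be checked mechanically before a message leaves your mailbox. The following Python is an added example written for this page, not code from the author or from any product mentioned here. It assumes the Secure: keyword convention described above, uses constructed regular expressions for three of the identifier types the article lists (Social Security number, telephone number, date of birth), and runs over a constructed sample message. Names and street addresses are not pattern-matchable this way, so a check like this catches the obvious cases only; it does not replace your gateway’s encryption or Acrobat’s redaction tools.

```python
import re

# Subject-line keyword the organization's mail gateway is assumed to key on.
SECURE_PREFIX = "Secure:"

# Constructed patterns for three PHI/PII identifier types named in the article.
# Lookarounds (rather than \b) keep "(413) 555-0123" matching as one token.
PHI_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-. ])\d{3}[-. ]\d{4}(?!\d)"),
    "dob": re.compile(r"(?<!\d)(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}(?!\d)"),
}


def find_phi(text):
    """Return a list of (kind, matched_text) for every PHI-like token in text."""
    hits = []
    for kind, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((kind, match.group(0)))
    return hits


def check_outgoing(subject, body, attachments):
    """Pre-send check for the Secure: guideline.

    attachments maps filename -> extracted text. Returns a list of problems;
    an empty list means the message may be sent as-is.
    """
    problems = []
    combined = body + "\n" + "\n".join(attachments.values())
    hits = find_phi(combined)
    if hits and not subject.startswith(SECURE_PREFIX):
        kinds = sorted({kind for kind, _ in hits})
        problems.append(
            f"message contains {len(hits)} PHI-like value(s) ({', '.join(kinds)}) "
            f"but subject does not start with '{SECURE_PREFIX}'"
        )
    return problems


def redact(text):
    """Replace PHI-like tokens with a marker.

    The original characters are removed from the text, not covered up, so the
    result cannot be reversed the way a drawn-over black box can.
    """
    for kind, pattern in PHI_PATTERNS.items():
        text = pattern.sub(f"[REDACTED {kind.upper()}]", text)
    return text


# Constructed sample ticket reply; the values are fictitious.
SAMPLE_SUBJECT = "Re: ticket 4711 - claim import fixed"
SAMPLE_BODY = (
    "Look, it's fixed. The record for the patient with SSN 123-45-6789, "
    "DOB 03/14/1975, phone (413) 555-0123 now loads correctly."
)
SAMPLE_ATTACHMENTS = {"screenshot.txt": "Patient phone 413-555-0199"}

if __name__ == "__main__":
    for problem in check_outgoing(SAMPLE_SUBJECT, SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print("BLOCKED:", problem)
    print("Redacted body:", redact(SAMPLE_BODY))
    print("PHI left after redaction:", find_phi(redact(SAMPLE_BODY)))
```

Running the block blocks the sample message because its subject lacks the Secure: prefix, and shows that the redacted body yields no further matches. Checking `find_phi(redact(...))` is empty is the same verification you should do on a redacted PDF: search the saved file for the values you believe you removed.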
In summary, if you must send PHI or PII electronically, don’t fear; you can avoid HIPAA violations by taking precautions and using a bit of common sense. In the end, your clients and your employer will thank you.
Kelly Buckman is a healthcare IT expert and field expert blogger for Barracuda Consulting.
Kelly has almost a decade of experience as a Technical Support Engineer/Analyst in the field of Healthcare IT, over 20 years in IT Support, and several years of experience in Project Management. She has a B.A. from Mount Holyoke and a master’s degree from UMass Amherst, and lists her skills as the ability to analyze and resolve various types of application, server and network issues, and to communicate complex ideas effectively.
She is also the mother of 3 sons, ages 19, 17, and 11, lives in western Massachusetts, and enjoys solving puzzles, reading, and travelling.