
Emailing with PHI/PII: Navigating the HIPAA Landscape in the Information Technology Age

Written by: Kelly Buckman

Those of us working in the field of Healthcare IT are often intimately familiar with HIPAA regulations and their impact on our day-to-day operations. But in the course of working to resolve problems for our customers, how often do we really think about the pitfalls of sharing healthcare-related information amongst ourselves and others? Usually this takes the form of screenshots, samples of reports, data files, etc. I can’t count the number of times I’ve emailed a screenshot of a software-created object to one or more of my co-workers in the course of collaborating on an issue (“Have you seen this before?”), or to a customer contact to triumphantly demonstrate that I’ve resolved their data or server-related issue (“Look, it’s fixed. You’re welcome!”).

But very often, the data transferred back and forth contains PHI (Protected Health Information) or PI/PII (Personal Information/Personally Identifiable Information) such as name, address, telephone number, Social Security number, birth date, or other information whose unprotected disclosure constitutes a HIPAA violation. This is obviously a concern for healthcare providers, and it should be for those who support them as well.

The Office of Civil Rights (OCR) of the Department of Health and Human Services states that “The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.”

The standard for transmission security (§ 164.312(e)) also states that “the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”
This tells us that the protection of PHI/PII is not only advisable, it’s mandated. So how can we protect the information we share with others?

Email is one of the main ways we in Healthcare IT risk violating HIPAA regulations. Some basic guidelines for remaining HIPAA compliant while communicating effectively with clients:
  • Before hitting ‘send’ on any email, make sure the message is addressed to the correct recipients. Follow the principle of ‘less is more’: send to the fewest people necessary, only those who need to know or can benefit from the information in the email.
  • If you’re including attachments, make sure the correct attachments are included and that they support the message you’re sending.
  • Encrypt the message by putting the prefix Secure: in the email subject line. The process is usually transparent to both the sender and the receiver of the message. If the recipient’s email system doesn’t support encryption, the recipient is instead sent a link to retrieve the message. Remember to use encryption on ANY electronic device you use to transmit sensitive data. Other ways to encrypt email:
  1. Use a secure messaging application, such as Cisco Registered Envelope Service (CRES).
  2. Use WinZip to send files encrypted; send the password to unlock the WinZip file in a separate email.
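The first and third guidelines above can be enforced mechanically before a message leaves the mailbox. The check below is an added example, not code from the original post or from any mail product: it looks for the identifier types the post names (Social Security number, telephone number, birth date) in the text parts of an outgoing message, lists the recipients for review, and blocks the message when PHI/PII is present but the subject lacks the Secure: prefix that triggers encryption. The regexes, the sample message and all function names are constructed for this example; a real gateway’s DLP rules will be broader.

```python
import re
from email import message_from_string

# Regexes for the identifier types the post lists (SSN, phone, birth date). Constructed
# for this example; tune them to your own data before relying on them.
PATTERNS = {
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}", re.I),
}

def plausible_ssn(match):
    """Reject values no SSN can have: area 000/666/9xx, group 00, serial 0000."""
    area, group, serial = match.groups()
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"
def find_identifiers(text):
    """Return (kind, value) pairs for every PHI/PII-looking token in text."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if kind != "ssn" or plausible_ssn(m):
                hits.append((kind, m.group(0)))
    return hits
def text_parts(msg):
    """Yield the decoded text/plain parts (text attachments included) of a parsed message."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            yield part.get_payload(decode=True).decode(charset, "replace")
def ensure_secure_prefix(subject):
    """Add the 'Secure:' prefix that triggers gateway encryption when it is missing."""
    return subject if subject.strip().lower().startswith("secure:") else "Secure: " + subject

def check_outgoing(raw_message):
    """Pre-send gate: PHI/PII in a message whose subject lacks 'Secure:' is blocked."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    fixed = ensure_secure_prefix(subject)
    hits = [h for text in text_parts(msg) for h in find_identifiers(text)]
    recipients = [a for hdr in ("To", "Cc", "Bcc") for a in msg.get_all(hdr, [])]
    return {"verdict": "block" if hits and fixed != subject else "ok", "hits": hits,
            "recipients": recipients, "fixed_subject": fixed}

# Constructed sample: the kind of "have you seen this before?" mail the post describes.
SAMPLE = """To: colleague@example.invalid
Subject: Re: ticket 4421 - report totals look wrong
Content-Type: text/plain; charset="utf-8"

Have you seen this before? Patient Jane Doe, DOB: 03/14/1962,
SSN 123-45-6789, phone (413) 555-0123. Totals on page 2 don't match.
"""
```

Running `check_outgoing(SAMPLE)` returns a "block" verdict with three hits; the same message with `Secure:` prepended to its subject passes as "ok".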


When dealing with PHI/PII, it is advisable to include a confidentiality notice in your email signature.  The following is the standard wording:

Confidentiality Notice: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.

While including a disclaimer at the end of your email message is important, it’s worth noting that the disclaimer does not in and of itself satisfy the requirement to send electronic PHI securely.


Just as important as protecting PHI and PII data while in transit is disposing of it when it is no longer needed. It’s advisable to contract with a company to completely destroy electronic PHI/PII. You should also delete sensitive data from currently used drives and from Recycle Bins, securely wipe drives you no longer need, and avoid using external storage media (scan drives, CDs, etc.).

If you use Instant Messaging to communicate with others in your organization, you shouldn’t save Skype for Business/Lync call logs. To disable this option:
  1. In Skype for Business/Lync, in the upper right corner, click the ‘Options’ (gear) icon
  2. From the menu on the left, select ‘Personal’
  3. Uncheck the box next to “Save call logs in my email Conversation History folder”
  4. Click ‘OK’

Lastly, if you must email attachments containing PHI or PII, you should use document software that allows you to black out or redact sensitive data. Adobe Acrobat is one application that contains redaction tools. If you choose to do this, be sure to use redaction tools that permanently remove the underlying content, so that the redaction cannot be reversed.

In summary, if you must send PHI or PII electronically, don’t fear; you can avoid HIPAA violations by taking precautions and using a bit of common sense. In the end, your clients and your employer will thank you.
--


Kelly Buckman is a healthcare IT expert and field expert blogger for Barracuda Consulting.
Kelly has almost a decade of experience as a Technical Support Engineer/Analyst in the field of Healthcare IT, over 20 years in IT Support, and several years of experience in Project Management. She has a B.A. from Mount Holyoke and a master’s degree from UMass Amherst, and lists her skills as the ability to analyze and resolve various types of application, server and network issues, and to communicate complex ideas effectively.
She is also the mother of 3 sons, ages 19, 17, and 11, lives in western Massachusetts, and enjoys solving puzzles, reading, and travelling.
Please leave your questions or comments below. Or, if you would like to employ our healthcare IT compliance services, or would like more information about HIPAA, PHI, IT security or any other related topic please contact us.

Comments

  1. Interesting read. Encryption by typing "Secure:" in the subject line of an email I had never heard of... does this work only on company internal emails?

  2. I would like to thank you for the post which you have shared here. Keep sharing such types of post in future. For best HIPAA Consulting services, then you can prefer ssconsulting, which is best for you.
