Health Information Compliance Alert

Security Compliance:

Hold On To E-Mailed PHI & Let Go Of Privacy Rule Violations

Remember: You have to save PHI in emails, too.

Does your staff receive email messages from your patients that contain protected health information? Do your physicians send emails about your patients to other providers? If you answered 'Yes' to either of those questions, you have e-PHI on your hands. Here's what you can do with it.

Eliminate unnecessary uses of PHI: Decrease your email retention burden by asking physicians to keep PHI out of their emails unless it's necessary for treatment, payment or health operations, says Margret Amatayakul, a consultant with Schaumburg, IL's Margret A Consulting.

You can help your docs take PHI out of their electronic communications by reminding them that if the health information doesn't add to the conversation, then they don't need it. Consider these examples:

Example A: One of your doctors is struggling with a patient's diagnosis. Her colleague just dealt with a similar case, so she emails the physician a list of symptoms and asks for advice.

Example B: A patient complains to your doctor that he has been feeling anxious and depressed. Your physician sends an email to an area psychologist asking the specialist to meet with the patient and lists his symptoms.

Example A leaves out PHI; Example B uses PHI only because it is necessary in the context of the referral.

Distinguish between PHI and patient communication: You don't need to hold on to patients' emails unless they contain PHI. So, if a patient emails to cancel his appointment, trash it. On the other hand, if he's sending you his blood sugar levels each day, you must keep those emails.

Be judicious with your email address: If you aren't willing or able to spend the time and energy printing and saving patients' emailed PHI, then don't advertise your email address. Or only give it to those patients you want to send you information via email, such as the patient who is monitoring her blood sugar level. Tip: Outline with patients when your physicians will respond to their emails. That way, there won't be any pressure on your docs to respond to all messages they receive.

Save messages in paper form: Storing and sorting emails will likely suck up precious time and money. Better idea: Print out all patient emails containing PHI and stick them in the patient's record, suggests Kerry Kearney, a partner with Reed Smith in Philadelphia.

If you've set up an electronic health record, you can simply connect emails to the patient record, Amatayakul acknowledges. This added bonus will not only save you storage costs, it will also let you quickly sort through the information contained in emails, she says.

Best practice: Set your system to automatically delete all emails after 60-90 days, Kearney advises. That will eliminate confusion over which document (electronic or print) should be used.

Save your responses: HIPAA doesn't demand that you save the emails you send, but you don't want to find yourself on the losing end of a liability suit. By saving all outgoing messages that contain PHI, you'll ensure that you have the information necessary to cover yourself in case any problems crop up.

The Bottom Line: Only save your outbound emails if they contain PHI. Otherwise, holding on to them could result in problems because "email is the place where offices are the most vulnerable to stupidity. People will say anything over email," Kearney cautions.
