Health Information Compliance Alert

Security Compliance:

Hold On To E-Mailed PHI & Let Go Of Privacy Rule Violations

Remember: You have to save PHI in e-mails, too.

Does your staff receive e-mail messages from your patients that contain protected health information? Do your physicians send e-mails about your patients to other providers? If you answered 'Yes' to either of those questions, you have e-PHI on your hands. Here's what you can do with it.

Eliminate unnecessary uses of PHI: Decrease your e-mail retention burden by asking physicians to keep PHI out of their e-mails unless it's necessary for treatment, payment or health operations, says Margret Amatayakul, a consultant with Schaumburg, IL's MargretA Consulting.

You can help your docs take PHI out of their electronic communications by reminding them that if the health information doesn't add to the conversation, then they don't need it. Consider these examples:

Example A: One of your doctors is struggling with a patient's diagnosis. Her colleague just dealt with a similar case, so she e-mails the physician a list of symptoms and asks for advice.

Example B: A patient complains to your doctor that he has been feeling anxious and depressed. Your physician sends an e-mail to an area psychologist asking the specialist to meet with the patient and lists his symptoms.

Example A leaves out PHI; Example B uses PHI only because it is necessary in the context of the referral.

Distinguish between PHI and patient communication: You don't need to hold on to patients' e-mails unless they contain PHI. So, if a patient e-mails to cancel his appointment, trash the message. On the other hand, if he's sending you his blood sugar levels each day, you must keep those messages.

Be judicious with your e-mail address: If you aren't willing or able to spend the time and energy printing and saving patients' e-mailed PHI, then don't advertise your e-mail address.

Or only give it to those patients you want to send you information via e-mail, such as the patient who is monitoring her blood sugar level. Tip: Outline with patients when your physicians will respond to their e-mails. That way, there won't be any pressure on your docs to respond to all messages they receive.

Save messages in paper form: Storing and sorting e-mails will likely suck up precious time and money.

Better idea: Print out all patient e-mails containing PHI and stick them in the patient's record, suggests Kerry Kearney, a partner with Reed Smith in Philadelphia. If you've set up an electronic health record, you can simply connect e-mails to the patient record, Amatayakul acknowledges. This added bonus will not only save you storage costs, it will also let you quickly sort through the information contained in e-mails, she says.

Best practice: Set your system to automatically delete all e-mails after 60-90 days, Kearney advises. That will eliminate confusion over which document (electronic or print) should be used.

Save your responses: HIPAA doesn't demand that you save the e-mails you send, but you don't want to find yourself on the losing end of a liability suit. By saving all outgoing messages that contain PHI, you'll ensure that you have the information necessary to cover yourself in case any problems crop up.

The Bottom Line: Only save your outbound e-mails if they contain PHI. Otherwise, holding on to them could result in problems because "e-mail is the place where offices are the most vulnerable to stupidity. People will say anything over e-mail," Kearney cautions.
