Thanks to HIPAA, one wrong click can cost you $50,000. You’ll never be able to think of your e-mail and fax machine the same way again. Because technology makes it so easy to copy, forward, share and steal information, providers and payers need strict policies for handling electronic health information, warns Gwen Hughes of the American Health Information Management Association.
It sounds too bad to be true, but over the last couple years Hughes has been contacted personally by three newspapers that had patient records accidentally faxed to them. Mistyping a number was the only thing the health care providers had done wrong, but now they had legal — and public relations — disasters on their hands.
Since the HIPAA rule was written to be “technology-neutral,” it doesn’t give explicit advice for sending e-mails or placing faxes. It is vague enough so that it can be applied to any form of communication, Hughes says.
Section 164.530 of the reg says covered entities must have “appropriate administrative, technical and physical safeguards to protect the privacy of protected health information” and “must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards.”
This means creating policies on what — and how — to fax and e-mail, and making sure that your entire staff is properly trained. Now is the time to break any bad habits employees may have developed. After all, one wrong e-mail can cost you big.
Ongoing Education Is Key
When orienting new staff, Hughes notes, health care providers tend to overwhelm them with information. Then, once they’ve settled in, the education stops. Don’t let this happen with regard to privacy issues, she cautions. Training people to be sensitive to PHI and to do things like double-check fax numbers is something you should do on day one and then periodically, forever.
There needs to be a “constant process of bringing things to the awareness level for people, so that they change their behaviors and that steps that are important become natural for them,” Hughes explains.
E-mailing presents a few more HIPAA dangers than faxing. First of all, it’s a newer technology and some people are still learning the difference between “reply” and “reply to all.” Second, in the time it takes to send one fax, you can accidentally e-mail one person’s PHI to hundreds of people.
If you’re going to start a policy of e-mailing patients, give its implementation a lot of thought ahead of time, Hughes advises. E-mailing presents many dangers: anything in an e-mail can easily be redirected to the wrong people, and can just as easily be copied en masse.
“[A] big issue with e-mail use is coming to a common understanding … as to what kinds of communications are appropriate through email and what the response times are,” says attorney Robyn Meinhardt with Foley & Lardner in Denver. For this reason, it’s a mistake to e-mail a patient time-sensitive information — for all you know, they might not check their e-mail for a week.
Hughes points out that wrongful disclosure of PHI can bring fines of up to $50,000 and a year in jail. Because of the severity of the penalties, and because it’s so easy to hit the wrong button when e-mailing, she recommends that you think long and hard about which employees should be given the authority to e-mail PHI. The more people who can do it, the better the odds that something could go wrong.
Indeed, many providers have been reluctant to adopt e-mail as a means of communication with patients because they see it as another encroachment on their already limited time. Further, they aren’t reimbursed for time spent sending emails, notes attorney Paula Ohliger with Foley & Lardner’s San Francisco office.
Clean Up After Your Mistakes
Hughes tells Eli that the rule says that if you become aware that you’ve violated someone’s privacy — for example, by faxing or e-mailing his or her records to the wrong place — “you have to mitigate the harmful effects of that.” Be sure to contact the accidental recipient and ask him to shred the fax or delete the e-mail.
Keep track of such events in an incident log that shows the steps you took to mitigate the event’s consequences, Hughes advises. If you discover a pattern of problems, figure out why this is so and “use that to improve your educational program,” Hughes recommends.
“People can sue us for anything they want,” Hughes says, so they can certainly sue if they feel that their privacy has been jeopardized. They may not win the suit, but it will cost you a lot of money and an immeasurable amount of bad PR.
PDF