Health Information Compliance Alert

Technology Tips: 11 WAYS TO MINIMIZE FAX AND E-MAIL RISKS

If you want your organization to stay out of the courthouse and the newspapers, follow these personal health information faxing and e-mailing tips from Gwen Hughes of the American Health Information Management Association.

For faxing:

  • Make sure you’re sending your faxes to the right place. Have your employees double-check every fax number before hitting “Send.” If you pre-program any numbers, make sure you double-check these as well before saving them.
  • Put your fax machine in a secure place. Don’t leave it sitting on a counter in the waiting room, where the eyes of bored patients can wander.
  • Put a confidentiality cover sheet on every fax. The box below provides one example. Periodically remind providers and business partners that they need to tell you ASAP if their fax numbers change.
  • Remember that you — not the patient — need to be vigilant about protecting PHI. “Sometimes [patients] want you to fax a copy of their health information to them,” Hughes notes, but they might not realize the potential for disaster. It is the providers’ burden to go the extra step and explain to the patient exactly what this entails. Ask the patient where he is: Is he at home, at work or at a Kinko’s downtown? If he is anywhere but at home, remind him that what he’s asking you to fax has personal information in it, and point out he might not want to do this if he isn’t going to be hovering over the fax machine waiting for the info to come through.

For e-mailing:

  • Make sure you are using encryption software.
  • Put a confidentiality disclaimer in your e-mail template. See box, below, for sample language.
  • Explain the risks to patients. Again, the onus is on the covered entity — not the patient — to make sure that misdirected, intercepted or inappropriate e-mails don’t jeopardize patient privacy. Don’t assume patients know how e-mail works, and don’t let them assume you can respond to their e-mails faster than you can.
  • Determine who on your staff should be able to e-mail PHI. Make sure that they’re well trained, Hughes warns, and that no one else can e-mail PHI.
  • Print out all e-mails and save the hard copies as part of the patient’s medical record. Keep a list of patients who e-mail so that you can notify them if your system is temporarily taken down. This will prevent situations where they send you important e-mails at a time when you can’t access them.
  • Don’t forward patient-identifiable information to a third party unless you have the patient’s authorization to do so.
  • Don’t e-mail extra-sensitive PHI. There are some kinds of communications that should not be conducted via e-mail. Attorney Robyn Meinhardt with Foley & Lardner in Denver points to results of HIV tests as an egregious example. Providers and payers should determine which types of information will not be sent through e-mail, and should make sure patients are clear on that policy.
