Pediatric Coding Alert

Are You HIPAA-Compliant?

12 ways to minimize fax and e-mail risks

If you want to stay out of the courthouse and the newspapers, follow these personal health information faxing and e-mailing tips from Gwen Hughes with Care Communications in Chicago.

For faxing:
  Make sure you're sending your faxes to the right place. Double-check every fax number before hitting "Send." If you preprogram any numbers, make sure you double-check these as well before saving them.

  Put your fax machine in a secure place. Don't leave it sitting on a counter in the waiting room, visible to patients and others who should not have access.

  Put a confidentiality coversheet on every fax. The box below provides one example. Periodically remind providers and business partners that they need to tell you ASAP if their fax numbers change.

  Remember that you - not the patient - need to be vigilant about protecting PHI. "Sometimes [patients] want you to fax a copy of their health information to them," Hughes says, but they might not realize the potential for disaster. The provider is responsible for taking the extra step and explaining to the patient exactly what this entails.

  Ask the patient where he is: Is he at home, at work, or at a Kinko's downtown? If he is anywhere but at home, remind him that what he's asking you to fax is his personal medical information, and point out that he might not want to do this if he isn't going to be hovering over the fax machine waiting for the information to come through.

For e-mailing:
  Make sure you have encryption software.

  Put a confidentiality disclaimer in your e-mail template. (See the disclaimer at the end of this article for an example.)

  Explain the risks to patients. Again, the onus is on you and your office - not the patient - to make sure that misdirected, intercepted, or inappropriate e-mails don't jeopardize patient privacy. Don't assume that patients know how e-mail works, and don't let them assume you can respond to their e-mails faster than you can.

  Determine who on your staff should be allowed to e-mail PHI. Make sure they're well trained, Hughes says, and that no one else can e-mail PHI.

  Print out all e-mails and save the hard copies as part of the patient's medical record. Keep a list of patients who e-mail so you can notify them if your system is temporarily taken down. This will prevent situations in which they send you important e-mails at a time when you can't access them.

  Don't forward patient-identifiable information to a third party unless you have the patient's authorization to do so.

  Don't e-mail extra-sensitive PHI. Some kinds of communications should not be conducted by [...]