Physicians and healthcare professionals must be careful when sending a patient’s Private Health Information (PHI) via email.
When providing care to patients, a great deal of information often goes back and forth with insurance carriers or directly with the patient. This information may include:
- Medical records
- Social Security numbers
- Full names
- Medical diagnoses
- Health history matters
Physicians and healthcare professionals should keep the following checklist in mind when emailing patients:
- Is it necessary to send the information, or is it extraneous? For instance, if you need to say the person’s full name, can you instead just use initials?
- Is there another way to describe the person without using his or her name?
- Must a medical diagnosis be included?
- If attaching a medical record or health history of a patient, is it encrypted?
Obviously the goal is to keep this information confidential as much as possible and to prevent it from being accessed by anyone who is neither a covered entity nor a business associate. If there is a risk that the information won’t be kept confidential, or that there may be a breach, take a step back and look at the measures used in sending the information.
In addition, there are ways to mitigate risk when sending and receiving sensitive patient information. Consider the following safeguards:
- Put the patient information onto a CD or flash drive, and personally deliver it to the doctor, hospital or the one receiving said information.
- Invest in a Virtual Private Network (VPN) rather than sending patient information over public Wi-Fi. Be mindful of the network security that the receiver is using to open a patient PDF.
- Shred any hardcopies of emails. If you have printed a PDF that contains the patient’s health information, never dispose of it in a public garbage receptacle. If you use a third-party shredding service, have them sign a Privacy Agreement.
- Advise employees to delete patient information from irrelevant email threads. Prevent sensitive data from floating back and forth in email replies and forwards.
- Protect the email receivers’ information as well. When sending to multiple recipients, BCC where appropriate.
- Use your work email account only. Personal email accounts (e.g. Yahoo, AOL, Hotmail) are generally not HIPAA (Health Insurance Portability and Accountability Act)-protected.
To ensure that your practice adheres to HIPAA regulations, practice caution when emailing PHI, because you never know who’s going to get access to it. If you have any questions or concerns, please consult with an attorney.
Stephanie J. Rodin, Esq.
Rodin Legal, P.C.
Email: info@rodinlegal.com
Tel: (917) 345-8972
Fax: (917) 591-4428