Don’t e-mail your way into treacherous waters
Don’t e-mail your way into treacherous waters
Develop policies that comply with HIPAA rules
The Internet provides a convenient and efficient method of communication among providers, patients, and payers, as well as tremendous opportunities for managing patient care and monitoring long-term progress of the chronically ill. However, experts caution case managers that the Internet’s convenience doesn’t come without risk. The biggest potential pitfall may come when the government’s final patient health information protection regulations, the Health Insurance Portability and Accountability Act (HIPAA), are released.
"The increasing role of computerized and electronic data systems and data transmission is going to be the hottest issue facing health care in the next couple years," says Vicki Myckowiak, JD, a health care attorney with Myckowiak Associates in Detroit. "Under HIPAA, the government issued a law that regulates electronic health information, and it’s going to be a law you need to be very aware of in the next couple of years. Medical data collected and used to treat patients and a case manager’s work, [which] revolves around that collection and coordination of medical data, are protected under HIPAA, which carries both monetary and criminal penalties for violations of protected information."
Case managers also should be concerned about protecting patient privacy on the Internet because patient anxiety about privacy issues is a potential barrier to care, adds Jan Lori Goldman, JD, director of the Health Privacy Project at the Institute for Health Care Research Policy at Georgetown University in Washington, DC.
"Studies indicate that anxiety about privacy causes one in six people to withhold information from their doctors, provide inaccurate information to their doctors, or practice doctor hopping," she notes. "It’s the equivalent of an individual keeping money under a mattress because he doesn’t trust the banks to keep it safe."
The on-line world amplifies privacy concerns, say experts. "HIPAA requires that when you handle patient information, you must have formal mechanisms for authorizing its use and disclosure and also be able to demonstrate how you protect the information," explains Ann Geyer, a health care information consultant with Tunitas Group Healthcare Consulting Practice in Moraga, CA. "You are required to ensure authenticity, but if the patient information enters your organization for the first time via e-mail, you must rethink the ways in which you process patient information. The new state and proposed federal statutes don’t offer a pass for e-mail. Every e-mail message in your organization can be a potential event that discloses patient information in violation of those privacy statutes."
Tunitas recently surveyed its clients and found that the average health care organization handles 50,000 e-mail messages each day, with 20% of those messages going to external users and 80% remaining within the corporate boundaries. "For a large health plan, that number rises to about 75,000 messages a day. About 30% of those messages are thought to contain patient information, and those communications carry a high degree of disclosure risk," Geyer says.
Although the final draft of the HIPAA privacy regulations has not been issued, Myckowiak recommends that organizations take the following measures now to assure compliance:
• Monitor the progress of the final regulations.
• Understand your state privacy laws and those of every state in which you do business.
• Obtain a valid release signed by the patient specific to the particular type of disclosure for any information you disclose to other parties.
In addition, due to the high degree of disclosure risk involved with the use of e-mail, Geyer recommends that organizations develop e-mail policies protecting the privacy of patient information shared via Internet. "As you sit down with your development team to think through e-mail policy, start with the recognition that e-mail protocols are not, by their very nature, secure. Most organizations are not very security conscious about e-mail issues. Developing an e-mail privacy policy and providing guidelines and expectations to all e-mail users in your organization about what they can and cannot put in an e-mail message is important
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.