Preparing for HCFA’s security standards
Evaluating the need for an in-house e-mail policy
Electronic data security standards were mandated under the Health Insurance Portability and Accountability Act of 1996. Congress was given until August 1999 to enact privacy protections, but if Congress does not act by then, the secretary of Health and Human Services (HHS) is authorized to implement privacy protections.
An HHS spokesman interviewed by Home Infusion Therapy Management states the standards will likely take effect sometime this year. Although the standards were developed with medical records in mind, he added that e-mail would be included under certain conditions.
"If the e-mail contained patient or confidential information it would not necessarily have to be encrypted, but safeguards would be required to make sure others could not access the information," he says.
While the acceptance of e-mail has spread, the understanding of its potential hazards and pitfalls in the work environment has not. E-mail is not an informal means of conversing, especially for professionals in the workplace.
If your organization allows employees to use e-mail at work but does not have a formal e-mail policy, you could be making a grave mistake.
"It is difficult getting people to understand that e-mail isn’t a substitution for a telephone call or a conversation in the hall," says Wendy Sapp, CRM, chairman and acting task force leader of the Prairie Village, KS-based Association of Records Managers and Administrators (ARMA) standards advisory and development committee, as well as the records manager for Hercules Incorporated, a chemical manufacturer in Wilmington, DE.
"These communications are a record of an organization and therefore are subject to all the legal ramifications that a corporation’s records are. They are subpoenable."
The biggest difference is privacy, according to Sapp.
"People consider telephone conversations and talks in the hall as private between Person A and Person B; but as soon as something is submitted in writing [through] an e-mail system, you cannot consider it as private," she says.
"People are too relaxed about e-mail, and the main thing they need to remember and that any e-mail policy needs to reflect is that e-mail is not confidential in any sense of the word," says Elizabeth Hogue, JD, a health care attorney based in Burtonsville, MD.
"There have been instances where hackers broke into systems and retrieved or sent e-mail, and even Bill Gates is defending his e-mails to various people."
While phone conversations and water-cooler talk are, for the most part, temporary and not recorded, e-mails have a shelf-life that may surprise you.
"Even if you delete a message out of the system, it could sit on a back-up tape on a shelf indefinitely unless the tape is erased," says Sapp.
How to make a policy
The first criterion for creating a corporate e-mail policy is simple:
• Confidentiality.
"We recommend that any corporate e-mail policy should state that under no circumstances is confidential information to be placed in e-mail," advises Sapp.
"Do not do it. Don’t risk somebody’s salary or medical information floating around."
She notes that because e-mail is a company record, the information in that record should be handled in a similar fashion to how you handle paper documents.
In that respect, your e-mail policy does not have to be a separate document in and of itself.
"An e-mail policy should be part of a broader record retention program, not just as a stand-alone policy but in the context of a records retention policy," notes Sapp.
Hogue agrees that the policy does not have to be entirely different from your current record retention and standard corporate policies.
"I would apply the same confidentiality policies to e-mail that I would recommend to communications in general, and that is a need-to-know basis," says Hogue. She adds that having e-mail opens your computer system to prying outside eyes.
"One of my concerns is that in order to have e-mail you almost need to open your computer system to the world," she says.
"There’s a channel by which anyone in the world could get into my computer, and as an attorney I have many concerns regarding confidentiality.
"I know that a lot of attorneys use e-mail, but I’m not sure we know what e-mail does to attorney-client privilege. That’s why I discourage communications with legal counsel via e-mail."
• Retention.
Because your e-mails are considered company records, retention also becomes an issue. Storing the information may not be a challenge, but maintaining a usable format can prove difficult.
"If you have a retention period longer than 10 years and your e-mail system changes, at some point you must go back to any stored items and look at the medium it is stored on and migrate it to the next generation," says Sapp.
She adds that many organizations require two copies of documents stored in different locations, in case of a fire or similar disaster.
This can be as simple as copying files and keeping one set of tapes in a separate location.
• Etiquette.
You never know who is going to see the e-mail you send or receive. That’s why Hogue recommends including e-mail etiquette in your policy.
"I’ve read stories about people intercepting e-mails, so I would include in the policy a prohibition of any talk that is derogatory toward anyone in the office or any patient," she says.
• Security.
Home care professionals wouldn’t dream of leaving patient files readily available for anyone walking through the office.
Hogue recommends using the same consideration in protecting your e-mails and computer files in general.
"I think computers should be locked," she says.
"Medicare surveyors have always said that files with patient information in them should be locked and should not be lying around. The same is true for computers and someone should monitor that. When you’re away from the office for meetings or lunch or at night, that computer should be locked."
ARMA, which ANSI has determined is a standard certifying body for the United States, created the e-mail task force in 1995.
It took more than three years for the committee to get a full document that could be submitted for public review and comment. Sapp expects the final document to be available in the third quarter of 1999.
[For more information, call ARMA at (800) 422-2762 or visit its Web site at www.arma.org/hq.]