Are you e-mailing your way into treacherous waters?

Develop Internet policies that comply with proposed HIPAA rules

The Internet is changing the face of health care delivery in the United States. It provides a convenient and efficient method of communication among providers, patients, and payers, as well as tremendous opportunities for managing patient care and monitoring long-term progress of the chronically ill. However, experts at two recent health care conferences caution case managers that the Internet’s convenience doesn’t come without risk. The biggest potential pitfall may come when the government’s final patient health information protection regulations are released.

More than 20 sessions at the recent National Managed Health Care Congress (NMHCC) in Atlanta were devoted to health care Internet opportunities. In addition, health care attorneys at both NMHCC and the fifth annual Hospital Case Management Conference — also held recently in Atlanta and co-sponsored by American Health Consultants, publisher of Case Management Advisor — cautioned case managers that the time to develop Internet privacy policies is now, before the draft of the proposed Health Insurance Portability and Accountability Act (HIPAA) becomes final. (A summary of the proposed HIPAA rules is on p. 97. See also, Case Management Advisor, May 2000, pp. 73-81, for a special report on Internet health care issues.)

"The increasing role of computerized and electronic data systems and data transmission is going to be the hottest issue facing health care in the next couple years," says Vicki Myckowiak, JD, a health care attorney with Myckowiak Associates in Detroit who spoke at the Hospital Case Management Conference. "Under HIPAA, the government issued a law that regulates electronic health information, and it’s going to be a law you need to be very aware of in the next couple of years. Medical data collected and used to treat patients, and a case manager’s work, [which] revolves around that collection and coordination of medical data, is protected under HIPAA, which carries both monetary and criminal penalties for violations of protected information."

Case managers also should be concerned about protecting patient privacy on the Internet because patient anxiety about privacy issues is a potential barrier to care, adds Jan Lori Goldman, JD, director of the Health Privacy Project at the Institute for Health Care Research Policy at Georgetown University in Washington, DC.

"Studies indicate that anxiety about privacy causes one in six people to withhold information from their doctors, provide inaccurate information to their doctors, or practice doctor-hopping," she notes. "It’s the equivalent of an individual keeping money under their mattress because they don’t trust the banks to keep it safe."

Risky business

There is a risk when patients practice those types of information sharing, adds Goldman, who spoke on Internet privacy at the recent NMHCC conference. The information may lack integrity, which could place patients at risk.

"If information is inaccurate or incomplete upfront, then as it moves through the health care delivery system, it makes it difficult to plan appropriate interventions or disease management programs. You don’t know what’s missing [or] what’s wrong with the data you’re using," she says.

The on-line world amplifies privacy concerns, note experts. "HIPAA requires that when you handle patient information, you must have formal mechanisms for authorizing its use and disclosure and also be able to demonstrate how you protect the information," explains Ann Geyer, a health care information consultant with Tunitas Group Healthcare Consulting Practice in Moraga, CA. "You are required to ensure authenticity, but if the patient information enters your organization for the first time via e-mail, you must rethink the ways in which you process patient information. The new state and proposed federal statutes don’t offer a pass for e-mail. Every e-mail message in your organization can be a potential event that discloses patient information in violation of those privacy statutes."

Tunitas recently surveyed its clients and found that the average health care organization handles 50,000 e-mail messages each day, with 20% of those messages going to external users and 80% remaining within the corporate boundaries. "For a large health plan, that number rises to about 75,000 messages a day. About 30% of those messages are thought to contain patient information, and those communications carry a high degree of disclosure risk," Geyer says.

She cites two examples of potential Internet disclosure risks recently brought to her attention. The first involved a provider organization heavily oriented to behavioral and mental health services. The e-mail messages managed by this organization contained highly sensitive information about patient mental health issues, says Geyer. The organization had two e-mail distribution lists. The first list was a directory for the organization’s tightly controlled review board. The second list was of the organization’s record review staff. "On more than one occasion, personal patient information was sent to the wrong distribution list. Once you make an error of this nature via e-mail, you can’t get it back," she cautions.

The second example also involved an e-mail directory problem. "The organization had confidential enrollment and third-quarter reimbursement data they sent to an outsider," she says. "The person had the same name and abbreviated organizational name as someone on the organization’s financial staff. This is what makes the Internet so troublesome. E-mail directories don’t always uniquely identify users. You can’t differentiate between internal and external users, which makes access control a real concern. Normal network security principles are hard to apply to e-mail."

Although the final draft of the HIPAA regulations has not been issued, Myckowiak recommends that organizations take the following measures now to assure compliance:

• Monitor the progress of the final regulations.

• Understand your state privacy laws and those of every state in which you do business.

• Obtain a valid release signed by the patient specific to the particular type of disclosure for any information you disclose to other parties.

In addition, due to the high degree of disclosure risk involved with the use of e-mail, Geyer recommends that organizations develop e-mail policies protecting the privacy of patient information shared via Internet. "Without a written e-mail policy, your organization is running a huge risk of violating privacy statutes," she says. "As you sit down with your development team to think through e-mail policy, start with the recognition that e-mail protocols are not, by their very nature, secure. Most organizations are not very security conscious about e-mail issues. Developing an e-mail privacy policy and providing guidelines and expectations to all e-mail users in your organization about what they can and cannot put in an e-mail message is important for establishing privacy benchmarks."

Here is Geyer’s four-stage plan for developing an e-mail policy:

1. Treat e-mail as a business asset used only for business purposes in a businesslike manner.

2. Recognize that e-mail is insecure and that no confidential information should be included in e-mail messages.

3. Send confidential information via e-mail only when its confidentiality is protected by encryption.

4. Recognize that health care business information is essentially protected information and that all disclosures should be authorized and recorded.

Your policy should clearly state who are the authorized senders and receivers of protected information via e-mail, she adds. "You must also have a way to uniquely identify the senders and receivers. The problem is that current Internet mail protocols relay e-mail messages, and the senders and receivers have no control over how the messages are relayed. There is no way to check where a message came from or whether it was copied or altered en route from the sender to the receiver."

Even though the Internet mail protocols give you little to work with, it’s still important to develop and apply a privacy policy to those areas that are within your control, says Geyer. Those areas include:

• Who in the organization is authorized to receive patient information via e-mail?

• What kind of patient information should never be sent via e-mail?

• What kind of information is readily adaptable to e-mail transmission?

• Where should a copy of e-mail messages containing protected patient information be sent for review?

"You should start with an exception policy — information that should never be sent via e-mail. You must also think symmetrically. In other words, review both how patient information leaves your organization via e-mail and how it enters your organization via e-mail."

Proceeding with caution

Questions she suggests you ask before sending patient information via the Internet include:

• Is the sender authorized to disclose the protected patient information?

• Is the receiver authorized to accept the protected patient information?

• What are the encryption procedures applied to the message?

• Was the information accurately received?

• Is a response to the message required?

• Is there a record of the disclosure?

Questions you should ask regarding patient information received via the Internet include:

• Is the receiver authorized to accept the patient information?

• Can the integrity of the information be verified?

• Is the sender a reliable source of the patient information?

• Who else will need to have access to the information?

• Is a response required?
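One way to turn the two checklists above into an enforceable gate, written as an added example for this article (not Geyer's or any vendor's code). The rosters, the exception-policy category and the message fields are constructed for the example; in practice they would come from the organization's written policy.

```python
from dataclasses import dataclass

# Constructed sample rosters and policy for this example.
AUTHORIZED_SENDERS = {"cm.lee@provider.example"}
AUTHORIZED_RECEIVERS = {"utilization@payer.example", "cm.lee@provider.example"}
NEVER_BY_EMAIL = {"mental_health_notes"}      # exception policy: never by e-mail
DISCLOSURE_LOG: list[dict] = []               # record of every disclosure decision

@dataclass
class Message:
    sender: str
    receiver: str
    category: str       # what kind of patient information the message carries
    encrypted: bool     # is confidentiality protected by encryption?
    contains_phi: bool  # is protected patient information present at all?

def _record(direction: str, msg: Message, decision: str) -> str:
    """Every decision, allow or block, becomes a disclosure record."""
    DISCLOSURE_LOG.append({"direction": direction, "sender": msg.sender,
                           "receiver": msg.receiver, "category": msg.category,
                           "decision": decision})
    return decision

def check_outbound(msg: Message) -> str:
    """Sending checklist: exception policy first, then sender and receiver
    authorization, then encryption. Returns the decision string."""
    if not msg.contains_phi:
        return _record("out", msg, "allow: no protected information")
    if msg.category in NEVER_BY_EMAIL:
        return _record("out", msg, "block: category never sent by e-mail")
    if msg.sender not in AUTHORIZED_SENDERS:
        return _record("out", msg, "block: sender not authorized to disclose")
    if msg.receiver not in AUTHORIZED_RECEIVERS:
        return _record("out", msg, "block: receiver not authorized to accept")
    if not msg.encrypted:
        return _record("out", msg, "block: protected information unencrypted")
    return _record("out", msg, "allow: authorized and encrypted")

def check_inbound(msg: Message, known_sources: set[str]) -> str:
    """The symmetric receiving checklist: may this receiver accept the
    information, and is the sender a known, reliable source?"""
    if not msg.contains_phi:
        return _record("in", msg, "allow: no protected information")
    if msg.receiver not in AUTHORIZED_RECEIVERS:
        return _record("in", msg, "quarantine: receiver not authorized")
    if msg.sender not in known_sources:
        return _record("in", msg, "quarantine: sender not a known source")
    return _record("in", msg, "allow: route to authorized receiver")
```

Because the exception policy is tested before anything else, an excluded category is blocked even when both parties are authorized and the message is encrypted, which is the ordering Geyer's "start with an exception policy" implies.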

Health care organizations also should be aware that employees will be tempted to violate even the best written and well-publicized e-mail privacy policies, cautions Geyer.

"There’s that ends-justifies-the-means mentality. Employees will weigh the risk of not submitting a report on deadline against the risk of potentially sending the report to the wrong individual. They have that ‘it-won’t-happen-to-me’ attitude. When it comes to a business risk assessment between getting the report in on time and a potential violation of privacy, getting the report in will win out. Violating the policy is seen as worth the risk," she says.

Even health care organizations with established privacy policies should review them carefully to see if they meet the proposed HIPAA regulations, especially organizations that offer on-line health care services, notes Goldman. Here are key elements she suggests you look for in your current privacy policies:

• Does your policy adhere to basic principles of fair information practice as defined by HIPAA and applicable state statutes?

• Does your privacy practice adhere to your own privacy policy?

• Does your privacy policy provide users with anonymity?

"Providing anonymity is critical to closing the loop in that chain of trust between patients and payers and providers," she says. "Individuals shouldn’t be forced to give up their privacy to use on-line services offered by your organization."

Caring for patient X

David Levy, MD, chairman and chief executive officer of Franklin Health in Upper Saddle River, NJ, says patient anonymity is critical, and it’s not necessary to know whom you’re helping in order to provide on-line disease management support. "As a company that offers Internet-based and Internet-enabled products for the health care industry, we have created a technology structure that reflects our commitment to protecting the individual privacy of our customers’ beneficiaries."

By virtue of their business, health plans have access to incredible amounts of data that enable patients to share control of their own care through the Web, notes Levy. "It’s the biggest opportunity in health care today, and the barriers to tapping into this opportunity are mostly related to privacy."

Franklin Health’s Web site provides consumers with instant medical information customized to their health problems or needs. More important, says Levy, consumers can access that information with complete anonymity.

"The best way to ensure privacy is for the service provider to never know who the user is. No one should ever insist on knowing who you are in order to help you," he explains.

Dividing the data

Franklin Health takes the patient information it receives from the large employer groups and health plans that are its customers and splits it into two strings. The first string contains personal information such as the patient’s name, Social Security number, address, and health plan identification information. The second string is everything known about the patient other than identification information. Both strings are given an anonymous identifier and then placed into two separate databases. The only thing the two strings have in common is the anonymous identifier, and the only individual to receive that number is the patient.

"The patient receives the anonymous identifier through the United States Postal Service. The identifier authenticates the user and allows them access to the site," says Levy. "We’ve had health plans argue that they need information so that they can help their members. Maybe they have a diabetes management program and they want to know which members access information about diabetes on the Web site.

"We tell them no. Instead, we agree that we will inform the members about any disease management programs their health plan has that are appropriate for them and give the patient the right to choose to participate or not," he says.
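The split described above, worked through as an added example rather than Franklin Health's own system: the set of identifying fields, the use of Python's `secrets` module for the anonymous identifier, the two in-memory dictionaries standing in for the two databases, and the sample record are all assumptions made for the illustration.

```python
import secrets
from typing import Optional

# Fields that make up the identifying string; everything else is clinical.
# Constructed for this example from the fields the article names.
IDENTIFYING_FIELDS = {"name", "ssn", "address", "plan_member_id"}

IDENTITY_DB: dict[str, dict] = {}   # anonymous id -> identifying string
CLINICAL_DB: dict[str, dict] = {}   # anonymous id -> everything else

def split_record(record: dict) -> str:
    """Split one record from a plan or employer into two strings, file each
    under a fresh random identifier in its own store, and return that
    identifier for delivery to the patient only (by post, per the article)."""
    anon_id = secrets.token_urlsafe(16)
    IDENTITY_DB[anon_id] = {k: v for k, v in record.items() if k in IDENTIFYING_FIELDS}
    CLINICAL_DB[anon_id] = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    # Invariant to check on every write: no identifying field crosses over.
    assert IDENTIFYING_FIELDS.isdisjoint(CLINICAL_DB[anon_id])
    return anon_id

def patient_view(anon_id: str) -> Optional[dict]:
    """Presenting the identifier authenticates the user and unlocks only the
    clinical side; an unknown identifier gets nothing."""
    return CLINICAL_DB.get(anon_id)

def offer_programs(anon_id: str, plan_programs: dict[str, str]) -> list[str]:
    """Instead of telling the plan which members read about a condition, the
    service tells the member which of the plan's programs (condition -> program
    name) fit their record; the member chooses whether to participate."""
    clinical = CLINICAL_DB.get(anon_id)
    if clinical is None:
        return []
    return [prog for cond, prog in plan_programs.items()
            if cond in clinical.get("conditions", [])]

def identities_exposed_by(store: dict) -> set[str]:
    """Identifying fields a dump of `store` would reveal; for the clinical
    store this must be empty, or the split has failed."""
    return {k for row in store.values() for k in row if k in IDENTIFYING_FIELDS}

# Constructed sample record, not real data.
SAMPLE = {"name": "Pat Example", "ssn": "000-00-0000", "address": "1 Main St",
          "plan_member_id": "PLAN-0001", "conditions": ["diabetes", "asthma"],
          "last_visit": "2000-04-12"}
```

A compromise of the clinical store alone yields conditions without names, and a compromise of the identity store alone yields names without conditions; only someone holding the mailed identifier can join the two, which is why the identifier must never be returned to the plan.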

Providing patients with complete anonymity seems counterintuitive to most health plans and providers, notes Levy, adding that as uncomfortable as it may seem, it’s the only way to reduce patient anxiety about on-line health care services and gain their trust.

"We’ve had some very serious conversations about these issues with large health plans around the country," he says. "We’ve held firm to the policy that we’ve raised ourselves to reach a very high threshold. We must meet that threshold or fall short of our mission."