Are you breaking patient privacy regs with e-mails?
Make sure information privacy is maintained
Have you ever included a patient’s personal information in statistical studies on specific diagnoses for JCAHO core measures and shared this with staff via e-mail? Do you ever e-mail colleagues about a patient’s outcome if that patient was seen at another institution?
Those are just two scenarios of when compliance with patient privacy regulations comes into play.
"It’s amazing how many things might include electronic protected health information," says Kathleen Catalano, director of regulatory compliance services for Dallas-based PHNS Inc.
"Most of the time, quality professionals are the first to embrace all of the rules, and if the institution said no e-mails with protected health information, they would abide," she explains.
In addition, although Joint Commission requirements do not address e-mail specifically, management of information standard (IM.2.10) requires information privacy and confidentiality to be maintained.
If you need to use patient-specific information for various studies, you are required by the Health Insurance Portability & Accountability Act (HIPAA) to de-identify the information by removing 18 direct identifiers, Catalano says.
These include all of the following¹:
- names;
- street address, city, county, precinct, zip code;
- all elements of dates (except the year) including birth date, admission date, discharge date, and date of death;
- telephone numbers;
- fax numbers;
- electronic mail addresses;
- Social Security numbers;
- medical record numbers;
- health plan beneficiary numbers;
- account numbers;
- certificate/license numbers;
- vehicle identifiers and serial numbers, including license plate numbers;
- device identifiers and serial numbers;
- web universal resource locators;
- Internet protocol address numbers;
- biometric identifiers, including finger and voice prints;
- full-face photographic images and any comparable images;
- any other unique identifying number, characteristic, or code.
The HIPAA privacy regulations do not apply when protected health information is de-identified by the removal of the 18 enumerated identifiers and after obtaining an expert opinion that a statistically small risk exists that the released information could be used by others to identify the subject of the information, Catalano says.
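The Safe Harbor removals listed above can be applied mechanically before a study extract is shared. The following Python is an added example written for this article, not code from the article or from PHNS; the record field names and the sample record are constructed assumptions, not a real export format. It drops the enumerated direct identifiers, reduces every date to its year, passes only an explicit allowlist of study fields (the safest reading of "any other unique identifying number, characteristic, or code"), and then scans the surviving free text for anything still shaped like a phone number, e-mail address, Social Security number, IP address or URL before the extract is released for e-mail.

```python
import re
from datetime import date

# Field names are assumptions for a constructed record layout; they map the
# article's identifier categories onto keys a quality study export might use.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "precinct", "zip_code",
    "telephone", "fax", "email", "ssn", "medical_record_number",
    "health_plan_beneficiary_number", "account_number", "certificate_number",
    "license_number", "vehicle_identifier", "license_plate", "device_serial",
    "url", "ip_address", "biometric_id", "photo_ref",
}
# "all elements of dates (except the year)": these are reduced to a year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}
# Allowlist of fields a core-measure study is permitted to keep (assumed).
STUDY_FIELDS = {"diagnosis_code", "core_measure", "outcome", "sex", "length_of_stay_days"}

# Free-text patterns for identifiers that can hide inside narrative fields.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


def deidentify(record: dict) -> dict:
    """Apply the Safe Harbor removals to one patient record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # enumerated direct identifier: removed outright
        if key in DATE_FIELDS:
            if isinstance(value, date):
                out[key.replace("date", "year")] = value.year  # keep the year only
            continue
        if key not in STUDY_FIELDS:
            continue  # unknown field: treated as a possible unique code and dropped
        out[key] = value
    return out


def scan_free_text(record: dict) -> dict[str, list[str]]:
    """Return {field: [pattern names]} for string values that still look like identifiers."""
    hits = {}
    for key, value in record.items():
        if isinstance(value, str):
            found = [name for name, rx in PATTERNS.items() if rx.search(value)]
            if found:
                hits[key] = found
    return hits


def prepare_for_email(record: dict) -> dict:
    """De-identify a record and refuse to release it if identifier-shaped text survives."""
    clean = deidentify(record)
    leaks = scan_free_text(clean)
    if leaks:
        raise ValueError(f"identifier-like content remains in study fields: {leaks}")
    return clean


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "medical_record_number": "MRN-0001234",
    "street_address": "1 Example St",
    "city": "Dallas",
    "zip_code": "75240",
    "telephone": "(555) 555-0100",
    "email": "jane@example.invalid",
    "birth_date": date(1960, 3, 14),
    "admission_date": date(2005, 7, 2),
    "discharge_date": date(2005, 7, 9),
    "diagnosis_code": "I21.9",
    "core_measure": "AMI-1 aspirin at arrival",
    "outcome": "discharged home",
    "sex": "F",
    "length_of_stay_days": 7,
    "visit_token": "X7Q9",  # not on the allowlist, so it is dropped
}

if __name__ == "__main__":
    print(prepare_for_email(SAMPLE_RECORD))
```

The allowlist is the important design choice: a denylist of the 17 named categories would let a new export column through untouched, whereas the allowlist fails closed. The free-text scan is a last check on the fields that are kept, because an identifier typed into an "outcome" note is still an identifier.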
For e-mail, HIPAA requires that security measures are implemented to guard against unauthorized access to protected health information that is being transmitted over an electronic communications network, she explains.
"If the e-mails are within an intranet — it is considered to be safe passage, but the Internet is considered ripe for theft," Catalano says.
If staff are exchanging e-mails between facilities, all with the same e-mail extension, then these messages stay within your network with safe passage, she notes.
"When e-mail is sent outside of the intranet, it is best if it is encrypted. This safeguards the e-mails," Catalano adds.
Reference
- Fed Reg 82,818 (Dec. 28, 2000). 45 CFR § 164.514(b)(2)(i).
[For more information on privacy regulations, contact:
- Kathleen Catalano, Director, Regulatory Compliance Services, PHNS Inc., One Lincoln Centre, 5400 LBJ Freeway, Suite 200, Dallas, TX 75240. Phone: (972) 701-8042, ext. 216. Fax: (972) 385-2445. E-mail: [email protected].]