Question: Sometimes a client or patient requests emailed medical records. What are the HIPAA rules for emailing protected health information (PHI)?

North Carolina Subscriber

Answer: When you send PHI, such as a portion of the patient's medical record, you are responsible for protecting the outbound email. Encrypting the message (or the attachment containing the record) so that it is protected in transit is the best option for sending PHI by email.

Caution: Your practice should establish a validation procedure so that when a patient asks you to email them something, you can confirm the request is authentic before anything is sent. Verify the request against contact information already on file for the patient rather than relying only on the reply address of the incoming message.

Incoming: Once an email containing PHI is received, its contents are electronic PHI (ePHI) and must be protected as such. The same applies when you change the format of a record (for example, by scanning paper records into an email attachment): you must put access controls in place so that only authorized users can view that document.
Best practice: Store electronic documents on a central, well-secured server rather than leaving them in individual mailboxes, so that you can confirm the intended recipient actually received the information. If you use an outside vendor (for example, a hosted email or document-storage service), ensure the vendor is HIPAA-compliant and that a business associate agreement is in place. "The covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules' requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules," according to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

Bottom line: You must have procedures in place to ensure that you send emails containing PHI to the right place or person. Additionally, when you receive an email containing PHI, make sure it gets the same protections as the rest of your ePHI.