Question: I sometimes e-mail patient records to consultants for help on how to bill. How can I make sure I’m not committing a HIPAA violation?
Answer: Although asking for help might seem like a simple request, it can lead to trouble with HIPAA if you don’t go about it in the right way. The key to keeping things above board is to remove all identifying information from the report before you send it.
Here’s how: Under HIPAA’s Privacy Rule, you have to make sure you don’t send protected health information (PHI) by removing all individually identifiable health information, including health information that reasonably allows individual identification. In general, HIPAA is based on reasonableness.
Best bet: Only send the portions of the report that describe the clinical procedure and findings, and include a confidentiality notice at the end of your e-mail. This guideline applies whether you send the e-mail from an office or from home.
Specifics: Before you send the report by e-mail, remove the patient’s name and Social Security number. You should also remove geographic identifiers, dates, phone, fax, and e-mail information, and medical record and device serial numbers. Then you read through the report before you send it to be sure you can reasonably assume the patient is no longer identifiable.
Experts advise that for extra security, you send an encrypted email to keep information safe.
Arkansas Subscriber