12 Ways to Minimize Fax and E-Mail Risks
Published on Fri Sep 19, 2003
Expert methods to protect PHI
If you want to stay out of the courthouse and the newspapers, follow these personal health information faxing and e-mailing tips from Gwen Hughes with Care Communications in Chicago.
For faxing:
Make sure you're sending your faxes to the right place. Double-check every fax number before hitting "Send." If you preprogram any numbers, make sure you double-check these as well before saving them.
Put your fax machine in a secure place. Don't leave it sitting on a counter in the waiting room, visible to patients and others who should not have access.
Put a confidentiality coversheet on every fax. The box below provides one example. Periodically remind providers and business partners that they need to tell you ASAP if their fax numbers change.
Remember that you - not the patient - need to be vigilant about protecting PHI. "Sometimes [patients] want you to fax a copy of their health information to them," Hughes says, but they might not realize the potential for disaster. The provider is responsible for taking the extra step and explaining to the patient exactly what this entails.
Ask the patient where he is: Is he at home, at work, or at a Kinko's downtown? If he is anywhere but at home, remind him that what he's asking you to fax is his personal medical information, and point out that he might not want to do this if he isn't going to be hovering over the fax machine waiting for the info to come through.
For e-mailing:
Make sure you have encryption software.
Put a confidentiality disclaimer in your e-mail template. (See the disclaimer at the end of this article for an example.)
Explain the risks to patients. Again, the onus is on you and your office - not the patient - to make sure that misdirected, intercepted, or inappropriate e-mails don't jeopardize patient privacy. Don't assume that patients know how e-mail works, and don't let them assume you can respond to their e-mails faster than you can.
Determine which of your colleagues should be allowed to e-mail PHI. Make sure that they're well trained, Hughes warns, and that no one else can e-mail PHI.
Print out all e-mails and save the hard copies as part of the patient's medical record. Keep a list of patients who e-mail so that you can notify them if your system is temporarily taken down. This will prevent situations in which they send you important e-mails at a time when you can't access them.
Don't forward patient-identifiable information to a third party unless you have the patient's authorization to do so.
Don't e-mail extra-sensitive PHI. Some kinds of communications should not be conducted through e-mail. Attorney Robyn Meinhardt with Foley & Lardner in Denver points to results of HIV tests as an egregious example. Providers and payers should determine which types of information will not be sent through e-mail, and should make sure patients are clear on that policy.