Reader Questions:
Keep PHI Out of Outsiders' Inboxes
Published on Sun Feb 11, 2007
Question: I sometimes e-mail patient records to consultants or other coders for help on how to bill. How can I make sure I'm not committing a HIPAA violation?

Oregon Subscriber

Answer: A simple request for help can land you in plenty of trouble with HIPAA. The key is to remove all identifying information from the report before you send it. Here's how:

Under HIPAA's Privacy Rule, you can make sure you don't send protected health information (PHI) by removing all individually identifiable health information, including health information that reasonably allows individual identification. In general, HIPAA is based on reasonableness.

Best bet: Only send the portions of the report that describe the clinical procedure and findings and include a confidentiality notice at the end of your e-mail. This guideline applies whether you send the e-mail from an office or from home.

Example: Before you send out the report by e-mail, you remove the patient's name and social security number. You also remove geographic identifiers, dates, phone, fax, and e-mail information, and medical record and device serial numbers. Then you read through the report before you send it to be sure you can reasonably assume the patient is no longer identifiable.

Option: For extra security, you can send an encrypted e-mail to keep information safe.

-- The answers for You Be the Coder and Reader Questions were reviewed by Cindy C. Parman, CPC, CPC-H, RCC, co-owner of Coding Strategies Inc. in Powder Springs, Ga., and past-president of the American Academy of Professional Coders National Advisory Board.
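The read-through described in the Example above can be backed by an automated pre-send check. The following is an added example, not part of the original article: it flags leftover identifiers from the listed categories that have a recognizable shape. The label formats ("MRN", "S/N"), the function names and the sample report are assumptions constructed for illustration.

```python
import re

# Identifier categories from the article's example that have a textual shape.
# "MRN" and "S/N" label formats are assumptions. Patient names and geographic
# identifiers cannot be pattern-matched reliably; they need the manual read.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(
        r"(?<!\d)(?:\(\d{3}\)\s*|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "date": re.compile(
        r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|\d{4}-\d{2}-\d{2})\b"
        r"|\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.?"
        r"\s+\d{1,2},?\s+\d{4}\b", re.I),
    "medical_record_number": re.compile(
        r"\b(?:MRN|Medical Record(?: No\.?| Number)?)\s*[:#]?\s*"
        r"(?=[A-Z0-9-]*\d)[A-Z0-9-]{4,}\b", re.I),
    "device_serial": re.compile(
        r"\b(?:S/N|Serial(?: No\.?| Number)?)\s*[:#]?\s*"
        r"(?=[A-Z0-9-]*\d)[A-Z0-9-]{4,}\b", re.I),
}

def find_residual_identifiers(text):
    """Return (category, matched_text, line_number) for every hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append((category, m.group(0), lineno))
    return hits

def safe_to_send(text):
    return not find_residual_identifiers(text)

# Constructed sample input: fictional patient, reserved example numbers.
SAMPLE_REPORT = """\
Patient: Jane Roe   SSN: 123-45-6789   MRN: 00482913
DOS: 02/11/2007   Phone: (555) 010-0199   Fax: 555-010-0142
Contact: jroe@example.com
Procedure: Dual-chamber pacemaker insertion, device S/N PJX40021.
Findings: Leads positioned in right atrium and right ventricle.
"""
CLINICAL_ONLY = """\
Procedure: Dual-chamber pacemaker insertion.
Findings: Leads positioned in right atrium and right ventricle.
"""

if __name__ == "__main__":
    for hit in find_residual_identifiers(SAMPLE_REPORT):
        print(hit)
```

A clean result only means none of these patterns matched; the name on the first line of the sample is not flagged, which is why the manual read-through still applies.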