Pediatric Coding Alert

Are You HIPAA-Compliant?

12 ways to minimize fax and e-mail risks

If you want to stay out of the courthouse and the newspapers, follow these personal health information faxing and e-mailing tips from Gwen Hughes with Care Communications in Chicago.

For faxing:
 

  • Make sure you're sending your faxes to the right place. Double-check every fax number before hitting "Send." If you preprogram any numbers, make sure you double-check these as well before saving them.

     
  • Put your fax machine in a secure place. Don't leave it sitting on a counter in the waiting room, visible to patients and others who should not have access.

     
  • Put a confidentiality coversheet on every fax. The box below provides one example. Periodically remind providers and business partners that they need to tell you ASAP if their fax numbers change.

     
  • Remember that you - not the patient - need to be vigilant about protecting PHI. "Sometimes [patients] want you to fax a copy of their health information to them," Hughes says, but they might not realize the potential for disaster. The provider is responsible for taking the extra step and explaining to the patient exactly what this entails.

     
  • Ask the patient where he is: Is he at home, at work, or at a Kinko's downtown? If he is anywhere but at home, remind him that what he's asking you to fax is his personal medical information, and point out that he might not want to do this if he isn't going to be hovering over the fax machine waiting for the information to come through.

For e-mailing:
     

  • Make sure you have encryption software.

     
  • Put a confidentiality disclaimer in your e-mail template. (See the disclaimer at the end of this article for an example.)

     
  • Explain the risks to patients. Again, the onus is on you and your office - not the patient - to make sure that misdirected, intercepted, or inappropriate e-mails don't jeopardize patient privacy. Don't assume that patients know how e-mail works, and don't let them assume you can respond to their e-mails faster than you can.

     
  • Determine who on your staff should be allowed to e-mail PHI. Make sure they're well trained, Hughes says, and that no one else can e-mail PHI.

     
  • Print out all e-mails and save the hard copies as part of the patient's medical record. Keep a list of patients who e-mail so you can notify them if your system is temporarily taken down. This will prevent situations in which they send you important e-mails at a time when you can't access them.

     
  • Don't forward patient-identifiable information to a third party unless you have the patient's authorization to do so.

     
  • Don't e-mail extra-sensitive PHI. Some kinds of communications should not be conducted by e-mail. Attorney Robyn Meinhardt with Foley & Lardner in Denver points to results of HIV tests as an egregious example. Providers and payers should determine which types of information will not be sent through e-mail, and they should make sure patients are clear on that policy.


Fax and E-Mail Confidentiality Disclaimer

Providers who fax or e-mail protected health information should place disclaimers in their fax coversheets or at the end of their e-mails, attorneys say. John Gilliland of Gilliland & Caudill in Indianapolis offers this template:

This message is confidential, intended only for the named recipient(s) and may contain information that is privileged or exempt from disclosure under applicable law. If you are not the intended recipient(s), you are notified that the dissemination, distribution or copying of this message is strictly prohibited. If you receive this message in error, or are not the named recipient(s), please notify the sender at either the e-mail [or fax] address or the telephone number above and delete this e-mail from your computer [or discard this fax]. Thank you.
