Tell me the truth (but don’t say it out loud)…are you emailing ePHI? If you are, we need to talk. Every office I go into to do a security risk assessment tells me they NEVER email ePHI. As I peel back the onion, I find out they are indeed emailing ePHI. So now what? I can tell them to stop, but they are not going to. In some cases, they argue with me, telling me that what they are sending is NOT ePHI. So let’s start with a good identification of exactly what ePHI is.
What information is considered protected?
In a nutshell, the Privacy Rule protects all “individually identifiable health information.” This includes demographic data that relates to:
- The person’s past, present or future physical or mental health condition.
- The provision of health care to the individual.
- The past, present or future payment for health care provided to the individual.
Individually identifiable health information includes many common identifiers, such as name, address, date of birth, and social security number.
De-Identified Health Information
There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. Therefore, you should not email a patient appointment information.
Keep in mind that you cannot control what comes into YOUR email. For example, if a patient decides to send you a picture of a bump on their head, that is not in your control. Still, you should have a policy in place to remove these items from your email, phone or tablet. You certainly don’t want patient information lingering around.
How can you securely email patient information?
There are a few ways. What I find best is to use Office 365. Office 365 is a subscription-based email service that we are switching most of our clients over to. The cost is somewhere between $4.00 and $12.50 per mailbox, depending on what features you want, e.g. Word, Excel, PowerPoint, etc. If you would like encryption, it would cost you an additional $2.00 per mailbox. Not bad for a little safety!
Another way to send secure email is through your EMR. It is required that they have a portal to share notes, results and emails with patients. Personally, I think that is your best bet. If you have a portal, use it. It also makes you look “high tech” with the patient!
As painful as it might be, do a check in your office to see if anyone is sending ePHI through email. If so, you most likely will want to fix the problem.