HIPAA E-mail Security

February 6, 2012

Background

More and more people are using e-mail to communicate with friends, family, colleagues, and businesses. However, only a small percentage of physicians and healthcare providers regularly use e-mail to communicate with patients.

Advantages

The advantages of e-mail communication between providers and patients are numerous and include the elimination of telephone tag and voice mail messages; the ability to attach educational materials or test results; and improved documentation as compared to that traditionally associated with telephone calls and physician recollection of patient-provider discussion. When used in addition to, rather than as a substitute for, face-to-face communication, e-mail may also enhance the patient/provider relationship.

Risks

There are risks, however, associated with the use of e-mail by patients and providers to discuss health-related matters. The risks include information leakage, data integrity violations, repudiation, and others. Following is a brief overview of the major issues.

Information Leakage:

1) Employers and online services retain the right to archive and inspect messages transmitted through their systems.

2) Either party might accidentally send an e-mail to the wrong person.

3) E-mail might be left visible on an unattended terminal.

4) E-mail can be printed, circulated, forwarded, and stored in numerous paper and electronic files.

5) E-mail is discoverable for legal purposes.

6) A person authorized to access the information might use it for an unauthorized purpose or disclose it to an unauthorized party.

7) Confidential health information might be obtained by an unauthorized entity from discarded media.

8) E-mail may be vulnerable to computer hackers who could then transmit the information for illegitimate purposes.

9) Phony e-mail could dupe legitimate users into voluntarily giving up sensitive information.

Data Integrity Violations:

1) E-mail is easily intercepted and altered without detection.

2) E-mail can be used to introduce viruses into computer systems.

3) An impostor can forge e-mail.

Repudiation:

1) A party to the communication could falsely deny that the exchange of information ever took place.

Other Risks:

1) The sender may assume, but doesn’t necessarily know, that his/her message was delivered.

2) The recipient might not check his messages within the time frame the sender expects.

3) The attachments embedded in the e-mail might be in a format the recipient’s software can’t read.

4) E-mail can be misinterpreted. Without verbal and nonverbal feedback, the sender can’t confirm that his/her messages are understood.

Safeguards can be devised and implemented against most threats. However, these are not without costs.

Legal and Regulatory Requirements

Federal statutes and regulations that address patients’ right to privacy of health information include the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Medicare Conditions of Participation, and the Code of Federal Regulations relative to Alcohol and Drug Abuse.

HIPAA contains requirements that health information be protected against threats to its security and integrity and against unauthorized use. A notice of proposed rulemaking (45 CFR, Parts 160-164) published Nov. 3, 1999, proposed standards to protect the privacy of individually identifiable health information maintained or transmitted electronically in connection with certain administrative and financial transactions.

The Conditions of Participation with which healthcare facilities must comply to be eligible for Medicare funds vary based on the healthcare entity. The conditions are as follows:

1) Hospitals: “The hospital must have a procedure for ensuring the confidentiality of patient records. Information from or copies of records may be released only to authorized individuals, and the hospital must ensure that unauthorized individuals cannot gain access to or alter patient records.”

2) Home health agencies: “Clinical record information is safeguarded against loss or unauthorized use.”

3) States and long-term care: “The resident has the right to personal privacy and confidentiality of his or her personal and clinical records.”

4) Comprehensive outpatient rehabilitation facilities: “The facility must safeguard clinical record information against loss, destruction, or unauthorized use.”

5) Critical access hospitals: “The facility must safeguard the clinical information against loss, destruction or unauthorized use.”

6) Outpatient physical therapy services furnished by physical therapists in independent practice: “Clinical record information is recognized as confidential and is safeguarded against loss, destruction, or unauthorized use.”

The Privacy Act of 1974 mandates that federal information systems must protect the confidentiality of individually identifiable data. Section 5 U.S.C. 552a (e) (10) of the act is very clear: federal systems must “establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.”

Further, an HCFA Internet Security Policy issued in November 1998 states that “a complete Internet communications implementation must include adequate encryption, employment of authentication or identification of communications partners, and a management scheme to incorporate effective password/key management systems.” The policy is meant to establish the basic security requirements that must be addressed before HCFA Privacy Act protected and other sensitive HCFA information is transmitted over the Internet.

www.bestitdocuments.com