Cyber security remains a hot topic in the world of health data. When it comes to patient privacy, there’s no such thing as “too careful.” Although disclosure of PHI is necessary for billing functions, more information is often used than is actually needed to complete the task, especially e-PHI sent in emails between staff and associated vendors.
Business offices must comply with HIPAA requirements, but these requirements should be treated as the minimum and serve as a baseline for an organization’s policy on PHI in emails. According to HHS, the Security Rule does not expressly prohibit the use of email for sending e-PHI. However, its access control, integrity, and transmission security standards (45 CFR § 164.312(a), (c)(1), and (e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.
Sometimes I look at my inbox and am shocked by the number of emails I get with a patient name in the subject line. I always wonder if my name is ever in the subject line when my healthcare provider runs into issues with payment of my claims. I would hate to think my name is sitting on some email server for who knows how long.
What is your standard for the use of patient names in the Business Office? Is the patient name critical to resolving payment issues? Maybe it is time to rethink these practices and, rather than “adequate”, aim for “airtight” when it comes to rules about sensitive PHI and where it is seen, even internally. Here are some suggestions:
- Prohibit the use of a patient name in internal or external emails. If the patient name is necessary for some reason, keep it in the body of the email (never the subject line, which is exposed in mail logs, notifications and previews) and make sure the message is sent encrypted.
- Review all standard internal reports and ATBs (aged trial balances) for patient names. Question whether the patient names are truly necessary. Removing them reduces the risk of a report being emailed internally or externally with patient names, which are far more identifiable than patient control numbers.
- Make sure your policy includes a statement that says “PHI may be distributed to multiple recipients; however, the use of distribution lists is prohibited.” PHI is to be distributed only to those with a legitimate “need to know”, and a distribution list maintained for informational purposes does not establish “need to know” for every member. Reports sent to distribution lists should be limited to the minimum necessary and, in practice, should contain no PHI at all.
- If replying to an email that contains PHI in the subject line, or PHI other than the medical record number, account number, or date of service in the body, that PHI must be deleted from the quoted message before the reply is sent.
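The four rules above can be enforced at the point of sending rather than left to memory. The following is an added example of a pre-send policy check, not code from the original post or from any particular mail product. It assumes a roster of patient names is available from the patient index (a constructed sample is embedded below), that distribution-list addresses are known to the gateway (also constructed here), and it models only the identifiers the rules actually name: patient names are the PHI it detects and strips, while account numbers and dates of service are left untouched in the body.

```python
"""Pre-send check for the Business Office e-mail PHI rules.

Added example, not part of the original post. Patient names are matched
against a roster (assumption: supplied by the patient index); the sample
roster, distribution lists and messages below are constructed for the demo.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample roster (assumption: in production, loaded from the patient index).
PATIENT_NAMES = ["Jane Doe", "John Q Public"]

# Constructed sample of distribution-list addresses the gateway knows about.
DISTRIBUTION_LISTS = {"billing-all@example.org", "revenue-cycle@example.org"}

REDACTED = "[name removed]"


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    encrypted: bool = False  # True when the message will be sent via the secure gateway


@dataclass
class CheckResult:
    violations: List[str] = field(default_factory=list)
    sanitized: Message = None


def _name_pattern(names: List[str]) -> re.Pattern:
    """Whole-word, case-insensitive match for any roster name."""
    alternatives = "|".join(re.escape(n) for n in names)
    return re.compile(rf"\b(?:{alternatives})\b", re.IGNORECASE)


def check_message(msg: Message, is_reply: bool = False,
                  names: List[str] = PATIENT_NAMES,
                  lists: set = DISTRIBUTION_LISTS) -> CheckResult:
    """Apply the rules and return the violations plus a message that satisfies them.

    - A patient name in the subject line is always a violation (rule 1).
    - A patient name in the body of a new message is a violation unless the
      message is sent encrypted (rule 1).
    - A reply must not carry a patient name in subject or body at all (rule 4);
      account numbers and dates of service are permitted and are left alone.
    - Any distribution-list recipient is a violation (rule 3).
    """
    pat = _name_pattern(names)
    result = CheckResult()

    if pat.search(msg.subject):
        result.violations.append("patient name in subject line")

    if pat.search(msg.body):
        if is_reply:
            result.violations.append("patient name in body of a reply")
        elif not msg.encrypted:
            result.violations.append("patient name in body of unencrypted message")

    list_recipients = [r for r in msg.recipients if r.lower() in lists]
    for r in list_recipients:
        result.violations.append(f"distribution list recipient: {r}")

    # Build the version that may be sent: names stripped wherever the rules
    # forbid them, distribution lists dropped from the recipient set.
    strip_body = is_reply or not msg.encrypted
    result.sanitized = Message(
        sender=msg.sender,
        recipients=[r for r in msg.recipients if r.lower() not in lists],
        subject=pat.sub(REDACTED, msg.subject),
        body=pat.sub(REDACTED, msg.body) if strip_body else msg.body,
        encrypted=msg.encrypted,
    )
    return result


if __name__ == "__main__":
    # Constructed sample: a reply that quotes the patient name in subject and body.
    reply = Message(
        sender="clerk@example.org",
        recipients=["payer-rep@example.com", "billing-all@example.org"],
        subject="Re: Jane Doe claim denial",
        body="Acct 12345, DOS 01/02/2024. Patient Jane Doe was seen for a follow-up.",
    )
    outcome = check_message(reply, is_reply=True)
    for v in outcome.violations:
        print("BLOCKED:", v)
    print("Sanitized subject:", outcome.sanitized.subject)
    print("Sanitized body:", outcome.sanitized.body)
```

The check deliberately returns a sanitized copy rather than only rejecting the message, so a gateway can either block and explain, or strip and deliver, according to local policy. Detecting identifiers beyond names (for example Social Security numbers) would need additional patterns; the roster lookup is the minimum needed to enforce the rules as written.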
Protect your patients’ privacy. When composing or replying to emails, or working accounts and reports, always ask yourself “Is this PHI relevant to my billing issue?” Implement and closely follow these e-PHI rules to safeguard against misuse of patient information.