Cyber security remains a hot topic in the world of health data. When it comes to patient privacy, there’s no such thing as “too careful.” Although disclosure of PHI is necessary for billing functions, often more information is used than is actually needed to complete the task, especially e-PHI used in emails between staff and associated vendors.
Business offices must comply with HIPAA requirements, but these requirements should be considered as the minimum and serve as a baseline for an organization’s policy for PHI in emails. According to HHS, the Security Rule does not forbid the use of email for sending e-PHI. However, it does require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.
Sometimes I look at my inbox and am shocked by the number of emails I get with a patient name in the subject line. I always wonder if my name is ever the subject line when my healthcare provider runs into issues with payment of my claims. I would hate thinking my name is sitting out in some email server for who knows how long.
What is your standard on use of patient names in the Business Office? Is the patient name critical in resolving payment issues? Maybe it is time to rethink these practices, and rather than “adequate”, aim for “airtight” when it comes to rules surrounding sensitive PHI and where it is seen, even internally. Here are some suggestions:
Protect your patients’ privacy. When composing or replying to emails, working accounts and reports, always ask yourself “Is the PHI relevant to my billing issue?” Implement and closely follow these e-PHI rules to safeguard against misuse of patient information.
efficientC offers a full suite of tools to ensure compliance throughout the claim cycle. Watch an intro video or give us a call at (800) 799-7469.