Posts

Email Messages and HIPAA

Electronic mail messages (“email”) are an economical and timely way for doctors and patients to communicate with each other, and they are addressed in the Code of Federal Regulations at 45 CFR 164.522(b). The prevailing principle is that covered entities (doctors) are not restricted from using email to leave messages about appointments or the dispensing of product, but the content of the message must be limited to the “minimum necessary” amount of information. However, if the patient specifically restricts email or phone messages, the doctor can no longer use those channels to communicate with that patient.

The next question is whether all email from a doctor needs to be secure. In most cases, if the patient authorizes it, the doctor can use email to send a message to the patient. It is not required that all correspondence between a doctor and patient be secure, but because the doctor might unintentionally release protected health information (PHI), the doctor should consider using only secure email. The consumer Google Mail service (“Gmail”), for which Google does not sign a business associate agreement, is not HIPAA compliant on its own because it relies solely on Secure Socket Layer (SSL, now TLS) for encryption. That secures the transport between the mail client and the server, not the content: the message body can be read at the provider and at any intermediate mail server that handles it in the clear. HIPAA’s Security Rule expects the content to be protected as well (encryption of electronic PHI is an addressable safeguard), and encryption of the message body itself, end to end, is what provides that. A number of encrypted email providers meet the HIPAA requirements and can be found through an Internet search.

An example of the minimum necessary information in an insecure or unencrypted email is “Ms. Smith, please call (123) 456-7890. Dr. ABC”. The doctor should avoid saying what the call is for or identifying the doctor’s specialty. Even if the patient explicitly authorizes normal email messaging, the doctor should still limit the message to the minimum necessary PHI. This also applies to telephone and text messages.

In summary, the doctor should use a secure email provider and send messages with only the minimum necessary information.
Tips4EyeDocs, Richard Hom OD. Dr. Hom is a noted security and computer blogger.

HIPAA and Sign-in Sheets

Richard Hom as #Tips4EyeDocs – HIPAA and Sign-in Sheets

Doctors invariably use sign-in forms or computer tablets/terminals to identify patients for appointments or walk-ins. Typically, the sign-in form lies near the reception desk where the patient first engages the office. The question is how much liability for HIPAA violations sign-in sheets expose doctors to.

Under 45 CFR 164.502(a)(1)(iii), which permits incidental disclosures, doctors “may use sign-in sheets or call out patients in waiting rooms, so long as the information disclosed is appropriately limited.” HIPAA explicitly permits this, but the sheet should not include any other information about the patient’s medical background.[1]

Unfortunately, opinions vary on what counts as medical information that must not be disclosed. Even the specialization of the doctor may be too much information and may expose a doctor to a complaint for a breach.[2] For instance, if there is a space for “reason for visit”, this may exceed the minimum information necessary to identify a patient. The permitted entries are: date, name, arrival and appointment times, and who the appointment is with.[3]

In summary, use a sign-in sheet and call the patient from the reception area, but limit what you say in public.


References

[1] N.a. “Code of Federal Regulations.” Gpo.gov. 7 Jun. 2016. Web. 15 Dec. 2017. <https://www.gpo.gov/fdsys/pkg/CFR-2003-title45-vol1/xml/CFR-2003-title45-vol1-sec164-502.xml>
[2] Ferran, T. “Are Patient Sign In Sheets HIPAA Compliant?.” Blog.securitymetrics.com. 14 Dec. 2017. Web. 15 Dec. 2017. <http://blog.securitymetrics.com/2014/08/sign-in-sheets.html>
[3] Touchstone Compliance. “What the HIPAA Privacy Rule Says about Patient Sign-In Sheets.” Touchstone Compliance. 7 Feb. 2015. Web. 15 Dec. 2017. <https://www.touchstonecompliance.com/what-the-hipaa-privacy-rule-says-about-patient-sign-in-sheets/>