Sending Protected Health Information (PHI) by email exposes the PHI to two risks:
• The email could be sent to the wrong person, usually because of a typing mistake or selecting the wrong name in an auto-fill list.
• The email could be captured electronically.
HIPAA requires that we take reasonable steps to protect against these risks but acknowledges that a bal- ance must be struck between the need to secure PHI and the need to ensure that clinicians can efficiently exchange important patient care information. The MidSouth Rehab’s HIPAA Policy on Communicating PHI via Email (MR-080) and Personal Device Policy (MR-075) strikes a reasonable balance.
You must continue to observe the following rules:
• Limit the information you include in an email to the minimum necessary for your clinical or billing purpose.
• Whenever possible, avoid transmitting highly sensitive PHI (for example, mental health, substance abuse, or HIV information) by email.
• Never use automatic forwarding with your midsouthrehab.com email account.
• Never send PHI by email unless you have verified the recipient’s address (for example, from a director or a previous email) and you have checked and double-checked that you have entered the address correctly.
• Always include a privacy statement notifying the recipient of the insecurity of the email and providing a contact to whom a recipient can report a misdirected message. This statement is on all midsouthrehab.com emails by default that go outside of our domain.
You may continue sending PHI by email from one midsouthrehab.com email address to another midsouthrehab.com email address or to a MidSouth Rehab partner email address (including trilogy- health.com, casamba.net, and yalobushageneral.com) so long as you follow the rules above.
You may exchange PHI by email outside the midsouthrehab.com network, so long as you follow the rules above AND so long as one of the circumstances below applies:
1. The email is being sent to a non-MidSouthRehab clinician AND it contains information urgently needed for patient care AND the patient identifiers are limited to name, date of birth, medical record number, or phone number, as needed.
OR
2. The email is being sent to a non-MidSouthRehab clinician AND it must be transmitted in a timely manner, AND it contains no direct identifiers (name, address, Social Security number, date of birth, phone/ fax numbers, or patient email address) and no highly sensitive PHI (for example, mental health, substance abuse, or HIV-related information).
Note: Less direct identifiers such as medical record number or initials (for example, “Mr. S”) may be included.
OR
3. The patient or research subject has agreed to the use of email by completing a Consent for Email Communication form
OR
4. The email is encrypted through a secure messaging system such as encrypted MidSouthRehab email.
Note: All email that contain PHI sent to external destinations shall be encrypted prior to delivery by placing the keyword “Encrypt” in the subject line.
Please note that the circumstances set out above include different time elements. You may send PHI by email to non-MidSouthrehab clinicians (circumstances 1 or 2) only if the information must be communicat- ed in an urgent or timely manner. There is no timeliness requirement attached to circumstances 3 or 4.
Remember:
• These guidelines attempt to minimize the risk of a breach of privacy, but they do not eliminate that risk.
• If you discover that an email with PHI has been misdirected, you must immediately report it to the privacy/security officer: Clinton Mayes at 601-605-6777 ext: 1346 or hotline: 800-259-2417
Frequently Asked Questions
Can I send an encrypted email
with attachments?
Yes. When you encrypt the email by adding [encrypt] to the start of the subject line, both the message itself and any attachments are encrypted.
What do I do if a patient sends me an unencrypted email?
Patients can send their own information in any way that they deem appropriate, including via unencrypted email. Before responding to a patient’s email, it is important to verify that the email is in fact from the patient. Some things to consider:
•Is the email address the same as the email address that is on file?
• Does the email contain information that only the patient would know?
If there is any doubt about the authenticity of the sender, contact the patient using the phone number on file in the EMR system.
In responding to a patient’s unencrypted email, you have several options:
• Respond to the patient using encrypted email.
• Review the patient’s chart to see if they have consented to the use of unencrypted email using the HIPAA Email Authorization form or the HIPAA Representative form.
• Respond to the patient via unencrypted email without including any PHI, including deleting any PHI that the patient had previously sent to you. In your initial response, it would be advisable to confirm that the patient would like to continue sending PHI via unencrypted email.
How do I know if a patient has authorized the use of unencrypted email?
The following are indicators that the patient has been warned of the risks of unencrypted email and has authorized its use:
• Signed authorization for communication form has been scanned into the EMR system and on file with MidSouthRehab.
• There is an email address listed in the patient demographics screen of patient registration. (Note: Staff members are expected to remind patients of the risks of unencrypted email when requesting email addresses verbally.)
• The patient indicates in the email that he or she approves the use of unencrypted email.
Clinton Mayes, CHPC, CHSP
Director of IT