These days we use email for everything. We use it to communicate with our staff, our bosses and our vendors. The problem for those of us who work with patient documentation is the proper handling of PHI.
Many facilities now have encrypted email systems where they can encrypt a particular email that contains PHI. This allows them to send what they need to send securely. The receiver has to use a password or passphrase to read the email. This is an excellent option, but what if it isn’t available to you?
If you don’t have a way to encrypt an email that contains PHI, you should not send it over regular email. Depending on the information you need to send, you can remove parts of the name and replace them with an “X” or other character. For example, Allard, Linda would become AXXXXX, LXXXX. The same is true of any information you are sending that is considered PHI.
Something many people forget about is replies and forwards of emails they receive. If someone sends you an email that contains PHI and you reply to it, you have now caused PHI to be transmitted insecurely twice. The reason is that most email systems automatically include the original text of an email in the reply. If there was more than one person on the original email and you used reply all, it is an even bigger problem.
So what do you do if you receive an email where the PHI in it has not been removed and no encryption has been used? First, you should check to see if your facility has a policy concerning how this situation should be handled. The key thing is to make sure that you remove the PHI from the email before you either reply to or forward it. You can use the same simple steps suggested above. Make sure you handle all PHI contained in the email (names, account numbers, dates of birth, phone numbers, etc.). Replace the information that needs to be hidden with other letters or characters. The idea is to ensure that the patient cannot be identified. I also suggest that you note within the email that PHI has been removed. That way, if others were on the original email thread, they won’t accidentally resend the PHI.
If you deal with PHI regularly, you should make it a point to re-read your emails and look closely at everything you are sending or resending to make sure PHI has been removed correctly. Be especially careful where long email threads are involved. We are all busy and have multiple responsibilities, but protecting our patients’ data should be in our thoughts at all times.