True, what you are emailing is PHI to the email address, that doesn't
always equate to a human being (Emails can be forged), and thus the
release of that information to someone other than the person that it is
truly intended for, could constitute a breach of Privacy/Security
Regulations under HIPAA.
I would use this as a guideline, but I would look to your legal/IS
compliance department for more guidance accordingly. This really should
be a discussion between the Doctor and the patient accordingly.
* ePHI = Electronic Protected Health Information
* Medical record number, account number or SSN
* Patient demographic data, e.g., address, date of birth,
date of death, sex, e-mail / web address
* Dates of service, e.g., date of admission, discharge
* Medical records, reports, test results, appointment
dates
1) E-mail is not confidential, nor should it be utilized to send
information of a confidential nature.
2) E-mails should not be used to communicate sensitive medical
information, such as information regarding sexually transmitted
diseases, AIDS/HIV, mental health, developmental disability, or
substance abuse.
Hope that helps a little, honestly, I wouldn't send it, because there is
no assurance that the person you are sending it to are whom they say
they are.
EZ
Edward Ziots
CISSP,MCSA,MCP+I,Security +,Network +,CCA
Network Engineer
Lifespan Organization
401-639-3505
[email protected]
From: paul d [mailto:[email protected]]
Sent: Thursday, May 13, 2010 3:59 PM
To: NT System Admin Issues
Subject: RE: HIPAA Question
I'm not sure what you mean by "viral load." However, if that is a lab
result, the fact that you're emailing it to him constitutes PHI (email
address). HIPAA, as it is interpreted now, defines email as an
"addressable" not a requirement. But, if something happened (sent to
wrong email, for example), I doubt you could convince CMS that it wasn't
a violation.
You could use Pkzip to encrypt a file with the information and then
email that. The newer versions of pkzip use AES.
________________________________
From: [email protected]
To: [email protected]
Subject: HIPAA Question
Date: Thu, 13 May 2010 15:22:20 -0400
Guys, I have a quick HIPAA question. We work with people infected with
HIV. A patient that lives out of state is asking us to email him info
about his viral load. Any suggestions for how to email that info or get
that info to him somehow? If the email content doesn't contain
identifying info, is it ok?
James
________________________________
The New Busy think 9 to 5 is a cute idea. Combine multiple calendars
with Hotmail. Get busy.
<http://www.windowslive.com/campaign/thenewbusy?tile=multicalendar&ocid=
PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_5>
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
