I told the practice manager not to send it because I believed that the email 
address itself is PHI and even if you encrypt the data the email address is 
still out there as well as ours and we are obviously a company that deals in 
HIV/AIDS. I also told her "what if a family member opens that email that is not 
aware of this person's status and the person doesn't want that family member to 
know?". They are going to have to find another way.

James 
  ----- Original Message ----- 
  From: Ziots, Edward 
  To: NT System Admin Issues 
  Sent: Thursday, May 13, 2010 4:30 PM
  Subject: RE: HIPAA Question


  True, what you are emailing is PHI to the email address, that doesn't always 
equate to a human being (Emails can be forged), and thus the release of that 
information to someone other than the person that it is truly intended for, 
could constitute a breach of Privacy/Security Regulations under HIPAA. 

   

  I would use this as a guideline, but I would look to your legal/IS compliance 
department for more guidance accordingly. This really should be a discussion 
between the Doctor and the patient accordingly. 

   

    - ePHI = Electronic Protected Health Information
      - Medical record number, account number or SSN
      - Patient demographic data, e.g., address, date of birth, date of death, sex, e-mail / web address
      - Dates of service, e.g., date of admission, discharge
      - Medical records, reports, test results, appointment dates
   

   

  1)      E-mail is not confidential, nor should it be utilized to send 
information of a confidential nature. 

  2)      E-mails should not be used to communicate sensitive medical 
information, such as information regarding sexually transmitted diseases, 
AIDS/HIV, mental health, developmental disability, or substance abuse.

   

  Hope that helps a little, honestly, I wouldn't send it, because there is no 
assurance that the person you are sending it to is who they say they are. 

  EZ

   

  Edward Ziots

  CISSP,MCSA,MCP+I,Security +,Network +,CCA

  Network Engineer

  Lifespan Organization

  401-639-3505

  [email protected]

   

  From: paul d [mailto:[email protected]] 
  Sent: Thursday, May 13, 2010 3:59 PM
  To: NT System Admin Issues
  Subject: RE: HIPAA Question

   

  I'm not sure what you mean by "viral load."  However, if that is a lab 
result, the fact that you're emailing it to him constitutes PHI (email 
address).  HIPAA, as it is interpreted now, defines email as an "addressable" 
not a requirement.  But, if something happened (sent to wrong email, for 
example), I doubt you could convince CMS that it wasn't a violation.

  You could use PKZIP to encrypt a file with the information and then email 
that.  The newer versions of PKZIP use AES.


------------------------------------------------------------------------------

  From: [email protected]
  To: [email protected]
  Subject: HIPAA Question
  Date: Thu, 13 May 2010 15:22:20 -0400

  Guys, I have a quick HIPAA question. We work with people infected with HIV. A 
patient that lives out of state is asking us to email him info about his viral 
load. Any suggestions for how to email that info or get that info to him 
somehow? If the email content doesn't contain identifying info, is it ok? 

   

  James

   

  

