They're usually referred to as Privacy or Security officers. For example, a CISO. For HIPAA, there can also be a compliance officer. And, to the OP, you'll eventually have to come up with some way to electronically deliver the data as it's part of the meaningful use act; you have to be able to give a patient their medical record by electronic means if they so desire.
Subject: RE: HIPAA Question Date: Fri, 14 May 2010 10:09:32 +0100 From: [email protected] To: [email protected] Good God please don't do that! Password protected Word documents do not stand up to scrutiny. I don't work withy HIPAA at all, but I have worked within UK FSA and DPA guidelines for PII type data. If the patient demands it, you can send it unencrypted (we did this with voice recordings on CD .. policy was all CDs/DVDs had to be encrypted, but if a customer demanded a recording of a call we could send an audio CD via Registered Post (they must sign)). Personally, I would advise the patient of the issues around this action and offer to post it via some recorded method. If they wanted it electronically - perhaps you have some portal they can register on and log into to retrieve results? If it has to be email, they could send you an email requesting it that you respond to (helps with audit trail). I would suggest encryption - we use S/MIME a lot as it's easy for users in comparison to PGP and the like. Whatever you do, it should be based on having a policy and something your data protection officer (do you have such people in the US!?) and legal team are happy with. Going outside the loop tends to get you fired if it goes pear shaped ... a From: John Cook [mailto:[email protected]] Sent: 13 May 2010 21:34 To: NT System Admin Issues Subject: Re: HIPAA Question Put it into a passworded Word doc and verbally give them the password. From: James Kerr <[email protected]> To: NT System Admin Issues <[email protected]> Sent: Thu May 13 15:22:20 2010 Subject: HIPAA Question Guys, I have a quick HIPAA question. We work with people infected with HIV. A patient that lives out of state is asking us to email him info about his viral load. Any suggestions for how to email that info or get that info to him somehow? If the email content doesn't contain identifying info, is it ok? James CONFIDENTIALITY STATEMENT: The information transmitted, or contained or attached to or with this Notice is intended only for the person or entity to which it is addressed and may contain Protected Health Information (PHI), confidential and/or privileged material. Any review, transmission, dissemination, or other use of, and taking any action in reliance upon this information by persons or entities other than the intended recipient without the express written consent of the sender are prohibited. This information may be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other Federal and Florida laws. Improper or unauthorized use or disclosure of this information could result in civil and/or criminal penalties. Consider the environment. Please don't print this e-mail unless you really need to. This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the company. Warning: Although precautions have been taken to make sure no viruses are present in this email, the company cannot accept responsibility for any loss or damage that arise from the use of this email or attachments. ************************************************************************************ WARNING: The information in this email and any attachments is confidential and may be legally privileged. If you are not the named addressee, you must not use, copy or disclose this email (including any attachments) or the information in it save to the named addressee nor take any action in reliance on it. If you receive this email or any attachments in error, please notify the sender immediately and then delete the same and any copies. "CLS Services Ltd × Registered in England No 4132704 × Registered Office: Exchange Tower × One Harbour Exchange Square × London E14 9GE" _________________________________________________________________ The New Busy think 9 to 5 is a cute idea. Combine multiple calendars with Hotmail. http://www.windowslive.com/campaign/thenewbusy?tile=multicalendar&ocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_5 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
