For those looking into email issues specifically, please see HealthyEmail, www.healthyemail.org . It's a nonprofit, I'm on the board, and the point of the exercise is to get policy and procedural tools out to support the clinical (principally physician practice) use of email. The other advisors are heavy hitters in this area (Bill Braithwaite, Danny Sands who was principal author of the AMIA email guidelines, Paul Tang, etc.), and we have posted a non-proprietary primer addressing HIPAA and other risks (I am generally more concerned about those "other risks," by the way), patient communications documents, etc.
Disclosure: It's a nonprofit principally supported by a secure messaging vendor which is a client of mine. Well, does anybody know of a health system, governmental agency or academic body who's going to pay for any major new initiative these days? And this way I know who they're listening to for advice. You can judge the merits of their solution for yourself, if you like, or ping me off list for info. The HealthyEmail documentation itself is not tied to the vendor, and is designed to support any clinical use of email.

Interested party or not, my take is that if there is reasonably affordable/reasonably easy to use encryption available, the "addressable specification" security rule analysis indicates it should be used if you send ePHI over the Internet with any frequency.

John R. Christiansen
Preston | Gates | Ellis LLP
925 Fourth Avenue, Suite 2900
Seattle, Washington 98104
*Direct: 206.370.8118
*Cell: 206.683.9125
* [EMAIL PROTECTED]

Notice: Internet e-mail is inherently insecure. Unencrypted e-mail may be accessible to unauthorized viewers, content may be modified or corrupted, and headers or signatures may incorrectly identify the sender. If you wish to confirm this message or the identity of the sender, please contact me using a communications channel other than a "reply" to this e-mail. Secure electronic messaging is available and recommended for confidential or sensitive communications.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, March 24, 2003 4:43 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: New to this list, have two questions.

We have been wrestling with this question of e-mail security here too. I am with a large integrated delivery system in New Mexico. Our position, however, is that we will not stop the e-mail until we can agree on a workable technical security approach.
We will continue as we have been, while we simultaneously work on a technical security approach (I won't say solution, because there does not appear to be a great "solution" at this time.) We believe it is too risky from a patient care standpoint to completely stop all e-mail, for a couple of reasons:

1) Most of our clinical units use e-mail to communicate with other providers and with patients themselves regarding treatment and care management

2) There have not been any reported problems with security related to this so far (I understand that this doesn't mean there is no risk). Therefore in comparing the benefits and risks to the patient, we felt it was better to continue using e-mail for now.

3) We feel that the advantages of e-mail outweigh the security risks; specifically we see those advantages as:
* speed,
* written documentation of the communication, and
* the fact that both parties don't have to be in communication at the same time (like the phone would require)

4) The best alternative to e-mail would be fax - but that really is not much safer than e-mail from a technical standpoint, and in many cases travels over the same lines. We don't feel like we are buying much in terms of additional security by forcing everyone to use fax. Also, many patients do not have home fax machines.

We are currently working on developing a "secure server" approach. We feel that encryption is not realistic since the technology is not standard enough, nor easily usable by clinicians or patients. We see our biggest challenge with any technical approach, is not the technology, but getting our clinicians and administrative staff to adopt it. Most of our planning will be focused on piloting and adoption strategies for this type of technology, from a very practical standpoint. Is anybody else seeing the adoption challenges of e-mail security technology?
Julie Fulcher
HIPAA Project Manager
Presbyterian Healthcare Services
Albuquerque, New Mexico 87125-6666
(505) 923-6397
[EMAIL PROTECTED]

-----Original Message-----
From: Doug Webb [mailto:[EMAIL PROTECTED]
Sent: Monday, March 24, 2003 1:45 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: New to this list, have two questions.

Gregory,

Just to amplify on Judith's remarks, you are exposed to the risk NOW, not when the final Security Rule fully kicks in. You are accepting a huge risk anytime you expose PHI to the Internet. Remember that any of the millions of computers on the net can read this if they so choose. Strong encryption appears to be the only way to protect PHI on the Internet. If you would consider putting the information on a post card, perhaps it might be far enough away from PHI to consider mentioning it in an e-mail. E-mail can be accessed by many more people than a typical post card will be exposed to.

As to your third question, there are four (at least) WEDI listserves that cover various portions of the topics you mentioned: Privacy, Security, Transactions, and Code Sets. Pick the ones that serve your needs the best.

The opinions expressed here are my own and not necessarily the opinion of LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital & Health Care Centers
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

"This electronic message may contain information that is confidential and/or legally privileged. It is intended only for the use of the individual(s) and entity(s) named as recipients in the message. If you are not an intended recipient of the message, please notify the sender immediately, delete the material from any computer, do not deliver, distribute, or copy this message, and do not disclose its contents or take action in reliance on the information it contains. Thank you."
----- Original Message -----
From: Bentz-Miller, Judith <mailto:[EMAIL PROTECTED]>
To: WEDI SNIP Privacy Workgroup List <mailto:[EMAIL PROTECTED]>
Sent: Monday, March 24, 2003 02:10 PM
Subject: RE: New to this list, have two questions.

This was part of our privacy audit due to the following reg:

§ 164.530 Administrative requirements.
(c) (1) Standard: safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.
(2) Implementation specification: safeguards. (I) A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.

We knew this was an issue, so we took the "no email to patients" approach also. In our opinion, it is just too big of a risk.

Judith Bentz-Miller
Privacy Officer
Arnett Clinic
765-448-8843

-----Original Message-----
From: Gregory Park [mailto:[EMAIL PROTECTED]
Sent: Monday, March 24, 2003 3:01 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: New to this list, have two questions.

One follow-up question/remark/plead for public opinion to your response Deborah.

"...no PHI will be sent via email..."

Is that now or when? Are you considering yourself at risk now because of the ruling? Just curious as I have heard others in the field drop the "PHI Email" gate immediately as soon as they understood the Security rules. Wouldn't you continue as usual and work towards a reasonable solution effective before 2005?

Greg Park
Product Manager
DB Technology Inc.
Office: 800-760-4096 x117
Cell: 484-919-0392
PA Office: 610-397-0288
www.dbtech.com

-----Original Message-----
From: Deborah Campbell [mailto:[EMAIL PROTECTED]
Sent: Monday, March 24, 2003 9:39 AM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: New to this list, have two questions.

Here's my opinion.
I'd be interested if anyone has other opinions.

1) An email is unprotected as soon as it is sent over the internet. Almost anyone can intercept it. So you need to determine your risk and what you want to do to eliminate it. We have determined that no PHI will be sent via email until we have an encryption solution.

2) It depends what the Case Manager is doing. If they are working "on behalf of" the insurance carrier, then they are either an employee of the carrier or a BA of the carrier. If they are doing Quality Assurance on behalf of the carrier, you are permitted to release PHI to them without the need of any contract with them (the carrier would have the contract). Check § 164.506(c)(4) of the August revisions of the Privacy Rule.

Deborah

Deborah Campbell
Compliance Coordinator
Dominion Dental Services, Inc.
115 South Union Street, Suite 300
Alexandria, Virginia 22314
Phn: (703) 518-5000 ext. 3035
Fax: (703) 518-8849
Toll Free: 888-518-5338
Email: [EMAIL PROTECTED]

*******************************************
The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful.
*******************************************

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 24, 2003 9:25 AM
To: WEDI SNIP Privacy Workgroup List
Subject: New to this list, have two questions.

Hello List,

I am new to this list, so please be patient with me, if I ask any questions that have been addressed repeatedly in the past. Anyway, I am the HIPAA Privacy Officer for a Physician's Group Practice and have just recently finished our first round of "Privacy Training and Education" for the group.
Two questions came up that I could not answer specifically:

1) Is there specific direction as to what we can and can not discuss during e-mails between the clinic and patient; and

2) Do we need a contract between Nurse Case Manager's that come in to our office to discuss treatment plans with our doctors (that are contracted by the Insurance Carrier) and our Physician's Group to satisfy "Business Associate Policy" portion of our HIPAA Privacy Rule policies?

I appreciate any information available. Also, please let me know if there are other "List-Serves" that are more specific to "Healthcare Privacy, Security & Electronic Transactions."

Thank You,

Daryl Ewing, CPC
RPK Anesthesia, P.A.

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
--- PRESBYTERIAN HEALTHCARE SERVICES DISCLAIMER ---
This message originates from Presbyterian Healthcare Services or one of its affiliated organizations. It contains information, which may be confidential or privileged, and is intended only for the individual or entity named above. It is prohibited for anyone else to disclose, copy, distribute or use the contents of this message. All personal messages express views solely of the sender, which are not to be attributed to Presbyterian Healthcare Services or any of its affiliated organizations, and may not be distributed without this disclaimer. If you received this message in error, please notify us immediately at [EMAIL PROTECTED]