For those looking into email issues specifically, please see HealthyEmail,
www.healthyemail.org . It's a nonprofit, I'm on the board, and the point of
the exercise is to get policy and procedural tools out to support the
clinical (principally physician practice) use of email. The other advisors
are heavy hitters in this area (Bill Braithwaite, Danny Sands who was
principal author of the AMIA email guidelines, Paul Tang, etc.), and we have
posted a non-proprietary primer addressing HIPAA and other risks (I am
generally more concerned about those "other risks," by the way), patient
communications documents, etc.

Disclosure: It's a nonprofit principally supported by a secure messaging
vendor which is a client of mine.  Well, does anybody know of a health
system, governmental agency or academic body who's going to pay for any
major new initiative these days? And this way I know who they're listening
to for advice. You can judge the merits of their solution for yourself, if
you like, or ping me off list for info. The HealthyEmail documentation
itself is not tied to the vendor, and is designed to support any clinical
use of email.

Interested party or not, my take is that if there is reasonably
affordable/reasonably easy to use encryption available, the "addressable
specification" security rule analysis indicates it should be used if you
send ePHI over the Internet with any frequency. 

John R. Christiansen
Preston | Gates | Ellis LLP
925 Fourth Avenue, Suite 2900
Seattle, Washington 98104
*Direct: 206.370.8118 *Cell: 206.683.9125
* [EMAIL PROTECTED]
Notice: Internet e-mail is inherently insecure. Unencrypted e-mail may be
accessible to unauthorized viewers, content may be modified or corrupted,
and headers or signatures may incorrectly identify the sender. If you wish
to confirm this message or the identity of the sender, please contact me
using a communications channel other than a "reply" to this e-mail. Secure
electronic messaging is available and recommended for confidential or
sensitive communications.
 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, March 24, 2003 4:43 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: New to this list, have two questions.


We have been wrestling with this question of e-mail security here too.
I am with a large integrated delivery system in New Mexico.
 
Our position, however, is that we will not stop the e-mail until we can
agree on a workable technical security approach.
We will continue as we have been, while we simultaneously working on a
technical security approach 
(I won't say solution, because there does not appear to be a great
"solution" at this time.)
 
We believe it is too risky from a patient care standpoint to completely stop
all e-mail, for a couple of reasons:
1) Most of our clinical units use e-mail to communicate with other providers
and with patients themselves regarding treatment and care management
2) There have not been any reported problems with security related to this
so far (I understand that this doesn't mean there is no risk).  Therefore in
comparing the benefits and risks to the patient, we felt it was better to
continue using e-mail for now.
3) We feel that the advantages of e-mail outweigh the security risks;
specifically we see those advantages as:  

*       speed, 
*       written documentation of the communication, and 
*       the fact that both parties don't have to be in communication at the
same time (like the phone would require) 

4) The best alternative to e-mail would be fax - but that really is not much
safer than e-mail from a technical standpoint, and in many cases travels
over the same lines.  We don't feel like we are buying much in terms of
additional security by forcing everyone to use fax.  Also, many patients do
not have home fax machines.
 
We are currently working on developing a "secure server" approach.
We feel that encryption is not realistic since the technology is not
standard enough, nor easily usable by clinicians or patients.
 
We see our biggest challenge with any technical approach, is not the
technology, but getting our clinicians and administrative staff to adopt it.
Most of our planning will be focused on piloting and adoption strategies for
this type of technology, from a very practical standpoint.
 
Is any body else seeing the adoption challenges of e-mail security
technology?
 
Julie Fulcher 
HIPAA Project Manager 
Presbyterian Healthcare Services 
Albuquerque, New Mexico 87125-6666 
(505) 923-6397 
[EMAIL PROTECTED] 

 

-----Original Message-----
From: Doug Webb [mailto:[EMAIL PROTECTED]
Sent: Monday, March 24, 2003 1:45 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: New to this list, have two questions.


Gregory,
Just to amplify on Judith's remarks,
You are exposed to the risk NOW, not when the final Security Rule fully
kicks in.
You are accepting a huge risk anytime you expose PHI to the Internet.
Remenber that any of the millions of computers on the net can read this if
they so choose.  Strong encryption appears to be the only way to protect PHI
on the Internet.
 
If you would consider putting the information on a post card, perhaps it
might be far enough away from PHI to consider mentioning it in an e-mail.
E-mail can be accessed by many more people than typical a post card will be
exposed to.
 
As to your third question, there are four (at least) WEDI listserves that
cover various portions of the topics you mentioned:
   Privacy, Security, Transactions, and Code Sets.
Pick the ones that serve your needs the best.
 
The opinions expressed here are my own and not necessarily the opinion of
LCMH.
 
Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital & Health Care Centers
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> 
 
"This electronic message may contain information that is confidential and/or
legally privileged. It is intended only for the use of the individual(s) and
entity(s)  named as recipients in the message. If you are not an intended
recipient of the message, please notify the sender immediately,  delete the
material from any computer, do not deliver, distribute, or copy this
message, and do not disclose its contents or take action in reliance on the
information it contains. Thank you."
 

 

----- Original Message ----- 
From: Bentz-Miller,  <mailto:[EMAIL PROTECTED]> Judith 
To: WEDI SNIP Privacy Workgroup  <mailto:[EMAIL PROTECTED]> List 
Sent: Monday, March 24, 2003 02:10 PM
Subject: RE: New to this list, have two questions.

This was part of our privacy audit due to the following reg:

 164.530 Administrative requirements.

(c)        (1) Standard: safeguards. A covered entity must have in place
appropriate administrative, technical, and physical safeguards to protect
the privacy of protected health information.

 (2) Implementation specification: safeguards. 

(I)                 A covered entity must reasonably safeguard protected
health information from any intentional or unintentional use or disclosure
that is in violation of the standards, implementation specifications or
other requirements of this subpart.  

We knew this was an issue, so we took the "no email to patients" approach
also.  In our opinion, It is just too big of a risk.   

Judith Bentz-Miller 
Privacy Officer 
Arnett Clinic 
765-448-8843 

 

 -----Original Message-----
From: Gregory Park [mailto:[EMAIL PROTECTED]
Sent: Monday, March 24, 2003 3:01 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: New to this list, have two questions.



One follow-up question/remark/plead for public opinion to your response
Deborah.
 
"...no PHI will be sent via email..."  Is that now or when?  Are you
considering yourself at risk now because of the ruling?  Just curious as I
have heard others in the field drop the "PHI Email" gate immediately as soon
as they understood the Security rules.  Wouldn't you continue as usual and
work towards a reasonable solution effective before 2005?
 

Greg Park
Product Manager
DB Technology Inc.
Office:          800-760-4096 x117
Cell:             484-919-0392
PA Office:     610-397-0288 

www.dbtech.com 

-----Original Message-----
From: Deborah Campbell [mailto:[EMAIL PROTECTED]
Sent: Monday, March 24, 2003 9:39 AM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: New to this list, have two questions.



Here's my opinion. I'd be interested if anyone has other opinions. 
1) An email is unprotected as soon as it is sent over the internet. Almost
anyone can intercept it. So you need to determine your risk and what you
want to do to eliminate it. We have determined that no PHI will be sent via
email until we have an encryption solution.

2) It depends what the Case Manager is doing. If they are working "on behalf
of 
 the insurance carrier, then they are either an employee of the carrier or a
BA of the carrier. If they are doing Quality Assurance on behalf of the
carrier, you are permitted to release PHI to them without the need of any
contract with them (the carrier would have the contract). Check 
164.506(c)(4) of the August revisions of the Privacy Rule.

Deborah 
Deborah Campbell 
Compliance Coordinator 

Dominion Dental Services, Inc. 
115 South Union Street, Suite 300 
Alexandria, Virginia 22314 

Phn: (703) 518-5000 ext. 3035 
Fax: (703) 518-8849 
Toll Free:  888-518-5338 
Email: [EMAIL PROTECTED] 

******************************************* 
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee.  Access to this email by anyone
else is unauthorized.

If you are not the intended recipient, any disclosure, copying, distribution
or any action taken or omitted to be taken in reliance on it is prohibited
and may be unlawful.

********************************************************************* 



-----Original Message----- 
From: [EMAIL PROTECTED] [ mailto:[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> ] 
Sent: Monday, March 24, 2003 9:25 AM 
To: WEDI SNIP Privacy Workgroup List 
Subject: New to this list, have two questions. 


Hello List, 

I am new to this list, so please be patient with me, if I ask any questions 
that have been addressed repeatedly in the past.  Anyway, I am the HIPAA 
Privacy Officer for a Physician's Group Practice and have just recently 
finished our first round of "Privacy Training and Education" for the group.

Two questions came up that I could not answer specifically: 

       1)   Is there specific direction as to what we can and can not
discuss 
during 
             e-mails between the clinic and patient; and 

       2)   Do we need a contract between Nurse Case Manager's that come in 
to our 
             office to discuss treatment plans with our doctors (that are 
contracted 
             by the Insurance Carrier) and our Physician's Group to satisfy 
"Business 
             Associate Policy" portion of our HIPAA Privacy Rule policies? 

I appreciate any information available.  Also, please let me know if there 
are other 
"List-Serves" that are more specific to "Healthcare Privacy, Security & 
Electronic Transactions." 

Thank You, 
Daryl Ewing, CPC 
RPK Anesthesia, P.A.              

--- 
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board
of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/ <http://snip.wedi.org/tracking/> .   These
listservs should not be used for commercial marketing purposes or discussion
of specific vendor products and services.  They also are not intended to be
used as a forum for personal disagreements or unprofessional communication
at any time.

You are currently subscribed to wedi-privacy as:
[EMAIL PROTECTED] 
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org <http://subscribe.wedi.org>  or send a blank email
to [EMAIL PROTECTED]

If you need to unsubscribe but your current email address is not the same as
the address subscribed to the list, please use the Subscribe/Unsubscribe
form at http://subscribe.wedi.org <http://subscribe.wedi.org> 

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board
of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/. These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and
services. They also are not intended to be used as a forum for personal
disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as
the address subscribed to the list, please use the Subscribe/Unsubscribe
form at http://subscribe.wedi.org 

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board
of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/. These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and
services. They also are not intended to be used as a forum for personal
disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as
the address subscribed to the list, please use the Subscribe/Unsubscribe
form at http://subscribe.wedi.org 

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board
of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/. These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and
services. They also are not intended to be used as a forum for personal
disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as
the address subscribed to the list, please use the Subscribe/Unsubscribe
form at http://subscribe.wedi.org 

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board
of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/. These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and
services. They also are not intended to be used as a forum for personal
disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as
the address subscribed to the list, please use the Subscribe/Unsubscribe
form at http://subscribe.wedi.org 




--- PRESBYTERIAN HEALTHCARE SERVICES DISCLAIMER ---

This message originates from Presbyterian Healthcare Services or one of its
affiliated organizations. It contains information, which may be confidential
or privileged, and is intended only for the individual or entity named
above. It is prohibited for anyone else to disclose, copy, distribute or use
the contents of this message. All personal messages express views solely of
the sender, which are not to be attributed to Presbyterian Healthcare
Services or any of its affiliated organizations, and may not be distributed
without this disclaimer. If you received this message in error, please
notify us immediately at [EMAIL PROTECTED] 

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board
of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and
services.  They also are not intended to be used as a forum for personal
disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as
the address subscribed to the list, please use the Subscribe/Unsubscribe
form at http://subscribe.wedi.org

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org

Reply via email to