HIPAA: Round Two
The Security Rule associated with the Health Insurance Portability and Accountability Act (HIPAA) is effective April 21. The HIPAA Privacy Rule was effective two years ago and applied to all forms of protected health information (PHI). The Security and Privacy rules are closely related, but the Security Rule applies to PHI maintained or transmitted in electronic forms only.
Leading up to April 21, all staff are required to complete the proper training. Online self-administered training can be found on www.bwhpikenotes.org. Click on “compliance corner” on the left of the homepage, then select “HIPAA” in the left navigation to reach the HIPAA Security Training Slides. The HIPAA page of the intranet site also contains helpful background information on what is considered electronic protected health information (ePHI).
Identifiable health information may be shared among caregivers for the purposes of treatment, payment, or health care operations. Health care operations include QA/QI, utilization review, disease management, credentialing, and auditing. Any other use or disclosure of PHI (e.g., research, marketing, etc.) requires the written authorization and consent of the patient.
Emails containing PHI should be limited to instances of absolute necessity. Determine the following:
• Has the patient authorized you to communicate with them or a family member via email?
• Has all extraneous information been removed from the content of the message?
• Has the PHS disclaimer been linked to your outgoing messages?
• Have you password protected your files?
An email is NOT protected once it goes beyond the BWH firewall. Include the PHS disclaimer on your outgoing messages. For information on email use, refer to the Clinical Email Guidelines in the BWH Administrative Policy Manual. Also, clinician-to-clinician email used to communicate patient-identifiable information should be agreed upon in advance by both parties and must comply with the clinical email guidelines.