Published in the December 2005 issue of Today’s Hospitalist
You know that information about your patients is protected under HIPAA, the Byzantine law designed to protect patient privacy, but do you know which of the following scenarios could land you in hot water?
- You send an e-mail to a patient that contains details of his or her care.
- You e-mail a colleague the details of that patient.
- You receive an e-mail from that patient that contains details of his or her care.
The truth is that unless you’re using software that encrypts your e-mail, all three of the above situations could put you on the wrong side of the law. That’s because HIPAA requires physicians and hospitals to protect the contents of all e-mails that contain private patient information. That applies whether you’re on the sending or receiving end of the transaction.
Protected data: a long list
According to Russell Cucina, MD, MS, a hospitalist who is assistant clinical professor of medicine and medical informatics at the University of California, San Francisco, the HIPAA regulation states that covered entities, a term that applies to all health care providers and organizations, may need to use encryption technology whenever they electronically transmit protected health information.
Because HIPAA uses 18 categories to spell out exactly what constitutes protected health information, Dr. Cucina said that the law protects just about any information that would be of interest to outside parties. That includes not only names and dates, he told hospitalists gathered at UCSF’s annual meeting for hospitalists in September, but also references to a patient’s location that are more specific than the state.
“If you write to a colleague and say, ‘Remember that lady from Red Bluff, Calif., we took care of,’ you may have just violated HIPAA,” Dr. Cucina explained. “And if you note that the patient was 81 years old, you may have also violated the law.” He noted that the law applies not only to e-mail sent over the Internet, but also to information transmitted electronically over local networks.
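As an added illustration of the identifier categories described above (this is example code, not something from the article or from Dr. Cucina), the following Python script is a small pre-send check that flags text matching several of those categories (dates, stated ages, locations more specific than a state, ZIP codes, phone numbers, e-mail addresses and record numbers) and decides whether a draft may leave over ordinary e-mail, must go through an encrypted peer, or should be held. The regular expressions, the ENCRYPTED_PEERS domain list and the sample messages are all constructed assumptions; the matcher is a heuristic and does not cover the full HIPAA identifier list.

```python
"""
Heuristic pre-send check for outbound clinical e-mail.

Added example, not code from the article. Flags text that matches several
kinds of identifiers (dates, ages, locations more specific than a state,
ZIP codes, phone numbers, e-mail addresses, record numbers) so a mail
client or gateway can refuse to send such a message unencrypted.
Pattern coverage is a conservative assumption, not a complete HIPAA list.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    category: str   # which identifier category matched
    text: str       # the matched span of the message


# One pattern per identifier category (constructed; deliberately simple).
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    # Calendar dates, numeric (12/03/2005) or written (Dec. 3, 2005)
    "date": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}"
        r"|(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2},? \d{4})\b"
    ),
    # Ages stated in years: "81 years old", "81-year-old"
    "age": re.compile(r"\b\d{1,3}[ -]years?[ -]old\b", re.IGNORECASE),
    # "City, State" references such as "Red Bluff, Calif." or "Red Bluff, CA"
    "location": re.compile(
        r"\b[A-Z][a-z]+(?: [A-Z][a-z]+)*, (?:[A-Z][a-z]+\.|[A-Z]{2})(?=[\s,;.]|$)"
    ),
    # Five- or nine-digit ZIP codes (longer digit runs do not match)
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    # US-style phone numbers, with or without parentheses around the area code
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[ .-]?\d{3}[.-]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # Medical record numbers written as "MRN 1234567" or "MRN: 1234567"
    "mrn": re.compile(r"\bMRN:?\s*\d{5,}\b", re.IGNORECASE),
}

# Constructed placeholder: recipient domains known to be reached through the
# encrypted service (the article's RelayHealth/ZixMail situation).
ENCRYPTED_PEERS = {"secure-mail.example"}


def find_phi_indicators(text: str) -> List[Finding]:
    """Return every span of `text` that looks like a protected identifier."""
    findings: List[Finding] = []
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append(Finding(category, match.group(0)))
    return findings


def route_message(text: str, recipient: str) -> str:
    """Decide how a draft may leave.

    'plain'     : nothing identifier-like was found
    'encrypted' : identifiers found, recipient is reached via an encrypted peer
    'blocked'   : identifiers found and no encrypted route; hold the message so
                  the sender can strip the details or pick up the phone instead
    """
    if not find_phi_indicators(text):
        return "plain"
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in ENCRYPTED_PEERS:
        return "encrypted"
    return "blocked"


if __name__ == "__main__":
    # Constructed sample drafts; the first echoes the article's own examples.
    samples = [
        "Remember that lady from Red Bluff, Calif., we took care of? She was 81 years old.",
        "I admitted one of your patients last night; please check the record system.",
    ]
    for draft in samples:
        hits = [(f.category, f.text) for f in find_phi_indicators(draft)]
        print(route_message(draft, "colleague@clinic.example"), hits)
```

Run as a script it prints "blocked" for the first draft, listing the age and the city reference, and "plain" for the second, which is the kind of content-free notification the article recommends. The second sample passes only because nothing in it is identifier-like; a check of this sort is a safety net for the sender, not a substitute for the encrypted channel.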
While HIPAA obviously requires you to protect patient information when you send e-mail, what happens when patients send you e-mail? Dr. Cucina said that the law clearly states that if you receive an e-mail containing patient information, even if it is unsolicited, it is your job to protect the contents of the message.
“If a patient sends you an e-mail,” he explained, “it is your obligation to store it securely, and if you don’t, it is you who have violated HIPAA. The fact that the patient initiated the e-mail does not exempt you from the requirement. The patient does not have the ability to let you off the hook. The patient has a federal right to privacy, and the patient cannot let you out of it.”
What happens if the message is intercepted on the way to you? “It’s the patient’s responsibility up to the point where the message hits your computer,” Dr. Cucina said. “Once it’s on your computer, however, you are the custodian of the message and it becomes your responsibility.”
So what should you do when you receive an e-mail from a patient that contains patient health information? Dr. Cucina said he takes some simple steps to dispose of the e-mail and to make sure that it doesn’t happen again:
“I write back to the patient and say, ‘It’s great to hear from you and I look forward to talking to you, but please don’t send me any more e-mails.’ Then I delete the e-mail the person sent.”
Once he has deleted the e-mail from his machine, Dr. Cucina said, he has met his obligations under the law. “It’s my responsibility to have it securely stored,” he explained. “Once I delete it from my computer, it’s gone.”
How do patients react to being asked to refrain from sending e-mail? Dr. Cucina said that most people appreciate his concern about their privacy.
“They are pleased that you are being so respectful of their privacy that you wish to speak to them directly,” he explained. “Of course, that means you have to take the time to call them.”
Hospitalists rarely hear from patients via e-mail, but the above principles apply when a primary care physician asks you to send an e-mail providing patient information. Dr. Cucina said that unless both of you are using encryption technology, there’s no easy way to comply with both the physician’s request and the HIPAA regulation.
While Dr. Cucina said that UCSF hospitalists typically page primary care physicians to discuss patients rather than send e-mail, he offered some strategies for communicating via e-mail without risking a violation of the law. If a primary care physician he’s working with has access to UCSF’s medical records system, for example, he might send a message stating simply that he admitted one of the physician’s patients the night before. The primary care physician can then log onto the UCSF system and easily figure out which patient was admitted.
If the primary care physician doesn’t have access to the UCSF system, Dr. Cucina said he might try another approach: “I’ll write, ‘The patient you and I have talked about every day for a week is being discharged today. You’ll see them next week.’ ”
If you want to try a more sophisticated approach, several commercial solutions can help you protect confidential e-mail.
One is offered by RelayHealth, a Web-based e-mail service that Dr. Cucina said is similar to commercial e-mail services like Hotmail or Yahoo, but with an important difference. All e-mail communications that go through RelayHealth are given “industrial strength” security. “It’s as secure as the banking transactions you conduct on a secured Web site,” Dr. Cucina said.
You don’t have to purchase any hardware or software to use this type of system, but the physician you’re e-mailing does have to use the same system to receive a secure e-mail on her computer. If the other physician does not belong to RelayHealth, the service alerts her that she has an e-mail waiting for her and gives her the information she needs to log into the system as a guest.
Dr. Cucina added that services like RelayHealth offer another important feature: They let you forward e-mails about your patients to other physicians who also use the service.
“If you’re a Relay customer,” Dr. Cucina said, “you can say, ‘I’m off service now and my colleague, Dr. Smith, will take care of these patients.’ All of your RelayHealth e-mails will then go to that colleague.”
RelayHealth is offered as a solution for groups, not individual physicians. Another service called ZixMail uses a similar approach to protect sensitive e-mail, but it is geared to individual users. (The service costs less than $25 a year.)
Like RelayHealth, ZixMail allows you to send e-mail to physicians outside of the system. That physician has to go to the ZixMail Web site to open the mail.
While RelayHealth and ZixMail can help you meet HIPAA’s privacy regulations, Dr. Cucina said that both systems have some drawbacks.
“The first couple of times you send a message to a primary care physician who isn’t using ZixMail,” he explained, “you’re going to get a call asking what you did and if the e-mail is a virus. People may be afraid to open the message because they think it’s spam.”
And while ZixMail is easier and less expensive to set up than RelayHealth because it is geared toward individual users, the system lacks some of the functionality of RelayHealth. If you’re going off service, for example, ZixMail does not allow you to designate the physician who’s on service and have incoming e-mail forwarded to that person.
The bottom line, Dr. Cucina said, is that all of these systems work better when everyone in the group is using the same system. To really comply with HIPAA, he added, physicians need to focus on big-picture solutions.
“I would suggest that if you can’t use regular e-mail,” he said, “ask your medical group or hospital what they are doing and how they can support you in complying with HIPAA and keeping out of trouble, but still letting you use e-mail to help manage patient data.”
Edward Doyle is Editor of Today’s Hospitalist