Security Q&A: EHR notes, encrypting email, and telehealth security

by Chris Apgar, CISSP

Q: In our pharmacy dispensing system, we can enter free-form notes for certain records such as a patient record, prescription records, and physician records. This field is used to enter notes that are customer service-focused and not treatment- or payment-related in nature. Would these notes be considered PHI, and would record retention requirements apply to these notes?

 

A: The notes entered into a patient record, prescription records, or physician records would be considered PHI. The customer service-focused notes entered into a patient’s medical record, prescription records, or physician records would not necessarily be considered part of the designated record set. However, the notes are related to what would fall under the umbrella of healthcare operations. The notes should be considered PHI and retained for a minimum of six years. It’s a good idea to pay attention to your state’s medical record retention laws because state law may view the notes as a part of the medical record and retention requirements are found in state law.

 

Q: Is it acceptable to send unencrypted email containing PHI provided it’s sent to only the intended recipient and is not accidentally sent to the wrong person? Some staff don’t feel it’s necessary to encrypt emails that are sent to only one individual because they feel it’s easier to check the single email address and less likely that they might accidentally include the wrong person on the email.

 

A: It is not acceptable to send unencrypted email containing PHI even if it’s only to an individual. HHS noted in the preamble to the HIPAA/CLIA bill that the encryption of email containing PHI is a reasonable safeguard and therefore, the only exception that HHS considers acceptable when it comes to the encryption of email is when the individual requests the email not be encrypted and the covered entity has explained to the individual the risks associated with transmitting PHI unencrypted. The email address may be right, but that doesn’t stop hackers from intercepting the email using, among other methods, a man-in-the-middle attack, which would represent a breach of unsecure PHI.

 

Q: Our clinic sends appointment reminders via text message to patients. Patients are given the option to specifically request this be done. They may do this by indicating a preference on the new patient paperwork, on the patient portal, or verbally requesting the change be made. The appointment reminders are not encrypted and include the date, time, and location of the appointment but not the patient’s name. I’m concerned that some patients may not notify us immediately if they change their phone number or someone else may see the messages.

 

A: As long as the patient signed off on it and the risks associated with sending PHI via text message were communicated to patients, sending appointment reminders via text message would not be considered a HIPAA violation. This is similar to sending unencrypted email to patients. There’s a better chance that someone other than the patient will hear the appointment reminder left on an answering machine than a text message sent to a phone number the patient is no longer using. In the end, if the patient signs up for texted appointment reminders, the patient accepts the risk if the wrong person reads the text message.

 

Editor’s note

Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at [email protected].

HCPro.com – Briefings on HIPAA