GUIDANCE October 31, 2008



Similar documents
SECURE User Guide

Electronic Communication In Your Practice. How To Use & Mobile Devices While Maintaining Compliance & Security

Secure Management Guide. June 2008

PHI- Protected Health Information

Additional Information

Bank of Hawaii Protecting Confidential . What's in this User Guide

Secure Frequently Asked Questions

Executive Vice President of Finance and

COLUMBIA UNIVERSITY USAGE POLICY

This document provides a brief, end-user overview of the Cisco Registered Envelop Service which has been implemented by Sterne Agee.

STATEMENT OF PURPOSE:

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

Background Information

How To Access A Secure From The State Of Iceland

Bank of Hawaii Protecting Confidential

Technology Standard. Electronic Communications Standard PURPOSE SCOPE APPLICABILITY

CONFIGURATION AND SETUP USER GUIDE AND REFERENCE MANUAL

Matrix Technical Support Mailer - 72 Procedure for Image Upload through Server in SATATYA DVR,NVR & HVR

POLICIES & PROCEDURES

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

HIPAA SECURITY AWARENESS

Regions Secure Webmail. Instructions

Training sessions on the various communication methods will be made available at least once yearly. Guidelines

Secur User Guide

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

Medical Privacy Version Standard. Business Associate Agreement. 1. Definitions

PCI Data Security. Information Services & Cash Management. Contents

E-Book Text Messaging & HIPAA Compliance

Glenmeadow, Inc. Terms and Conditions of Use Legal Notices/ Privacy Policy

Secure transmission of Protected Health Information (PHI)

How To Use The Gtokus Secure Mail System

THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) EMPLOYEE TRAINING MANUAL

Secure Mail Registration and Viewing Procedures

Department of Alcohol & Drug Programs. Information Management Services Division (IMSD) ENCRYPTION INSTRUCTIONS

UC Irvine Health Secure Mail Message Center

GETTING STARTED SECURE FILE TRANSFER PROCEDURES A. Secure File Transfer Protocol (SFTP) Procedures

Policies and Procedures for Electronic Protected Health Information (ephi) and Personally Identifiable Information (PII)

TOURO UNIVERSITY WORLDWIDE AND TOURO COLLEGE LOS ANGELES IDENTITY THEFT PREVENTION POLICY 1.0 POLICY/PROCEDURE 2.0 PURPOSE 3.0 SCOPE 4.

Secure Information for Sending and Receiving for both DIDD Staff and Providers or Other Outside entities.

SendSafe Secure

Secure Client User Guide Receiving Secure from Mercantile Bank

IRB, HIPAA, and Clinical Research

CISCO SECURE MAIL. External User Guide. 1/15/15 Samson V.

How to sync Office 365 with Gmail

Must score 89% or above. If you score below 89%, we will be contacting you to go over the material individually.

8.03 Health Insurance Portability and Accountability Act (HIPAA)

Secure Client Guide

APPENDIX 1: Frequently Asked Questions

File: IJNDC-1 WEBSITE PRIVACY POLICY

Acceptable Use of ICT Policy For Staff

Information Systems Security Policy

MISSISSIPPI DEPARTMENT OF HEALTH COMPUTER NETWORK AND INTERNET ACCESS POLICY

standards, protocol and guidance

Secur User Guide

PINAL COUNTY POLICY AND PROCEDURE 2.50 ELECTRONIC MAIL AND SCHEDULING SYSTEM

DocuShare Agent User Guide

UNIVERSITY OF MASSACHUSETTS RECORD MANAGEMENT, RETENTION AND DISPOSITION POLICY

HIPAA Security Education. Updated May 2016

STATE OF WYOMING Electronic Mail Policy

Secure User Guide

Pennsylvania Department of Public Welfare. Bureau of Information Systems OBSOLETE. Secure User Guide. Version 1.0.

FTA Computer Security Workshop. Secure

PATIENT REGISTRATION FORM

Authorized. User Agreement

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

End-User Reference Guide

End-User Reference Guide

ACRONYMS: HIPAA: Health Insurance Portability and Accountability Act PHI: Protected Health Information

Table of Contents. Acknowledgement

ILHIE Direct Secure Messaging Solution

End-User Reference Guide

Hamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004)

Secure file transmission of PHI, RHI and sensitive information

SENDING HIPAA COMPLIANT S 101

University of Tennessee's Identity Theft Prevention Program

University of Cincinnati Limited HIPAA Glossary

Table of Contents. Chapter No. 1. Introduction Objective Use Compliance Definitions Roles and Responsibilities 2

GME Policy #: PURPOSE

HIPAA And Public Health. March 2006 Delaware s Division of Public Health 1

Federal Trade Commission Privacy Impact Assessment for:

University Healthcare Physicians Compliance and Privacy Policy

ITS Policy Library Use of . Information Technologies & Services

Memorandum. 1. Introduction

When HHS Calls, Will Your Plan Be HIPAA Compliant?

MSI Secure Mail Tutorial. Table of Contents

Ferris State University

Client Security Risk Assessment Questionnaire

Privacy for Beginners: What Every Healthcare Worker Needs to Know About HIPAA and Privacy

Evolution of HB 300. HIPAA passed in 1996 Originally, HIPAA only directly impacted certain covered entities :

DETAILED NOTICE OF PRIVACY AND SECURITY PRACTICES OF THE Trustees of the Stevens Institute of Technology Health & Welfare Plan

Sanford Health Plan. Electronic Remittance Advice 835 Transaction Companion Guide Trading Partner Information

Basic E- mail Skills. Google s Gmail.

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

My Docs Online HIPAA Compliance

policy and practice

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

HIPAA Security Training Manual

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

Transcription:

The University of Chicago Medical Center (UCMC) supports the timely e-mail communication of protected health information (PHI) to promote patient health and safety and efficient customer service while balancing the need for patient privacy. As such, e-mail communication involving PHI is allowed only under specific circumstances, and shall occur according to UCMC guidelines. At this time, UCMC does not have an organizational-wide secure e-mail messaging system for e-mail communication sent outside UCMC. E-mail sent via the Internet or other unsecure means can be intercepted and read by individuals other than the intended recipient. This poses a risk to our patients and UCMC. UCMC and BSD departments may contact the Chicago Biomedicine Information Services (CBIS) Department at 2-3456 for information on establishing a secure method for transmitting sensitive information via email. Such approved methods include Virtual Private Network (VPN), Secure File Transfer Protocol (sftp), and the WebShare Service (See link #1 on page 5) available from the University of Chicago Networking Services & Information Technologies (NSIT). NOTE: Guidelines for communicating with patients via e-mail exist as well (See link #2 on page 5). GENERAL GUIDELINES FOR SENDING PHI IN E-MAIL # 1. What e-mail account can I use? 2. To whom can I send e- mail messages that contain PHI? 3. Can I e-mail UCMC patients? 4. Can I e-mail PHI to individuals or entities outside the UCMC and BSD e-mail systems? Only use your UCHospitals, BSD, or departmental e-mail address. Do not send PHI to or from your Hotmail, Yahoo or other personal e-mail account. Only send e-mail to individuals/entities directly involved with the specific content of the e-mail. This includes: Other faculty and staff at the Medical Center (only to e-mail accounts noted in question #1 above). External entities (e.g. collection agencies, insurance companies) ONLY when using an UCMC approved secure e-mail solution. Non-UCMC physicians involved in the care of the patient ONLY when using an UCMC approved secure e-mail solution. UCMC patients according to specific instructions (See link #2 on page 5). Yes, but you must follow specific guidelines. View the E-mail Communications: Between UCMC Providers and Patients guidelines (See link #2 on page 5). Yes, but only under specific conditions. Except for communicating with UCMC patients after the specific guidelines are followed, secure methods (e.g. sftp, VPN, WebShare See link #1 on page 5) must be used. Contact the CBIS Department for assistance. http://hipaa.bsd.uchicago.edu Page 1

# 5. What can I put in the subject line? 6. What can I include in the text (body of the e-mail)? 7. Do I need a special disclaimer in my signature? Do not use patient-specific information such as the patient s name, initials, or medical record number in the subject line of the e-mail. This applies to sending e-mail internally and externally. However, patient initials or patient encounter numbers can be used for billing questions/matters when sending e-mail within the UCMC/BSD e-mail system. Limit e-mail containing PHI to the minimum necessary information to meet the intended purpose and direct only to individuals with a need-toknow. Include the UCMC approved disclaimer on all e-mail messages. For instructions on adding this information to your e-mail messages automatically, please contact the CBIS Department or your Information Services Help Desk. This e-mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged and confidential. If the reader of this e-mail message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is prohibited. If you have received this e-mail in error, please notify the sender, delete the e-mail, and shred all hard copies of the transmittal. Thank you. An additional disclaimer is recommended when sending e-mail to UCMC patients see separate guideline document (See link #2 on page 5). 8. What should I check before sending the e-mail message? 9. Who should I contact if I need to use a secure solution to send PHI? 10. How do I send an e- mail with a secure file attachment containing PHI if the recipient doesn t have the means to receive a secure file? Verify that you have attached the correct document containing PHI (e.g. letter, clinic note, spreadsheet, report). Check that all address fields (e.g. to, cc, and bcc ) reflect the correct individuals who will receive the message. Contact the CBIS Department at 2-3456 for assistance. You should not send the file via unsecure email. You should: a) Burn the file on a CD, password protect the files, mail the CD, and then call the recipient and provide the password (do not e- mail the password); b) Fax materials per the faxing guidelines (See link #3 on page 5); or c) Use the WebShare service available through NSIT. http://hipaa.bsd.uchicago.edu Page 2

The following are situation based questions and answers to help you apply the guidelines. E-Mail Communications Within UCMC/BSD If I am a UCMC employee can I send an e-mail containing PHI to a BSD employee? Yes, as long as the e-mail originates from the UCMC e-mail server and is transmitted to the BSD employee s BSD e-mail address. Only provide the minimum amount of information necessary to fulfill the purpose of the e-mail. If the e-mail communication continues back and forth for a few e-mails, it is best to phone the individual to discuss the details. The answer is the same if a BSD employee wants to send an e-mail containing PHI to a UCMC employee. Can I put the patient s name in the subject line of the e-mail? Can I send PHI to UCMC Legal Affairs or Patient Safety? What should I do if I receive an e-mail containing PHI in error? In order to maintain patient confidentiality, you should not put the patient s name in the subject line of the e-mail. As an alternative, you can put the words patient specific information. Yes, individuals can send PHI as long as the general guidelines are followed. Send a reply e-mail to the sender noting that you received the e-mail in error and that the sender should check that he/she has the correct e-mail address for the individual who should have received the message. Before replying to the sender, strip the content of the e-mail to avoid any further errors. Notify the HIPAA Program Office at 4-9716 of the error for appropriate follow up. http://hipaa.bsd.uchicago.edu Page 3

E-Mail Communications With External Entities (e.g. Vendors, Insurance Companies) I need to send an Excel Spreadsheet containing PHI to a collection agency, but I don t have encryption. What should I do? Can I respond via e-mail to a health plan s e-mail requesting dates of service and medical treatment information on specific UCMC patients? You can: 1. Use the WebShare Service (See link #1 on page 5) available through NSIT; or 2. Burn the spreadsheet to a CD, password protect the file, mail the CD, and then call the recipient and provide the password to the file; or. 3. Fax the spreadsheet according to the UCMC faxing guidelines (See link #3 on page 5). No. Even though the health plan initiated the e-mail, you should not respond using unsecure e-mail. Contact the health plan via phone to communicate the information. E-Mail Communications Between UCMC Provider and Non-UCMC Providers I need to send an Excel Spreadsheet file containing research data containing PHI to a collaborating researcher at Johns Hopkins University, but I don t have encryption. What should I do? Can I respond via e-mail to a patient s primary care physician s (PCP) unsecure e-mail requesting my opinion after I saw the patient in clinic on a referral basis? Do I need to use a secure e-mail messaging solution to e-mail a general narrative describing a patient and a photographic image to a Non- UCMC physician for his case study presentation at a national conference attended by physicians and researchers? You can: 1. Use the WebShare (See link #1 on page 5) service available through NSIT; or 2. Burn the spreadsheet to a CD, password protect the file, mail the CD, and then call the recipient and provide the password; or 3. Fax the spreadsheet according to the UCMC faxing guidelines (See link #3 on page 5). No. Even though the PCP initiated the e-mail, you should not respond using unsecure e-mail. Contact the PCP by phone to communicate the information and follow up the conversation with a letter/note. No. As long as the narrative doesn t contain patient specific information or the case is not so unique that a reasonable person could identify the patient AND any identifiable information on the photograph (e.g. patient name, medical record number) is removed and physical features (e.g. eyes) are blacken out or distorted. However, if PHI is being used, you should transmit the information using a secure messaging solution (e.g. encryption) only after a written patient authorization is obtained. http://hipaa.bsd.uchicago.edu Page 4

Links Referenced in this Document 1. NSIT s Webshare Services Summary Document: http://hipaa.bsd.uchicago.edu/nsit_webshare_services_summary20080215_final.pdf 2. E-mail Communications Guidelines: Between UCMC Providers and Patients: http://hipaa.bsd.uchicago.edu/email_and_phi_guidelines_provider_patient_grid.pdf 3. Faxing Patient Information Guidelines http://hipaa.bsd.uchicago.edu/quick_ref_guide_5.html http://hipaa.bsd.uchicago.edu Page 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information