
Emails and HIPAA Violations: Small physician practices are not immune to OCR investigation.

Many providers transmit their patients’ Protected Health Information (“PHI”) in unsecured e-mail. Through audits, some providers have discovered that their employees routinely put patient PHI in both the subject line and the body of e-mails sent internally and externally. These providers are exposed to HIPAA violations whenever an employee sends an e-mail containing PHI to the wrong external address, sends it to the internal address of a person who should not have access to the information, or relies on the provider’s firewall, which protects the network perimeter but does nothing for a message once it leaves, to protect the PHI in transit.

Providers would be well advised to instruct their employees never to put PHI in the subject line of e-mails (subject headers generally travel in cleartext even when the body is encrypted), to limit PHI in the body of e-mails as far as possible, and to ensure that e-mails containing patient PHI are sent through an encrypted system, preferably one using at least 128-bit encryption.

State regulators determined that a Redding hospital owned by Prime Healthcare Services Inc. violated patient confidentiality by sharing a woman's medical files with journalists and sending an email about her treatment to 785 hospital workers.

Here is an example. As you know, teaching hospitals are subject to regulations regarding resident work hours. The residents are reduced to being production-line shift workers. They have precious few hours that are not occupied by teaching conferences, rounds, meals, looking up lab results on archaic computers, typing notes, etc., in which to actually see patients. The combination of these time pressures and the odd schedules that result from the work-hour restrictions limits the residents’ ability to communicate face-to-face about their patients.

Bucking the trend, the residents (bless their idealism) still seem to think that patient care comes first. In this situation, communication is the problem and some residents have found readily available and effective solutions: Facebook, Twitter, and text messages.

You can imagine the reaction when the administrators discovered what was going on. A directive immediately went out to all service chiefs instructing them to chastise the residents and admonish them "not to do it again." What about the obvious need? What about the patients? Forget that stuff, the top priority is to avoid a HIPAA violation.

My first reaction was different. I saw in this example a new and important requirement that could be satisfied by a bit of technology and simultaneously reinforce the residents’ comprehension of HIPAA. I started searching for ready-made solutions.

I found several. The first, the organization already has available: the Cisco Registered Envelope Service (CRES). This service allows businesses to send HIPAA-compliant encrypted messages by simply inserting "[SECURE]" at the beginning of an e-mail subject line. If the recipient is a member of the organization, reading the encrypted mail is transparent. If the recipient is external, they get a link to CRES, where they can read (and reply to) the message.
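The three practices described so far (no PHI in the subject line, encrypt when PHI is in the body, and a "[SECURE]" subject tag as the encryption trigger) amount to an outbound-mail policy that can be checked mechanically. The following is an added example in Python, not code from the original post and not part of CRES or any other product; the PHI indicators, the addresses and the sample messages are all constructed for illustration, and a real deployment would use a far broader set of detectors.

```python
"""Outbound e-mail policy check (added example, constructed data).

Decision rules, in order:
  block   - PHI appears in the Subject header, which is never encrypted
  hold    - PHI appears in the body but the "[SECURE]" tag is missing
  encrypt - PHI in the body and the tag is present: hand off to the encrypting gateway
  allow   - no PHI indicators found
"""
import re
from email import message_from_string

# Constructed PHI indicators. Real DLP rules would also cover patient names,
# account numbers, diagnosis codes, etc.; three patterns suffice to show the logic.
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN[:# ]*\d{6,10}\b", re.I),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)[: ]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
}
SECURE_TAG = "[SECURE]"  # subject-line trigger as described for the gateway above


def find_phi(text):
    """Return the sorted names of PHI patterns that match `text`."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text or ""))


def body_text(msg):
    """Collect all text/plain parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                parts.append(payload.decode(charset, "replace"))
    return "\n".join(parts)


def evaluate(raw_message):
    """Apply the policy to one RFC 822 message; return (decision, reason)."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    subject_hits = find_phi(subject)
    body_hits = find_phi(body_text(msg))
    tagged = subject.lstrip().upper().startswith(SECURE_TAG)

    if subject_hits:
        return "block", "PHI in subject line (%s); headers are not encrypted" % ", ".join(subject_hits)
    if body_hits and not tagged:
        return "hold", "PHI in body (%s) but no %s tag; notify sender" % (", ".join(body_hits), SECURE_TAG)
    if body_hits:
        return "encrypt", "PHI in body (%s) and %s tag present" % (", ".join(body_hits), SECURE_TAG)
    return "allow", "no PHI indicators found"


# Constructed sample messages (hypothetical addresses and identifiers).
SAMPLES = {
    "subject_phi": (
        "From: resident@example.org\nTo: attending@example.org\n"
        "Subject: MRN 00123456 potassium 6.1, please advise\n\n"
        "Can you call me about this patient?\n"
    ),
    "untagged_body_phi": (
        "From: resident@example.org\nTo: consult@example.org\n"
        "Subject: Consult request\n\n"
        "Patient SSN 123-45-6789, admitted overnight, needs renal consult.\n"
    ),
    "tagged_body_phi": (
        "From: resident@example.org\nTo: clinic@example.org\n"
        "Subject: [SECURE] follow-up appointment\n\n"
        "DOB: 04/12/1961, please schedule follow-up within two weeks.\n"
    ),
    "clean": (
        "From: chief@example.org\nTo: residents@example.org\n"
        "Subject: Noon conference moved\n\n"
        "Conference is in room 3 today.\n"
    ),
}


def run_policy(samples=SAMPLES):
    """Evaluate every sample; return {name: decision}."""
    return {name: evaluate(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        decision, reason = evaluate(raw)
        print("%-18s %-8s %s" % (name, decision, reason))
```

The ordering matters: a message is blocked for PHI in the subject even if it carries the "[SECURE]" tag, because tagging encrypts the body, not the header. The "hold" outcome is where the residents' Facebook-and-text workaround would be caught early: the sender is told how to send the message properly instead of being left with no approved channel.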

So why didn't the residents use this encrypted e-mail instead of resorting to Facebook? Answer: They are not given organizational e-mail accounts. There are over 1000 residents, rotators, and volunteer attendings and no doubt the management overhead is considered to be prohibitive. Frustrated, and with no approved method available, residents will do what needs to be done — "damn the torpedoes."

The second solution that I found is called Hushmail. It is similar to CRES, but it is free (or inexpensive). It is even easier to use with new or occasional recipients, since it requires no registration on their part; it merely asks them a secret question. You can provide the answer, or a clue, in a separate message before sending the encrypted material.

Hushmail is slick and the provider is very responsive. You might find it useful at your medical practice, either on a regular basis or as a gentle on-ramp to exchanging e-mail with patients and colleagues. Just remember to tick the "encrypted" checkbox when you reply to a reply, until they get that automated.

This simple example illustrates that complying with regulations has come to take precedence over the patient. Perhaps my emphasis on the patient is quaintly outdated. This may have been prescient in 1978, when Samuel Shem wrote, in "The House of God":

"Sit down!" said Fats. "What are you talking about, chart rack?"

"Aren't we going on work rounds?" asked the BMS.

"We are, right here."

"But… but we're not going to see the patients?"

"In internal medicine, there is virtually no need to see patients. Almost all patients are better off unseen. See these fingers?"

We looked carefully at the Fat Man's stubby fingers.

"These fingers do not touch bodies unless they have to... I've seen enough [patients…], to last me the rest of my life."

If this is a more correct view, it's convenient because, as things are going, after complying with all the regulations there will be no time left in which to see or touch the patients anyway.

Got to go now… they tell me I've already kept the next patient waiting too long.