Emailing Protected Health Information (PHI)

Subject: Emailing Protected Health Information (PHI)
Effective Date: December 2015

Purpose

To guide faculty, staff, and students on the use of electronic communications with external third parties such as dental/medical clinics, hospitals, and individuals.

General Policy

The University of Washington School of Dentistry (UWSOD or School) prohibits the e-mailing of protected health information (PHI) to external recipients unless the exchange is encrypted or meets qualifying conditions, detailed below.

Background

Email is a convenient, effective, and highly popular means of communication between faculty, staff and students at the UW School of Dentistry and external third party organizations and individuals.

Privacy of patient records is protected by state confidentiality law and by HIPAA. The physical and electronic records belong to the School. The Associate Dean of Clinical Services or designee is the official record custodian for the School, and Patient Services assigns patients to the appropriate care provider during care and consultation activities.

The electronic communication guidelines outlined in this policy must be followed by anyone at the School who communicates PHI with a third party or private individual. Failure to follow the policy may result in disciplinary or corrective action.

Implementation

I. Definitions

A. Protected Health Information: A subset of individually identifiable health information maintained in health records and/or other clinical documentation in either paper-based or electronic format.

B. Third party organization whose email domain is on UW Medicine’s Approved List. UW Medicine maintains a list of approved email domains that they have verified will support mandatory email encryption with uw.edu addresses. See Appendix A for a list of approved email domains.

C. Third party organization whose email domain is not on UW Medicine’s Approved List. Any third party whose email domain is not on the UW Medicine list of approved email domains. Sharing PHI with such entities may result in a loss of patient privacy.

D. Private Individuals. Any member of the lay or professional public, i.e. patients or their representatives.

II. Communication Technology Components

A. UW SoD Email Service. The email service that is currently in production at the UW School of Dentistry.

B. Secure Messaging. An online messaging service that enables secure transmission of information between a UW School of Dentistry user and a third party.

C. Electronic signature capture. A technology integrated into a workflow to capture electronic signatures from an individual or organization.

III. Usage Guidelines

This policy clarifies the following section of the SoD’s Compliance Handbook, page 11, under the header “Email”, which reads: “Emailing PHI: Emailing confidential information, including protected health information (PHI), requires encryption. Confidential information, including PHI, may not be sent between UW School of Dentistry workforce members and non-UW School of Dentistry workforce members without special encryption safeguards in place. Please contact IT & Computer Support before engaging in this type of communication.” It is no longer necessary to contact IT & Computer Support provided the user follows the appropriate standard listed below.

A. Communicating with third parties such as private practices, insurers, vendors, or other dental care professionals.

Each item below gives a statement of the rule, followed by its rationale.

1. Statement: Email must not be used to communicate any patient information, text, or images, with third party organizations whose domain is not on the UW Medicine approved list.
   Rationale: When sent to most third parties, regular email contents and attachments are sent in clear text, unencrypted.

2. Statement: Email can be used to communicate securely with any of the approved third party email domains documented by UW Medicine IT Services in their Approved Email Domains list (Appendix A).
   Rationale: UW Medicine has confirmed that these documented email domains are safe for sending PHI using email.

3. Statement: Patient information/imaging upload portals (e.g. eMix) may be put in place by third party providers for the purpose of sharing patient information. These systems may be used by a SoD department with the approval of a SoD Department Chair, the Director of Compliance and the Director of IT.
   Rationale: When approved, these systems are effective and highly viable alternatives to standard email.

4. Statement: For any mail domains not documented as safe by UW Medicine IT Services, email communication with third parties must take place in a HIPAA compliant manner.
   Rationale: The UW School of Dentistry will provide a secure messaging solution that can be licensed and installed on a per user basis and used to establish secure messaging channels with third party providers. Secure messaging solutions provided by the School of Dentistry must be used when sending PHI to third parties whose email domain is not on UW Medicine’s Approved List.

5. Statement: Images containing patient information that have been exported from UW SoD PACS systems (e.g. MiPACS, Dolphin, etc.) to a PC or other device for the purpose of emailing or uploading to a third party provider should be deleted as soon as possible after the communication has taken place.
   Rationale: Storing medical images on a PC or other device increases risk.

6. Statement: SoD users should not forward their uw.edu email to any third party service (such as Gmail or Hotmail), unless the domain is on the UW Medicine list of approved domains.
   Rationale: Consumer email solutions do not adequately protect PHI.


B. Communicating with Private Individuals such as patients

Each item below gives a statement of the rule, followed by its rationale.

1. Statement: Secure e-mail communication with individuals, either through an encrypted application or between secure domains (as mentioned above), is permitted.
   Rationale: Secure messaging is the safest form of electronic communication. Using your professional judgment, take reasonable steps to confirm the identity of the individual, and keep the amount of information you share to the minimum necessary. Electronically copy and paste exchanges into the patient’s axiUm chart in Treatment Notes.

2. Statement: In cases where you or the individual initiate e-mail contact to discuss details related to their care, include the following language to warn the patient that e-mail over the internet is not secure, then note this in the patient’s axiUm record.
   Rationale: Include the following language under your signature in any e-mail you send to patients:

   “The above email may contain patient identifiable or confidential information. Because email is not secure, please be aware of associated risks of email transmission. If you are a patient, communicating to a UW School of Dentistry provider via email implies your agreement to email communication.

   The information is intended for the individual named above. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please notify the sender by reply email, and then destroy all copies of the message and any attachments. See our Notice of Privacy Practices at https://dental.washington.edu/wp-content/media/compliance/SoDPrivacyPractices.pdf.”

   Federal guidelines for using email with patients are outlined in Appendix B.

3. Statement: Clear statements regarding the risks of email and the option to capture electronic or paper-based consent must be readily available on the SoD website and at each patient clinic.
   Rationale: Consistency of experience.

Appendices:
Appendix A, UW Medicine Approved Email Domains
Appendix B, HIPAA Guidelines re Emailing Patients

Approved by the Dean of UW SoD:
Joel Berg, Dean of the UW School of Dentistry
Date: December 21, 2015

APPENDIX A
UW Medicine Approved Email Domains

APPENDIX B
HIPAA Guidelines re emailing patients