
E-mail has become a very common form of communication in the health care industry and is used more and more frequently. Many people do not realize that it is a very powerful communication tool and a two-way street. People initiate and receive E-mail on a regular basis, whether at home or at work. Because of this, more and more doctors now permit patients to ask for an appointment or a medication refill by E-mail.

With E-mail use more common in today's world, more problems related to that increased use have been diagnosed:

  • E-mail use is similar to having a home phone - more than one person may open the E-mail on a shared E-mail account (spouse, child, roommate, officemate);
  • E-mail may be left open on someone's computer when they walk away and do not shut down their system. Anyone walking by may read the E-mail;
  • E-mail transports computer viruses;
  • E-mail can be easily broadcast to a large number of unintended recipients by mistake;
  • Much like paper mail delivered to the United States Postal Service, once an E-mail is sent it cannot be called back or stopped from reaching its destination;
  • When sent over the Internet, E-mail travels through various networks, electronic locations and many interconnected electronic pathways before it is delivered to its intended recipient, such as:
    • Local loop;
    • Cable modem;
    • Broadband technologies;
    • Metropolitan area networks; and
    • Wireless networks.

While there are a number of problems and concerns with E-mail, you must remember that there is a difference between business E-mail and clinical E-mail. Also, some E-mail is computer generated and some is initiated by a person. Many of the E-mails you receive if you purchase from a catalog are computer generated. With the E-mail and electronic medical record technology available today in health care, you may find a computer-generated E-mail telling you that it is time to renew a prescription.

Many people don't realize that this type of information is covered under HIPAA. Because it is covered under HIPAA, the proper precautions need to be taken to ensure this information stays secure and confidential.

One covered entity had a computer infected by a virus. The virus initiated the distribution of patient information, including a patient's diagnosis, to E-mail addresses it found in the computer's address book. This problem is both a HIPAA security issue, as the patient information was mis-sent electronically, and a HIPAA privacy problem, as it disclosed patient information improperly.

One of the ways to ensure security and confidentiality is to encrypt the information contained in all E-mails. Keep in mind that the HIPAA security rule does not require encryption. While the health care industry had hoped that the rule would provide some direction on encryption, the rule says nothing about technology, processes or a level of encryption.

The HIPAA security rule does define encryption as "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key."

However, the only technical solution that we have to protect the confidential information that we send over the Internet in an E-mail is encryption. If you put a wrong name in the E-mail TO: line, or if a hacker manages to pick your E-mail out of the electronic stream, you want the confidential information connected to that E-mail to be protected!

HIPAA has increased awareness regarding the problems of sending confidential information across the Internet. This need to protect confidential medical information has encouraged the technology industry to provide E-mail encryption protection solutions for networks and on desktop computer systems. Today, secure E-mail encryption technology is available through a standard web browser on many desktop computers.

For E-mail encryption to be a useful tool, it must be easy for both the sender and the receiver to use, and it must have a useful audit capability.

If you are sending confidential medical information in an E-mail, consider using any and all encryption help your office provides. If you do not know what encryption options are available, ask your technology staff what E-mail encryption help you have on your network or desktop computer and how to use it. Encourage your office to write a one-page E-mail encryption 'To Do' sheet for everyone to keep for an easy refresher.

Keep in mind that if your office has E-mail policies and procedures in place, you will need a copy for your own use. The policy may simply state that confidential information may not be transmitted by E-mail unless the sender is using a secure E-mail system.

If you do not have a copy, you should request one and ask that it be posted where all your coworkers will be able to find it when they need to.


Written by Susan A. Miller, JD, COO and CPO of HealthTransactions.com, consultant to Blue Cross and Blue Shield Association