JUNE 2003
Volume 27 No. 6

Policy on fax, e-mail protects privacy

The recent implementation of the Health Insurance Portability and Accountability Act and the heightened concern about safeguarding patient information have prompted Stanford and other health-care organizations to examine how faxes and e-mails are used. Based on such an evaluation, Stanford Hospital & Clinics and Lucile Packard Children's Hospital have established policies to ensure that the use of faxes and e-mail does not violate the confidentiality of patients' protected health information.

Andrew Newman, chair of SHC's Health Information Management Systems committee, noted that the hospital's goal is to achieve a workable balance between protecting patients' health information and allowing health-care organizations and patients to continue using technologies that facilitate the exchange of information.

"It's important that we maintain the privacy of patients' information without making the use of these technologies so cumbersome that people won't want to use them," Newman said. He noted that "e-mail is clearly going to play a much larger role in physicians' practice in the future, as patients increasingly want that access."

The policies on faxing and e-mail will likely evolve over time, Newman explained, as the hospital evaluates the implementation of technology infrastructure - such as secure servers - that could further facilitate the protection of patient information.

Guidelines for e-mail:
When using e-mail to communicate with patients, remember these general principles:

Physician-patient e-mail must be done with the patient's consent.

Expectations, risks and limitations associated with e-mail use must be clearly communicated to the patient.

All health-related e-mail must be sent to Health Information Management Services for inclusion in the patient's record.

Procedures for communicating with patients by e-mail:

Physicians may offer e-mail communication to any patient at least 18 years old or the parent or guardian of a minor. Physicians may e-mail minors in situations where the minor can consent to the treatment under discussion (e.g., pregnancy or sexually transmitted diseases).

The provider and patient should ideally communicate through an IT-approved secure e-mail server using encryption technology, but many commercial and hospital e-mail systems do not offer this level of protection. For information on establishing an account on a secure server, contact Scott Blanchette, SHC chief security officer, at (650) 724-9207 or sblanchette@stanfordmed.org.

If a secure e-mail server is not used, the physician must first obtain the patient's consent to communicate by e-mail. This is required even if the patient initiated the correspondence with an unsolicited e-mail to the physician.

To obtain patient consent for e-mail correspondence, e-mail or give the patient a copy of SHC's e-mail consent form, which can be accessed at http://intranet-medcenter.stanford.edu/shc/hipaa/HIPAAForms.html. Have the patient sign and return the form, or the patient may e-mail it back as an indication of consent.

E-mail should not be used for sensitive or urgent matters. Topics appropriate for e-mail include appointment scheduling, routine follow-up inquiries and questions about prescriptions.

Set realistic expectations with patients regarding the amount of turnaround time to expect for e-mail. Encourage patients to follow up by phone if the expected e-mail turnaround time is exceeded.

If you will be on vacation or otherwise unable to use e-mail for a period of time, indicate this in an automatic reply.

Under state law, e-mail cannot be used to communicate lab results unless the correspondence is through a secure server. And, e-mail can never be used to convey the results of certain tests - namely, tests related to HIV status, sexually transmitted diseases, presence of a malignancy and mental health or drug abuse issues.

Patient-identifiable information should not be forwarded to a non-clinician third party without the patient's prior consent.

In the subject heading, do not use the patient's name, medical record number or other specifics. Use general headings such as "prescription" or "appointment."

The patient's name and medical record number should be included in the body text to facilitate inclusion into medical records.

Do not send blind copies or group e-mails where recipients are visible to each other.

Always copy e-mail correspondence to medical records, at shc-medrec@stanfordmed.org (for adult patients) or lpch-medrec@stanford.org (for pediatric patients) to ensure inclusion in the patient's record. Or, print a copy and send it to medical records.

Guidelines for faxing:
Faxing protected health information should be limited to circumstances where the information is needed immediately and more secure transmission methods are not feasible.

PHI sent by fax should be limited to the minimum necessary to accomplish the intended task.

Under California law, faxing cannot be used to communicate sensitive information to a patient, such as information about alcohol/drug abuse or mental health issues, HIV status, sexually transmitted diseases or presence of malignancy.

When PHI is faxed, safeguards must be taken to make sure only the intended recipient receives the information.

Stanford Hospital & Clinics' recently developed fax cover sheet (available at http://intranet-medcenter.stanford.edu/shc/hipaa/HIPAAForms.html) must be used for all external faxes and for those sent internally, unless the internal fax is sent to a frequently used, pre-programmed number.


The fax cover sheet must include:
Sender's name and facility name, telephone number and fax number.
Date and time of transmission.
Number of pages being faxed.
Recipient's name, facility, address, telephone and fax number.
Summary of the content being faxed (do not include PHI).
Name and number to call to verify receipt, report a transmittal problem or to inform of a misdirected fax.
Instructions for handling misdirected faxes (the recipient should mail back the information or shred the document).


Frequently used fax numbers should be pre-programmed to ensure the correct destination.

When faxing PHI to a non-pre-programmed number, verify receipt of the fax by 1) asking the recipient to fax back the cover sheet, or 2) calling the recipient to confirm that the fax was received. The confirmation sheet generated by the fax machine is not sufficient as verification.

Make sure the header generated by your fax reflects the name and fax number of the department of origin. If incorrect, consult the equipment manual or call the HELP desk for assistance.

Questions about the faxing and e-mail policies can be directed to D'Arcy Myjer, SHC's privacy officer, at D'arcy.Myjer@medcenter.stanford.edu or 725-6291.
