HIPAA Forms

RESEARCH INVOLVING PHI OF DECEASED INDIVIDUALS ATTESTATION FORM

 

Tips for HIPAA Compliant Emails

What information is covered by HIPAA?

Put simply, any information about an individual’s health care treatment or payment for treatment is protected by HIPAA, if the information includes any “patient identifiers” or other information for which there is a reasonable basis to identify the individual. Patient identifiers include not only patient name, but also email address, date of birth, MRN, any treatment or discharge date, photo or other ways to identify the patient. See a complete list of patient identifiers below.

Can I email a patient?

If a patient initiates the communication via email, you can respond to their requests via email unless they ask you to use another method. When emailing health information, use encrypted email (see instructions below) unless the patient asks you not to (and make sure you have documented their understanding and acknowledgment of the items below). Make sure to document all patient requests concerning email. The minimum necessary information should only be transmitted via email.

What should I do if the patient initiates the communication using another method (such as phone) but asks me to send certain information by email?

  • Document the patient’s request to use email and their understanding and acknowledgment of the risk of doing so in writing prior to emailing. These risks are: (1) emails can be intercepted, edited, forged, forwarded or otherwise used without permission, (2) emails can be accidentally misdirected (senders can accidentally send emails to the wrong address), (3) employers and online services may have a right to read and store emails sent through their systems, (4) emails can be used to send viruses, malware, or other harmful agents into computer systems, (5) the patient is responsible for the privacy and security of their communications, email accounts, passwords and devices, and (6) Tulane is not responsible for the security and confidentiality of any email communication once it leaves Tulane’s control.
  • Include only the requested information. For example, if a patient requests lab results, include only those results and not other PHI such as notes or diagnoses.
  • Use reasonable safeguards to ensure you are emailing the correct address. For example, the email address should be checked for accuracy before sending.
  • Use encrypted email (see instructions below)

What about emailing health information to people other than the patient?

In general, we may not share health information with people other than the patient unless the patient has signed an authorization instructing us to do so. An exception is when we are sharing for the purposes of Treatment, Payment or Operations (this is known as the TPO Exception). When this exception applies, make sure to use encrypted email (see instructions below) and to email only to the email address of the recipient that pertains to the reason for sharing the information for TPO (in other words, avoid using a personal email address such as gmail). Also include only what is necessary. For example, if you can identify patients by a MRN rather than by name and date of birth, this is preferable, and don’t include any information that is not needed by the recipient.

What about Social Security Numbers?

It is almost never appropriate to email Social Security Numbers. These should be removed from data prior to emailing.

Consider more secure ways to communicate!

Sometimes it is possible to communicate via secure messaging within EMR systems such as eCW or Epic. This is preferable to email. In addition, it is preferable to send Box links to documents containing PHI rather than including them as email attachments.

If you are sending links to files within Box or OneDrive it is best practice to name the recipients. This will protect the data in the event that someone else gets ahold of the file link. Sharing files with “everyone” or the “entire organization” is not secure and should only be done with public information.

How do I encrypt emails?

For emails to recipients outside the organization, include “SECURE:” in the subject line to trigger encryption. It is important that it is formatted just as shown, if there is no “:” it will not trigger encryption. The recipient will receive the message in a Microsoft Secure Email Portal which will require them to log in. If it is the first time they will be asked to set up a free account. 

Emails between Tulane.edu email addresses are automatically encrypted by default and delivered directly to the inbox. The above encryption method will not work for internal emails.

What if I didn’t follow the steps above?

Mistakes can happen—even with the best intentions. If you believed a file was encrypted but it  wasn’t, or if Protected Health Information (PHI) was inadvertently sent to the wrong recipient, it’s critical to act quickly. Notify the recipient immediately, and request that they delete the file without reading (including deletion from the Deleted Items box. In addition, email hipaa@tulane.edu immediately. In some cases, we may be able to block access before the information is viewed or misused.

Please note: certain incidents may require us to self-report as a breach. Regulatory guidelines strictly govern the timeline for reporting, so prompt reporting to hipaa@tulane.edu is essential to ensure compliance and mitigate potential impact.

 

HIPAA Identifiers

If any of the following identifiers relating to the individual or relatives, employers, or household members of the individual are included in health information, it is protected by HIPAA. If all of the following identifiers are removed, the information is no longer protected by HIPAA.

  1. Names (including parts of names, and initials)
  2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
  3. All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/ license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) addresses
  16. Biometric identifiers, including finger and voice prints
  17. Full-face photographs and any comparable images (including distinguishing tattoos)
  18. Any other unique identifying number, characteristic, or code

If you have questions about HIPAA, email the Privacy Office at HIPAA@tulane.edu