Download a PDF of the Current Issue 2015 Volume 12 Number 3 July- September

What’s in your Emails?

Elizabeth White, JD, CIPP
Chief Compliance and Privacy Officer Shands Healthcare
4-4-1 Over the last several years, Email has begun to change the health care industry by providing health care providers a convenient and cost effective method to facilitate communication with patients and other business associates. The industry’s reliance on email is consistent with the 1998 survey conducted by Ernst & Young, that found email is now the primary communication tool used in business.   In fact, the survey showed that only 15 % of the survey respondents reported favoring face‐to‐ face meetings to facilitate transactions.  So, it is un‐ surprising that patients and others associated with the health care industry wish to use email as the primary mode of communication. However, unlike many other industries, health care providers are subject to heightened standards related to use and disclosure of their patients’ in‐ formation; and, as a matter of practice, should exercise caution when drafting and transmitting in‐ formation related to their patients and their practices. This article provides a brief overview of the regulatory requirements associated with use and disclosure of patient information, electronic trans‐ mission of this information, and other risks associated with utilizing email as a communication tool. Also, this article provides suggestions that a health care provider may use to mitigate such risks. Requirements Related to the Use and Disclosure of Health Information: The Hippocratic Oath, state laws, licensing requirements, and Medicare Conditions of Participation have restricted a healthcare provider’s ability to communicate information related to the care of their patients for many years.  In short, these standards require that the health care provider keep the patient’s health information confidential and that the information may only be disclosed to third parties with the consent of the patient or if man‐ dated by law.  Due to minor variations in these standards, the Department of Health and Human Services (“DHHS”) developed national standards for the use and disclosure of Protected Health In‐ formation (“PHI”) when the DHHS  promulgated regulations  implementing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). In addition to providing specific directives regarding the use and disclosure of patient information (the Privacy Rule), HIPAA’s Security Rule re‐ quires health care providers to implement technical security measures to guard against unauthorized access to electronic protected health information (“ePHI”) that is being transmitted over an electronic communications network.  HIPAA’s “addressable” implementation specifications state that when transmitting ePHI, a health care provider should implement security measures to en‐ sure that the ePHI maintains its integrity and is not improperly modified without detection until dis‐ posed of.   The rule states that, providers should implement mechanisms to encrypt ePHI information whenever deemed appropriate. When applying these standards, each health care provider is responsible for assessing the level of risk associated with the transmission of messages containing ePHI and for ensuring that the risks are minimized to an appropriate level. HIPAA provides both civil and criminal penal‐ ties for the violations of the Privacy and Security standards. Civil monetary penalties may range from $100 to $25,000.  Within the criminal context, in instances where the offense is committed with the intent to sell, transfer or use information for commercial advantage, personal gain or malicious harm can lead to fines of $250,000 or 10 years imprisonment. Other Risks Associated with Email Even when the use, disclosure, and transmission of confidential information are authorized and se‐ cured, there are numerous other risks associated with email that are often overlooked by health care providers.  After all, the most robust security mechanisms for transmission of ePHI do not protect against questionable judgment or carelessness. The paragraphs below itemize just a handful of the risks associated with the use of email. • Unintended documentation. Commentators have stated, “[I]n the litigation environment, it is often email that contains the most damning admissions. . . . [I]n email, people don’t take the care they would were they writing formal correspondence, and they tend to say things they don’t intend to say.”   For example, Lawrence Powell, an L.A. police officer involved in the 1991 Rodney King case sent a colleague an email message where he stated “Oops!  I haven’t beaten anyone so bad in a long time.” Clearly, Lawrence Powell didn’t intend to have his email serve as an admission in a courtroom. • Email never really dies.  Even if an email message has been deleted by the author, the message can usually be retrieved from a variety of locations including backup tapes, the network, local hard drives. Moreover, even if the email had been deleted from all locations where it may have been stored, due to the advanced nature of computer forensics, it can usually be re‐constructed.  An example of a deleted email that had been restored by a forensic specialist and used in litigation reads, “Did you see what Dr. [deleted] did today?  If that patient survives it will be a miracle.” • Email is usually discoverable in litigation. Our legal system mandates that both sides in a lawsuit produce documentation that may be relevant to a case during the “discovery” process.  Since email is written, time‐stamped documentation, it serves as credible evidence with jurors.  In fact, due to the usefulness of email in litigation, an entire industry is evolving which conducts analysis of email to assist attorneys with the discovery process by providing “visual representations of relationships evidenced in email, such as time, events, and communication patterns.” • Forwarded email.  Recipients can easily for‐ ward an email they’ve received to innumerable people without the knowledge or consent of the author.  In short, once the author sends the email, the author cannot control who receives the message. • Misdirected email. With one unintended click in the email system’s address book, a message intended for one recipient can be sent to an entire organization or an entire internet listserv. In instances where the information within the email may be considered confidential or subject to a legal privilege, the ability to assert such a privilege may be jeopardized. To mitigate against the risks associated with email, health care providers should: • Ensure email messages containing PHI are transmitted in accordance with HIPAA’s Security requirements. • Consider whether the message may serve as an admission of liability. • Consider whether you are disclosing confidential information to a party not authorized to receive it. • Exercise caution when sending an email containing PHI to ensure that the recipient address corresponds to the intended recipient—double check the recipient list! • Email messages containing PHI should be limited to the minimum necessary to accomplish the intended purpose (send only what the recipient needs). • Disable auto forwarding on your system. • Enter the recipient’s address last, after you’ve drafted the message to your satisfaction so that you avoid sending an incomplete or embarrassing message. • Eliminate unnecessary attachments. If an email is forwarded, the attachments may not be readily visible and may accidentally get for‐ warded inappropriately. • Do not use email to discuss highly confidential information including peer review or quality information. • Use the cc field sparingly. • Never send an email when you’re tired or angry. Instead, save the draft, review (revise if necessary), and send at a later time. • READ your email before hitting the send button.   Media Central: Email;Primary Tool of Business Communication, NU Internet Surveys (May 11, 1998) <http;//www.nua.ie/ surveys/index.cgi?service=survey &survey_number=739&rel=no>. 45 CFR Parts 160.162.164. 45 CFR §164.312(e)(1). 45 CFR §164.312(e)(2)(i). 45 CFR §164.312(e)(2)(ii). 45 CFR §164.404. 42 USC §1177 (b)(3). Dan Goodin, Email Still Dangerous in Business, News.Com,    ( Jan 20, 1998) http://www.news.com/News/ItemTextonly/ (quoting attorney David H. Kramer). Adam J. Conti & James W.Wimberly, The Developing Law of Cyberspace (Jan. 1996) http://www.bobbin.com/ media/96jan/privacy2.htm. Daemon Seed, Old Email Never Dies, Wired, (May 1999), <http://www.wired.com/wired/archive/7.05/email.html> John Soat, Email as Evidence, Information Week, (August 29, 2005)     <http://www.informationweek.com/shared/ printableArticleSrc.jhtml?articleID=170100973.