HIPAA Hotline Questions

Q: If I can’t email patient information, how am I to transmit PHI to other physicians?
A: To be clear, encrypted email is a secure method of sending PHI.  The reality is that setting up encrypted email is typically expensive and complex.  Usually only hospitals have the resources to do this.  If you are 100% sure that the email system on your end AND the email system on the receiving end are secure, then sending PHI is technically OK.  It is our preference that you NEVER send PHI via any email system.  We don’t like the liability it creates for physicians.  Additionally, it gets your staff comfortable emailing PHI and increases the possibility of mistakenly sending PHI to a non-secure email address.  Faxing is still an authorized method of sending PHI, though be sure your staff follows proper procedures for faxing PHI.

Q: Five staff share one username that everyone uses to log into our computers. Why is this wrong?
A: There are many reasons this is wrong, but it all comes down to the HIPAA requirements of accountability and access restriction.  HIPAA regulations require that you be able to track who in your office has accessed various information on your computer network.  A single username prevents tracking individuals as required.  HIPAA regulations also require that the various staff positions only be able to see what they need to see.  For example, the person making appointments should not have access to the medical details for a patient.  Billing staff should not have access to patient note details beyond billable items.  None of this is possible if everybody uses the same login name.
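A worked illustration of the two points in that answer, accountability (who did what) and access restriction (who may see what), added here as an example and not part of the hotline answer. The role names, record fields, user names and audit-log format are constructed assumptions; no real practice system or PHI is modelled.

```python
# Added example (not from the HIPAA Hotline page): why one shared login
# defeats both accountability (who did what) and least privilege (who may
# see what). The roles, record fields, user names and audit format are
# constructed assumptions for illustration only.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Least-privilege policy: which record fields each role may read.
ROLE_PERMISSIONS = {
    "scheduler": {"name", "appointment"},
    "billing": {"name", "billable_items"},
    "clinician": {"name", "appointment", "billable_items", "clinical_notes"},
}

# Constructed sample record (no real PHI).
PATIENT_RECORD = {
    "name": "J. Doe (constructed)",
    "appointment": "2011-04-28 09:00",
    "billable_items": ["99213"],
    "clinical_notes": "constructed note text",
}


@dataclass
class Session:
    user: str   # the identity the audit trail attributes actions to
    role: str   # the role whose permissions are enforced


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, session, field_name, allowed):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": session.user,
            "role": session.role,
            "field": field_name,
            "allowed": allowed,
        })


def read_field(session, field_name, audit):
    """Enforce the role policy and log every attempt, allowed or denied."""
    allowed = field_name in ROLE_PERMISSIONS.get(session.role, set())
    audit.record(session, field_name, allowed)
    if not allowed:
        raise PermissionError(f"{session.user} ({session.role}) may not read {field_name}")
    return PATIENT_RECORD[field_name]


def who_read(audit, field_name):
    """Distinct users the audit trail says successfully read a field."""
    return sorted({e["user"] for e in audit.entries
                   if e["field"] == field_name and e["allowed"]})


def shared_login_scenario():
    """Five people share 'frontdesk'. The shared account must carry the
    broadest permissions anyone needs, so billing can read clinical notes,
    and the audit trail can only ever say 'frontdesk'."""
    audit = AuditLog()
    shared = Session(user="frontdesk", role="clinician")
    # Five different people at the keyboard; the system cannot tell them apart.
    for _person in ("scheduler1", "scheduler2", "biller", "nurse", "doctor"):
        read_field(shared, "clinical_notes", audit)
    return who_read(audit, "clinical_notes")


def individual_login_scenario():
    """Each person has their own account with only their role's rights."""
    audit = AuditLog()
    staff = [Session("alice", "scheduler"), Session("bob", "billing"),
             Session("dr_lee", "clinician")]
    denied = []
    for s in staff:
        try:
            read_field(s, "clinical_notes", audit)
        except PermissionError:
            denied.append(s.user)
    return who_read(audit, "clinical_notes"), denied


if __name__ == "__main__":
    print("shared login, readers of clinical_notes:", shared_login_scenario())
    print("individual logins (readers, denied):", individual_login_scenario())
```

The design point is that a shared account has to be granted the union of every user's needs, so role restriction collapses along with attribution; per-user accounts let the policy deny the scheduler and the biller while the log still records that they tried.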

Q:  Our smartphone pictures of patients are….
A: I cut off the caller at this point and told them there is no defensible reason for taking pictures of patients with a smartphone.  This is extremely dangerous and should not be part of any practice policy.  The liability issues here are huge.  Never use a smartphone to take pictures of patients or to store any kind of PHI.


Q: The thumbdrive we use for backing up information is about to reach its size limit. Is there a better way to do this?

A: Not only YES, but Absolutely!  We are not at all fans of using portable storage devices for storing any type of PHI.  Daily we read horror stories in the news about lost thumb drives, etc., and you don’t want your practice to be in the news for this.  To back up your patient data, we recommend an off-site HIPAA compliant backup service, like CompliantBackup.com.  No question about it, backing up your data is nothing to fool around with.  If you must use a portable device to transfer PHI data to another device, ensure that the portable device is encrypted.  Another option is to use a fully encrypted thumbdrive.


frank stapleton April 18, 2011 at 8:27 am

If I contact a company for a price quote, can that company give my info to a third party?

Eileen Fowler April 28, 2011 at 4:44 pm

Is it acceptable practice for Ky State Police to send someone to a Pain Management facility to take pictures of patients arriving and leaving the practice? They were “undercover” and tried to hide it when asked by Mgr.

HIPAA Admin April 28, 2011 at 5:19 pm

Eileen,
This is really a question for an attorney.
My non-legal impression of this is it sounds like a set up, yet isn’t that what under cover law enforcement does?

HIPAA Admin April 28, 2011 at 5:22 pm

That depends.

Was this for an EHR? Did your information contain any private data?

Many online companies share your information with other companies.
You need to study what is stated in each company's privacy policy to fully understand what they may share with others.
