Dear CHUG users -
We are updating our policy about PHI within communications and wonder if anyone would be willing to share or discuss their policies. How do you handle PHI outside of Centricity when communicating internally and externally (e.g., email, instant messaging, or other forms of communication)?
Thanks.
1. We use the patient portal to communicate with patients
2. We do not email PHI to patients but we have encryption through Symantec on all outbound emails just in case. We do get false positives at times as well as recipient refusals to open (like some at GE support) so it can be frustrating. If the recipient refuses to open the email I ask them for their fax number and use Biscom and they will receive a fax from me instead. Internally we email all the time as there is no plain text going over the Internet. Smartphone access to PHI is allowed but is encrypted on each phone, forced by ActiveSync policy.
3. No SMS or instant messaging except through Tiger Text. I have read that some organizations are using iMessage thinking they are covered, but they are absolutely breaching privacy with every message containing PHI. Apple currently will not sign a BAA, and they do keep messages on their servers where they are not encrypted. Also, it is not always a guarantee that the iMessage stays iMessage, as it can be converted to standard SMS for various reasons.
4. Many printers have hard drives in them and do store things which are printed. I make sure we retain the hard drive to be destroyed after disposal of the printer. We do the same with workstation and server hard drives.
Off the top of my head, that is what we do and have written policies about.
Mike Zavolas
Tallahassee Neurological Clinic