New Feature: E-mail Security Survey Results
By Robert McAuley

In September 2008 the GIR began a new series to help keep members informed about common security practices. Several times a year a short survey focused on a particular security practice is distributed, and the results are reported in the next GIR newsletter. We sent the following survey questions to approximately 700 people at approximately 400 member institutions and received 104 responses. Because of the nature of some of the questions, the GIR decided to make the survey anonymous; as a result, we do not know how many member institutions this sample represents.

E-mail is an extremely effective communications tool for overburdened health care providers: it is quick, ubiquitous, and asynchronous. The downside is that in most instances it is not secure. Messages can easily be misaddressed, mistakenly forwarded, or intercepted in transit.

Overall, this survey suggests that the majority of represented institutions do not have substantial controls on employee use of e-mail to communicate PHI. Specifically, while most represented institutions allow health care providers to communicate with patients via e-mail (or are neutral on the subject), they do not restrict which e-mail systems (third-party or institutional) may be used for business communications, and they place the responsibility for securing the e-mail on the individual employee. The results also indicate that most responding institutions do not require patient consent for these communications and do not routinely capture them in the medical record.

The survey questions and results are as follows. Where the number of answers exceeds the number of respondents, some respondents selected more than one option.

1. Do you have a formal policy regarding the transmission of ePHI via e-mail or other electronic messaging systems (e.g. patient portals)?

Respondents = 104; "Yes" = 89, "No" = 15.

The HIPAA Security Rule requires covered entities to guard against unauthorized access to ePHI transmitted over an electronic network, and electronic messages that contain ePHI certainly fall under this requirement. It is surprising that 14% of the responders report that their institutions do not have a formal policy.

2. If yes to number 1: Does this policy allow for the transmission of ePHI via e-mail or other electronic messaging systems?

Respondents = 84; "Yes" = 72, "No" = 12.

This suggests that institutions recognize the efficiencies, or simply the reality, of e-mail use. Informal surveys at this author's institution suggest that physicians and administrative offices rely heavily on e-mail for routine communication.

3. If yes to number 2: How do you protect these transmissions?

Respondents = 59; "Encryption of standard e-mail" = 51, "Patient portal" = 19, "Other" = 10.

Since there are more answers than respondents, some institutions employ multiple solutions. Of the 10 individuals who answered "Other", five reported that transmission of ePHI via e-mail is restricted to internal systems. One institution reported that it sends messages containing ePHI to patients "in the clear".

4. If you use encryption, is it passive (all e-mails are scanned and encrypted if necessary) or active (the sender has to select the encrypt option)?

Respondents = 54; "Passive" = 23, "Active" = 35.

Again there were more answers than respondents, which suggests that some institutions use active encryption with a passive safety net for senders who forget to encrypt. If we subtract the overlap (4), more than 50% of the respondents indicate that their institutions put the burden on the sender to decide whether to encrypt a message. One likely reason is that screening software cannot determine the context of a message. If an endocrinologist sends an unencrypted e-mail to his patient Professor Jones about his Hashimoto's disease, that is a HIPAA violation; if he sends a note to his colleague Professor Jones about research on Hashimoto's disease, it is not. The two messages may contain the same clinical terms, so a scanner that keys on vocabulary alone will either flag both or miss both.

5. Are these communications captured in the medical record?

Respondents = 74; "Yes" = 57, "No" = 21.

It is surprising that such a small percentage of institutions are capturing these communications in the medical record. If a message was not included in the medical record and there was litigation, the institution would be at a disadvantage.

6. If you have a formal policy, does it expressly forbid the transmission of unprotected ePHI via e-mail or other electronic messaging systems?

Respondents = 78; "Yes" = 51, "No" = 21.

Given that sending unprotected ePHI is an obvious HIPAA violation, it is surprising that so many respondents reported that their institutions have no policy against sending it by unprotected e-mail.

7. Do you have a policy specifying the e-mail systems your providers may use for business-related communications?

Respondents = 89; "Yes" = 43, "No" = 46.

A number of free e-mail services (Hotmail, Gmail, Yahoo) offer attractive features, including multi-gigabyte storage and excellent spam filtering. Although they may make individuals more efficient, when employees use an external messaging system for institutional business they create risk for the institution: it cannot demonstrate HIPAA compliance for a system it does not control, and it cannot search or preserve those mailboxes for e-discovery.

8. Do you ask patients to give formal consent to receive e-mails containing ePHI?

Respondents = 85; "Yes" = 34, "No" = 51.

The problem is that common e-mail is insecure. Any PHI sent via common e-mail (i.e. not encrypted or otherwise secured) may be accessed by or disclosed to third parties. Given that most common e-mail systems cannot be categorized as secure, it is in the institution's best interest to make patients aware of these risks and to obtain consent before transmitting PHI via e-mail or other messaging systems.

9. How do you capture consent: electronically or on paper?

Respondents = 34; "Electronically" = 18, "Paper" = 26.

Since the number of answers (44) again exceeds the number of respondents (34), some institutions must be collecting consent both electronically and on paper. The major benefit of a signed consent form is that in the event of litigation a signed form is a much more compelling piece of evidence.

10. Do you allow patients in the same family to share e-mail addresses?

Respondents = 73; "Yes" = 32, "No" = 41.

If a patient provides a shared e-mail address, is it reasonable for the health care provider to assume that the patient has consented to having their health information shared with the other users of that account?
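To illustrate the context problem behind the passive versus active encryption question (number 4), the following is an added example written for this article; it is not part of the survey or of any institution's system. It is a toy outbound-mail gate in Python that compares a keyword-only passive rule with one that also requires a patient identifier, and combines either with the sender's active choice. The three messages are constructed, the clinical term list is hypothetical, and the eight-digit MRN format is an assumption.

```python
import re

# Constructed sample messages (not real correspondence). They mirror the
# article's endocrinologist example: the same diagnosis appears in a message
# to a patient (ePHI) and in a message to a colleague (not ePHI).
PATIENT_MSG = """To: a.jones@example.org
Subject: Your lab results
Professor Jones, your thyroid antibodies are positive and your TSH is 8.2,
which confirms Hashimoto's disease. Let's start levothyroxine. MRN 00482913."""

PATIENT_MSG_NO_ID = """To: a.jones@example.org
Subject: Follow-up
Professor Jones, the antibodies confirm Hashimoto's disease.
We'll start levothyroxine at your next visit."""

COLLEAGUE_MSG = """To: a.jones@university.example
Subject: Review draft
Professor Jones, the draft of our autoimmune thyroiditis review is attached.
The Hashimoto's disease cohort section still needs its reference list."""

# Hypothetical clinical vocabulary a content filter might key on.
CLINICAL_TERMS = ("hashimoto", "levothyroxine", "thyroiditis", "biopsy", "diagnosis")

# Patterns that tie clinical content to an identifiable patient.
# The eight-digit MRN format is an assumption made for this example.
IDENTIFIER_PATTERNS = {
    "mrn": re.compile(r"\bMRN[:#\s]*\d{8}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def find_indicators(message: str) -> dict:
    """Return the clinical terms and identifier types present in a message."""
    lower = message.lower()
    terms = sorted(t for t in CLINICAL_TERMS if t in lower)
    identifiers = sorted(name for name, pat in IDENTIFIER_PATTERNS.items()
                         if pat.search(message))
    return {"terms": terms, "identifiers": identifiers}


def keyword_rule(message: str) -> bool:
    """Naive passive rule: encrypt whenever any clinical term appears.
    It cannot tell a patient's results from a colleague's research note."""
    return bool(find_indicators(message)["terms"])


def identifier_rule(message: str) -> bool:
    """Tighter passive rule: encrypt when a clinical term is paired with a
    patient identifier. Fewer false positives, but it misses ePHI where the
    patient is identified only by the address line and the body text."""
    found = find_indicators(message)
    return bool(found["terms"]) and bool(found["identifiers"])


def gate(message: str, sender_flagged: bool, rule=identifier_rule) -> str:
    """Combine active and passive controls as the survey overlap suggests:
    the sender's encrypt choice always wins; the scanner is the safety net."""
    if sender_flagged:
        return "encrypt (sender)"
    if rule(message):
        return "encrypt (scanner)"
    return "clear"


if __name__ == "__main__":
    samples = (("patient", PATIENT_MSG),
               ("patient, no MRN", PATIENT_MSG_NO_ID),
               ("colleague", COLLEAGUE_MSG))
    for name, msg in samples:
        print(f"{name:16s} keyword={keyword_rule(msg)!s:5s} "
              f"identifier={identifier_rule(msg)!s:5s} gate={gate(msg, False)}")
```

Run stand-alone, the keyword rule flags the colleague's research note as well as the patient's results (a false positive), while the identifier rule passes the colleague's note but also misses the patient message that carries no MRN (a false negative). Neither rule recovers the context a human sender has, which is why the gate treats the sender's active choice as authoritative and uses the scanner only as a backstop.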
© 1995-2009 AAMC