Protect health information, encrypt e-mail

posted December 11th, 2008

Throughout Duke University Health System operations, there are occasions when protected health information (PHI) or other sensitive electronic information is sent by e-mail.

A typical transaction might include the patient’s account and medical record information, home address and phone number, even the patient’s name. Providers and patients may also communicate with each other by e-mail.

To protect patients’ privacy and confidentiality, e-mails containing PHI or other sensitive information must be encrypted. When using e-mail, members of the Duke workforce are required to use Lotus Notes or iNotes, which are DHTS-supported encrypted e-mail accounts.

Know your features. Check the “sensitive electronic information” box before sending PHI by Lotus Notes. The communication of PHI by personal e-mail accounts (AOL, Hotmail, Outlook, etc.) is prohibited, as is the automatic forwarding of e-mails outside of Duke Medicine. It is important to remember that you are responsible for taking reasonable steps to control uses and disclosures of PHI by applying the minimum necessary rule.

“Minimum necessary” means including in an e-mail only the amount of PHI necessary for the purpose of the communication. Complying with the minimum necessary communication requirements includes de-identifying the PHI as much as possible. For example, when PHI is sent via e-mail, the e-mail should not reference the patient’s name if there are other identifiers, such as a medical record number or an account number, available. If it is necessary to include PHI in an e-mail, the e-mail should only be sent to those who have a “need to know” the information.

E-mails containing PHI may not be forwarded within or outside Duke Medicine, and PHI should never be used in the subject line of an e-mail. The subject line is not encrypted even when the sensitive electronic information box is checked: like the sender and recipient addresses, it travels in the clear so that the message can be routed and listed in mailboxes, and only the message body is protected.
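The point above is easy to overlook because an encrypted message looks protected as a whole. The following Python is an added example, not code from Duke or DHTS, that shows why: it builds a message whose body is replaced by an opaque placeholder standing in for the encrypted part, confirms that the Subject header is still readable in the serialized bytes, and runs a simple pre-send check that flags identifier-like tokens in the subject line and offers a redacted alternative. The identifier patterns (an "MRN" prefix, an "acct"/"account" prefix, long digit runs) and the addresses are constructed assumptions for illustration; a real deployment would use the organization's own number formats.

```python
import re
from email.message import EmailMessage

# Constructed patterns for illustration only (assumption, not Duke's formats).
IDENTIFIER_PATTERNS = {
    "medical record number": re.compile(r"\bMRN[\s:#]*\d{6,10}\b", re.IGNORECASE),
    "account number": re.compile(r"\b(?:acct|account)[\s:#]*\d{6,12}\b", re.IGNORECASE),
    "long digit run": re.compile(r"\b\d{7,}\b"),
}

REDACTION = "[removed]"


def subject_findings(subject):
    """Return the identifier categories found in a subject line (empty list if clean)."""
    text = subject or ""
    return [name for name, pattern in IDENTIFIER_PATTERNS.items() if pattern.search(text)]


def redacted_subject(subject):
    """Replace every identifier-like token in the subject with a neutral placeholder."""
    text = subject or ""
    for pattern in IDENTIFIER_PATTERNS.values():
        text = pattern.sub(REDACTION, text)
    return text


def cleartext_headers(msg):
    """Map each header name to whether its value is visible in the serialized message.

    Body-level encryption leaves headers untouched, so Subject, From and To
    are expected to show up in the raw bytes even when the body is ciphertext.
    """
    raw = msg.as_bytes()
    return {name: value.encode() in raw for name, value in msg.items()}


def build_sample():
    """Construct a sample message with an opaque body standing in for encrypted content."""
    msg = EmailMessage()
    msg["From"] = "provider@example.org"        # constructed address
    msg["To"] = "clinic-desk@example.org"       # constructed address
    msg["Subject"] = "Lab results MRN 1234567"  # PHI in the subject: the mistake to catch
    # Placeholder ciphertext; a real client would insert the encrypted part here.
    msg.set_content("-----BEGIN ENCRYPTED BODY-----\nMIIB...opaque...\n-----END ENCRYPTED BODY-----\n")
    return msg


def presend_report(msg):
    """Summarize what a pre-send check would tell the sender about this message."""
    subject = msg["Subject"]
    return {
        "subject_visible_in_transit": cleartext_headers(msg)["Subject"],
        "findings": subject_findings(subject),
        "suggested_subject": redacted_subject(subject),
    }


if __name__ == "__main__":
    report = presend_report(build_sample())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running the block on the sample prints that the subject is visible in transit, that it contains a medical record number and a long digit run, and suggests "Lab results [removed]" instead. The check is deliberately conservative: a long digit run is flagged even without a recognizable prefix, because a bare number is still an identifier once it reaches a mailbox listing.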

For further guidance on this topic, go to https://email.duhs.duke.edu/secureemail/ or see the DUHS Electronic Communication policy, the DUHS Mobile Computing and Storage Devices policy, or contact Rob Adams, information security officer, at rob.adams@duke.edu.
