SVMIC, Navigating Electronic Media in a Healthcare Setting, Part 1 (page 16)
understands the confidentiality policy; this policy should be reviewed in the orientation process and annually thereafter. As with all practice policies, the confidentiality policy should be reviewed on an annual basis for relevance and compliance with current state and federal laws. A sample Workforce Confidentiality Agreement is available at www.svmic.com.
Emailing PHI
Email is not specifically prohibited by HIPAA, and the Privacy Rule allows covered healthcare providers to communicate electronically (such as through email with their patients), provided that they apply reasonable safeguards when doing so. HIPAA requires appropriate physical, administrative and technical safeguards for all ePHI. For example, a covered entity must decide whether encryption is appropriate based on the level of risk involved. Any devices used to store, transmit or receive ePHI must be included in the previously mentioned Security Risk Analysis (SRA). Therefore, it is necessary for the provider or healthcare entity to conduct an SRA to determine the threats and vulnerabilities concerning the confidentiality, integrity and availability of ePHI sent via email. A risk management plan must then be developed, and encryption or an alternative measure implemented, to reduce that risk to an appropriate and acceptable level. The plan must also be documented. The devices subject to a Security Risk Analysis include laptops, smartphones, tablets, USB drives, external hard drives and any other device used to store, transmit or receive ePHI.
The HIPAA Breach Notification Rule considers any unauthorized access, use or disclosure of unsecured PHI a breach, unless the covered entity can prove the PHI has not been compromised. This