Purpose:
This Policy document describes procedures that govern an individual's use of Community Care's email system. It also defines the steps that must be taken by Community Care clients who wish to engage in email with Community Care. This procedure applies to the informational uses of email and does not cover the ethical, legal and regulatory issues.
Procedures:
1. Communicating PHI via Email Internally
   a. As a general rule, unencrypted email should not be used to communicate PHI. Email is inherently less secure than other forms of communication. However, email of PHI will be permitted at Community Care if certain safeguards are implemented.
   b. Community Care will implement the following safeguards when communicating PHI in or attached to an email message:
      1. Email communications containing PHI about Community Care clients will be transmitted only on the Community Care email system and cannot be forwarded to an email account outside Community Care.
      2. PHI will not be transmitted in the subject line of the email message.
      3. The fact that the message or an attachment to the message contains PHI will be reflected in the subject line of the email message.
      4. The email message will include Community Care's confidentiality notice.
      5. If a document that contains PHI is attached to the message, the User should verify before transmitting the email message that he/she has attached the proper attachment.
      6. Before transmitting the email message, Users should double-check the message and any attachments to verify that no unintended information is included.
      7. Users who communicate PHI via email will comply with all other Community Care policies and procedures.
   c. Any User who is unsure whether an email message or attachment contains PHI should contact his/her supervisor or the HIPAA Privacy Officer before initiating the email communication.
2. Communicating PHI with Clients
   a. Clients have the right to request that Community Care communicate with them via email.
   b. If a client requests email communications containing their PHI, the individual receiving the request must obtain a written request for email communications and provide the client with guidance on using Email via the Internet. If a client requests email communications containing their PHI, the individual receiving the request must obtain a completed Client Request for Email Communications form from the client AND must provide the client with the Important Information about Provider/Client Email form prior to processing the client's request.
   c. Community Care reserves the right to deny a client's request to communicate with him/her via email. For example, Community Care may deny a client's request for email communications if a provider with an existing clinical relationship with the client believes email communications with the client should not occur.
   d. If the client's initial request to communicate via email is granted by Community Care, the client will be required to complete the following prior to engaging, for the first time, in provider/client emails with Community Care:
      a. Respond to a test email with answers to a question specific to that client (i.e., the client's date of birth, father's name, mother's name, etc.) to verify the client's email address and identity; and
      b. Confirm the client's understanding of the risks of engaging in email communications with his/her providers.
   e. Request for email communications will be placed in the client folder for a minimum of six (6) years. Approved requests are valid regardless of the time period as long as a hard copy is maintained.
   f. An approved request will be effective for only the provider identified on the request. The client must complete a separate request for each provider with whom he/she wants to communicate via email, and must revoke each request to discontinue email communications.
3. Ownership of Electronic Mail
   a. The email system at Community Care belongs to Community Care.
   b. Community Care workforce will adhere to this policy when sending PHI and Community Care email policy when sending email that doesn't contain PHI.
   c. Community Care reserves the right to override individual passwords and access the email system at any time for valid business purposes such as system maintenance and repair and security investigations.
4. Retention of Email
   a. Community Care requires archives of email for the purposes of record recovery and regulatory compliance.
   b. Questions about retention activities should be directed to the Security Officer.
5. Definitions
   User means any employee or other person authorized by Community Care to read, enter or update information created or transmitted via the electronic mail system.
   Protected Health Information (PHI) means information, including demographic information that may identify the client, that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual and identifies or could reasonably be used to identify the individual.
   Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for Community Care, is under the direct control of Community Care, whether or not Community Care pays them.