Sharing PHI or Confidential Information Electronically
Below are the generally acceptable ways to electronically share PHI and Confidential Information that we discuss with each facility:
1. Within the facility's secure email domain (i.e., @utopiamemorial.com ---> @utopiamemorial.com), or between re|solution's secure email addresses (@ereso.com ---> @ereso.com). This is acceptable ONLY if ALL recipients (in the To:, CC:, and BCC: fields) have email addresses from @ereso.com or the facility's domain. A knowledgeable and authoritative member of the facility's staff will confirm to our IT staff in writing or by email that their email domain is encrypted for data in motion and at rest per 45 CFR 164.312 (where this has been confirmed, it is documented under Project Resources). Re|solution's email domain (@ereso.com) is secure. All staff working inside a facility are given an ereso email address. If you have NOT received notification of the login credentials for your ereso email address, please contact email@example.com.
2. Using third-party encrypted (AES-256) email (e.g., Barracuda, Zix).
3. File sharing via a shared directory that is secured to HIPAA standards (i.e., either encrypted or protected by physical and administrative safeguards).
4. Zipped and password-protected (AES-256 encrypted) attachments sent via unsecured email, with no PHI or Confidential Information in the body of the email itself. We use a utility called 7-zip to achieve this (instructions on how to use 7-zip).
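The following is an added example, not the policy's own 7-zip instructions, showing how item 4 is produced from 7-Zip's command line and how to check that AES-256 (rather than 7-Zip's legacy ZipCrypto default for .zip files) was actually applied. It assumes the binary is installed as `7z`; some Linux distributions ship it as `7zz` or `7za`, and the sample data in the test is constructed.

```shell
# Added example (not the policy's own 7-zip instructions): create the item-4
# attachment with 7-Zip's command-line tool and verify the cipher it used.
# Assumes the binary is named "7z" (p7zip); some distributions ship "7zz"/"7za".
# Caveat: .7z archives always use AES-256, but .zip archives default to the
# legacy ZipCrypto cipher unless -mem=AES256 is passed explicitly.
set -eu

# encrypt_attachment OUT SRC PASSWORD
# Builds a password-protected archive. For .7z, -mhe=on also encrypts the
# file names; zip cannot hide names, so never put PHI in a file name either.
encrypt_attachment() {
    out=$1; src=$2; pass=$3
    case "$out" in
        *.7z)  7z a -t7z  -mhe=on     -p"$pass" "$out" "$src" >/dev/null ;;
        *.zip) 7z a -tzip -mem=AES256 -p"$pass" "$out" "$src" >/dev/null ;;
        *)     echo "unsupported archive type: $out" >&2; return 2 ;;
    esac
}

# weak_zip_default OUT SRC PASSWORD
# What "7z a -tzip -p" produces without -mem=AES256: a ZipCrypto archive that
# does not meet the AES-256 requirement. Kept only for the contrast check.
weak_zip_default() {
    7z a -tzip -p"$3" "$1" "$2" >/dev/null
}

# archive_cipher ARCHIVE PASSWORD
# Prints the cipher 7-Zip reports for the archive: "AES-256" (zip AES or
# 7zAES), "ZipCrypto", or "none". The technical listing (-slt) is used
# because its "Method = ..." lines are stable across 7-Zip versions.
archive_cipher() {
    info=$(7z l -slt -p"$2" "$1" 2>/dev/null) || { echo unreadable; return 1; }
    if   printf '%s\n' "$info" | grep -q 'Method = .*AES';       then echo AES-256
    elif printf '%s\n' "$info" | grep -q 'Method = .*ZipCrypto'; then echo ZipCrypto
    else echo none
    fi
}
```

Run `archive_cipher records.zip 'passphrase'` on any attachment before sending it; anything other than `AES-256` does not satisfy item 4.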
In addition, with advance coordination between our IT staff and the facility's, we will agree to any other means of the facility's choice that they have validated as meeting the applicable standards under 164.312 and the supporting NIST standards (SP 800-111 for data at rest and SP 800-52 for data in motion).
You will be instructed by your manager as to the secure means of communication for your assigned facility. Please see Project Resources for more information on your assigned facility. If you do not see your facility listed, please contact your manager for the policy.
Sharing Hard Copy or Verbal PHI or Confidential Information
Hard copy PHI and Confidential Information should be avoided where possible, since its chain of custody is the most prone to human error. For example, a scanned document can be protected, accounted for, and destroyed more easily than the original paper document. Since hard copy documents are sometimes necessary, share them via sealed envelope when possible, and by fax when not. When faxing to a new phone number, a trial fax containing no PHI or Confidential Information must be sent first, with receipt confirmed by the appropriate party at the receiving end, before that number is used to exchange PHI or Confidential Information. eFax is not acceptable for sending PHI.
Verbal communication (i.e., in-person or telephone conversation) should take place only out of earshot of bystanders who do not need access to the PHI or Confidential Information.