HIPAA

Technology to Limit Misdirected PHI via Email?

  • 1.  Technology to Limit Misdirected PHI via Email?

    Posted 05-18-2020 02:08 PM
    Hi all,

    Is anyone aware of technology within email that would scan the body of an email and its attachments for PHI prior to sending? If PHI is detected in the email, a text box would appear when the user hits the send button that would ask the user to confirm that the PHI contained in the email is being properly directed. If not, is anyone aware of a similar proactive safeguard that would help limit the chances of misdirecting PHI with minimal to no disruption to the sender and recipient of the email?

    Thank you!

    ------------------------------
    Anthony Ambrose, MBA, CHC, CHPC
    Compliance Officer
    Service Access and Management, Inc.
    Lewisburg, PA
    ------------------------------
    19th Annual CEI Virtual Conference


  • 2.  RE: Technology to Limit Misdirected PHI via Email?

    Posted 05-18-2020 03:16 PM
    Anthony, I don't know the tech part of it, but we use zixencrypt.  It scans the e-mail for PHI and if it finds something the e-mail is held and the sender gets an e-mail that their message is being held.  They have to review the message and then choose to send it encrypted or unencrypted.

    ------------------------------
    David Garrison
    Compliance/Privacy Officer
    SEARHC
    Juneau, AK
    ------------------------------



  • 3.  RE: Technology to Limit Misdirected PHI via Email?

    Posted 05-18-2020 03:47 PM
    We have something similar to what David has.  We use Mimecast and it scans the email for PHI and things like Soc. Sec. numbers, date of birth, etc.

    ------------------------------
    Ann Dunham
    MBA, SPHR, CHC, CHRC
    Compliance Officer
    Hannibal Regional Healthcare System
    Hannibal, MO
    ------------------------------



  • 4.  RE: Technology to Limit Misdirected PHI via Email?

    Posted 05-19-2020 03:53 PM
    Thank you Ann and David!

    ------------------------------
    Anthony Ambrose, MBA, CHC, CHPC
    Compliance Officer
    Service Access and Management, Inc.
    Lewisburg, PA
    ------------------------------



  • 5.  RE: Technology to Limit Misdirected PHI via Email?

    Posted 05-20-2020 01:05 PM
    Hi all,
    We use Zix. I just wanted to add to be careful with attachments and/or screen shots. These are not caught since the encryption apps see the attachments as 'photos' (I believe) and cannot screen those.
    Stay Safe!

    ------------------------------
    THE OPINIONS WITHIN ARE SOLELY MINE AND NOT ATTRIBUTED TO MY ORGANIZATION
    Gabrielle Reeves JD, MHRM, CHPC
    gabrielle_reeves@bayhealth.org
    302-430-5397
    ------------------------------



  • 6.  RE: Technology to Limit Misdirected PHI via Email?

    Posted 05-21-2020 07:00 AM
    We also use Zix but I have this on the InfoSec Work and Audit Plan to verify the settings and make sure it's working. I'm not clear if it automatically encrypts attachments or if you have to type "secure" in the subject line to force it. I also think it's important to work with your infosec team to limit PHI leaving your facility in other ways such as turning off the ability of people to auto-forward their emails.

    ------------------------------
    Brenda Manning J.D., C.H.C., C.H.P.C.
    Privacy Director
    Interim Privacy Officer
    Carilion Clinic

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------



  • 7.  RE: Technology to Limit Misdirected PHI via Email?

    Posted 05-21-2020 08:17 AM
    Thank you Brenda and Gabrielle!

    ------------------------------
    Anthony Ambrose, MBA, CHC, CHPC
    Compliance Officer
    Service Access and Management, Inc.
    Lewisburg, PA
    ------------------------------



  • 8.  RE: Technology to Limit Misdirected PHI via Email?

    Posted 05-21-2020 01:54 PM
    We also use Zix. It looks for keywords that you have set up to automatically encrypt emails and attachments, but it does not always work the way you hope. We do not call them "patients" in our mental health/case management community mental health center, we call them "clients." Zix encrypts emails with the word patient, but not client. You can configure a lot of the key words it looks for, but not all.

    We created a code word to put in the Subject to force encryption when the Outlook add-in Encrypt & Send buttons are not there, such as when emailing through smartphones with our MDM on them.

    We also have it set up to automatically encrypt everything that goes to our counties' email addresses, as that is the bulk of our emailing (many of our employees work in their offices and also have county email addresses). Too many emails were getting sent without encryption before we set this up.

    I do a lot of training of new employees to explain exactly how it all works - the main point being, if you are sending anything with client information, force encryption via the Encrypt & Send button or the code word. Don't leave it to chance!

    ------------------------------
    Gwen Pekuri
    ------------------------------
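
Added example, not part of any post above and not Zix or Mimecast code: a minimal Python model of the three encryption triggers described in post 8 (content keywords, a subject code word, a recipient-domain rule), with non-text attachments reported as unscanned, as post 5 cautions. The keyword list, code word, domain names and sample messages are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage

# Every value here is an assumption for illustration, not a vendor setting.
KEYWORDS = {"patient", "client", "diagnosis"}   # site-specific lexicon
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # U.S. SSN shape
CODE_WORD = "[secure]"                           # hypothetical subject code word
ALWAYS_ENCRYPT_DOMAINS = {"county.example"}      # hypothetical partner domain

def evaluate(msg, keywords=KEYWORDS):
    """Return (action, reasons, unscanned_parts) for one outbound message."""
    reasons, unscanned, texts = [], [], []
    # Trigger 1: sender forces encryption with the subject code word.
    if CODE_WORD in (msg["Subject"] or "").lower():
        reasons.append("subject code word")
    # Trigger 2: any recipient in a domain that is always encrypted.
    rcpts = msg["To"].addresses if msg["To"] else ()
    if any(a.addr_spec.rsplit("@", 1)[-1].lower() in ALWAYS_ENCRYPT_DOMAINS
           for a in rcpts):
        reasons.append("recipient domain rule")
    # Trigger 3: content scan. Only text parts can be read; images and
    # other binary parts are recorded so the gap is visible to an auditor.
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "text":
            texts.append(part.get_content())
        else:
            unscanned.append(part.get_filename() or part.get_content_type())
    body = "\n".join(texts)
    if set(re.findall(r"[a-z]+", body.lower())) & keywords:
        reasons.append("keyword")   # exact-word match; plurals need listing
    if SSN_RE.search(body):
        reasons.append("ssn pattern")
    return ("encrypt" if reasons else "send_plain", reasons, unscanned)

def build(subject, to, body, image_name=None):
    """Construct a sample outbound message (test data, not real mail)."""
    m = EmailMessage()
    m["Subject"], m["To"] = subject, to
    m.set_content(body)
    if image_name:
        m.add_attachment(b"\x89PNG constructed", maintype="image",
                         subtype="png", filename=image_name)
    return m
```

Running `evaluate` with `keywords={"patient"}` on a message that says "client" shows the lexicon gap from post 8, and the `unscanned` list is what an audit of the settings would want to see logged.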
