HIPAA

Client initials and email

  • 1.  Client initials and email

    Posted 10-01-2020 03:51 PM
    I have heard from some folks that if you send client communications referencing them in email as their first two and last two initials that it is permissible. I have also heard from others that the initials are not considered "de-identified" enough to be permissible. The information I'm talking about sending is coordination of meetings, etc. Not clinical information. Please help me to understand if this is permissible or not. Thank you -Terry

    ------------------------------
    Terry Swenor
    Dir of Information Systems
    AK Child & Family
    Anchorage,AK
    ------------------------------
    19th Annual CEI Virtual Conference


  • 2.  RE: Client initials and email

    Posted 10-01-2020 04:01 PM
    Terry, can you provide more information or possibly a scenario?  In general, I'd say if the two people are authorized to have and use the information and it's for an allowable reason (treatment, setting up appointments, etc) then use of initials would be ok.  If there is no health information in the e-mail then no PHI.

    ------------------------------
    David Garrison
    Compliance/Privacy Officer
    SEARHC
    Juneau,AK
    ------------------------------



  • 3.  RE: Client initials and email

    Posted 10-02-2020 09:03 AM
    Terry,
    OCR has indicated that anything derived from an identifier is considered an identifier, so the initials would likely be considered an identifier. However, OCR has also said that covered entities can share limited information with patients via email. Here is a relevant FAQ from the OCR website:

    Does the Security Rule allow for sending electronic PHI (e-PHI) in an email or over the Internet? If so, what protections must be applied?

    Answer:

    The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.


    I know I have seen something from OCR regarding guidance on sending patients emails so long as the patient understands the risk and the information that is sent is limited, but I can't put my hands on it. I hope this is helpful.

    Marti Arvin

    ------------------------------
    Marti Arvin, JD, CHC-F, CCEP-F, CHRC, CHPC
    Executive Advisor
    CynergisTek, Inc.
    Marti.arvin@cynergistek.com
    615-540-8071
    ------------------------------



  • 4.  RE: Client initials and email

    Posted 10-02-2020 10:00 AM
    I'll add another voice to the choir and simply share that I do not see initials as an identifier.  Thanks to all for sharing! If someone sees some guidance to the contrary please share.  Until then...for me F.R. would not be an identifier under HIPAA for me, Frank Ruelas, in my view.




    Posted: 6:58 AM AZ time

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ► We don't fail unless we quit! ◄
    Next Up:
    C&C...CPG OIG and 8B2.1

    ░ Pass the Exam Group for 2020 ░
    Melissa Singleton - Jan - CHPC
    Julie Clutter - Jan - CHPC
    Tanisha Grant - Feb - CHC
    Lisa Bibby - Jan - CHPC
    Kelly Puida - Mar - CHPC
    Christina Serrano - Mar - CHC
    Rachel Anderson - May - CHC
    Melissa Alexander - June - CHC
    Theresa Veazey - June - CHC
    Barbara Zubeck - June - CHPC
    Patricia Radatz - June - CHC
    Anthony Fleming - July - CHC
    Laura Chaney - July - CHC
    James Maruyama - July - CHC
    Namrita Notani - July - CHC
    Lisa Campbell - August - CHC
    Susan Hammerschmidt - August - CHC
    Brandi Brooks - August - CHC
    Shari Singleton - August - CHC
    Rebecca Crane - August - CHC
    Meagan Bottrell - August - CHC
    Jill Lyons - August - CHC
    Camille Walton - September - CHC
    Danique Flax - September - CHC
    Melanie Schoonover - September - CHPC
    Meghan Smith - September - CHC
    Mandi Quigley - September - CHPC
    Madhavi Perumpalath - September - CHC
    Cassie Brazelton - September - CHC
    ------------------------------



  • 5.  RE: Client initials and email

    Posted 10-02-2020 01:50 PM
    Frank,
    I think there is an FAQ on this but I am certain OCR has issued guidance that stated anything derived from an identifier is considered an identifier and I believe specifically used initials as an example. Marti

    ------------------------------
    Marti Arvin, JD, CHC-F, CCEP-F, CHRC, CHPC
    Executive Advisor
    CynergisTek, Inc.
    Marti.arvin@cynergistek.com
    615-540-8071
    ------------------------------



  • 6.  RE: Client initials and email

    Posted 10-02-2020 01:52 PM
    Here is the FAQ from the OCR guidance

    May parts or derivatives of any of the listed identifiers be disclosed consistent with the Safe Harbor Method?

    No.  For example, a data set that contained patient initials, or the last four digits of a Social Security number, would not meet the requirement of the Safe Harbor method for de-identification.



    ------------------------------
    Marti Arvin, JD, CHC-F, CCEP-F, CHRC, CHPC
    Executive Advisor
    CynergisTek, Inc.
    Marti.arvin@cynergistek.com
    615-540-8071
    ------------------------------



  • 7.  RE: Client initials and email

    Posted 10-02-2020 04:27 PM
    At the risk of an extreme amount of pedantry on a Friday afternoon, it should be highlighted that "permissible" and "meeting the requirements of the Safe Harbor method" are not 100% equivalent. There are plenty of practices that are permissible in a business-as-usual situation that won't meet the Safe Harbor method should things come to that.

    To get back to the original request, the OP wants to send emails to clients to coordinate meetings.  Plenty of CEs do this, by allowing the patient to opt-in to email communications. (Sometimes these opt-ins include a blurb about all the awful things that can happen to email, which are usually never read by the signer). I've seen a few CEs perform a mini risk-analysis on this practice. They weigh the ease of communication, and the patient's desire to use email, against the risk of the email being mis-directed or intercepted in transit. As a control against the risk of being intercepted in transit, it's good to point out that most current email providers now use opportunistic TLS encryption; cf. Google. The usual outcome is to document that the benefits of email, compared to the risks of the email's causing an impermissible disclosure, make its use "reasonable and appropriate".  If you're including a tiny amount of ePHI in the email, that's another item on the side of R&A.

    Of course, ask the patient to opt-in, document your risk analysis, and have the appropriate Risk Management Committee (or equivalent) bless it.   My 2 cents.

    ------------------------------
    --
    Pete Niner
    Techumen
    ------------------------------



  • 8.  RE: Client initials and email

    Posted 10-03-2020 10:08 AM
    Big THANK YOU to Marti for the FAQ.  Also, I was not complete in my answer...but that does not take away from Marti's response in the least.

    Now given that we see that using initials, which is a subset of the derivatives that can be created by someone's name....this leads us to the "other" method which is the "expert determination" method where one can determine that health information is not individually identifiable by meeting the criteria as described in that section of the Privacy Rule.

    With that in mind...and understanding the specific context of the message and situation...using only the initials F.R. would not be enough for an expert to reasonably identify that the F.R. was Frank Ruelas....again keeping in mind the messaging.

    Thanks again Marti...I see your reference can quickly help people answer the question...safe harbor yes or no...and if no...they can consider the expert determination method.





    Posted: Saturday


    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ------------------------------



  • 9.  RE: Client initials and email

    Posted 10-03-2020 10:20 AM
    Frank,
    I agree that what you propose is feasible but it seems like more trouble than is needed. OCR has stated that it is ok to share "limited" information via unencrypted email. So using the initials as described and doing it for the narrow purpose described I think is fine. My original point was not to say she could not do it the way described but rather to clarify that it would not be de-identified under the Safe Harbor if the initials were included.
    BTW on a separate note don't be too sure that having F.R. in the email with a few other data elements is not enough to ID you. Remember this will also have your email. There was a study out of Europe where researchers determined that just 15 not necessarily direct identifiers were all that was needed to identify a person. A bit concerning in my opinion. Just sayin. Marti

    ------------------------------
    Marti Arvin, JD, CHC-F, CCEP-F, CHRC, CHPC
    Executive Advisor
    CynergisTek, Inc.
    Marti.arvin@cynergistek.com
    615-540-8071
    ------------------------------



  • 10.  RE: Client initials and email

    Posted 10-04-2020 10:21 PM
    Totally agree...that's why I shared in my first response that much depended on what else is involved in addition to the F.R.  Yes...email addresses included.  Thanks x 2!




    Posted: Sunday

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ------------------------------
