Privacy Officer's Roundtable

Physical Mailing of e-PHI DVD

  • 1.  Physical Mailing of e-PHI DVD

    Posted 06-23-2020 01:09 PM
    Hello Everybody,

    I am completely new here, so apologies if I am not doing something right or posting in the wrong communities.

    I am a new cyber security analyst, and I've recently started addressing high-risk areas. One of them included ensuring there are documented procedures for our Medical Records department when they are physically mailing e-PHI DVDs. There was no documented standard, so I am trying to establish something for them.

    My Question:
    How do other organizations handle sending e-PHI through the Postal Service? If the disc was encrypted, would the password/key need to be sent in a separate package? I tried researching this quite a bit, but discovered nothing to help with this specific question. Any ideas or knowledge on this matter are greatly appreciated!

    Thanks,

    Parker

    ------------------------------
    Parker Torbett
    Cyber Security Analyst
    Tulsa, OK
    ------------------------------
    2020 SCCE Membership


  • 2.  RE: Physical Mailing of e-PHI DVD

    Posted 06-23-2020 02:20 PM

    Parker,

    I don't have experience from a medical records perspective, but from purely a security point of view...YES you should always communicate any access credentials separately from the file being sent...otherwise, a bad actor that intercepts the package would also have access to the encrypted data.

     

    Best Regards,

    Scot Lovejoy   

    Scot Lovejoy RPh. CHC CHPC

    Chief Pharmacy Officer

    Compliance Officer

    9 Campus Drive, Suite 200

    Parsippany, N.J. 07054

    (O) 973-540-8400  x227

    (C) 973-570-3803

    (F) 973-540-8440

     



  • 3.  RE: Physical Mailing of e-PHI DVD

    Posted 06-24-2020 02:03 PM
    Edited by Parker Torbett 06-24-2020 03:44 PM
    Thanks Scot,

    That was also my initial thought coming from a security point of view, but I wondered how others generally handle this to confirm my initial feeling.

    Thanks,

    Parker

    ------------------------------
    Parker Torbett
    Cyber Security Analyst
    Tulsa, OK
    ------------------------------



  • 4.  RE: Physical Mailing of e-PHI DVD

    Posted 06-24-2020 01:09 PM

    Hi Parker!  I checked with our Medical Records department to see what they do.  They send the password/key separately.  They either mail it separately from the disc, or email the requestor the password/key if that's how the requestor wants to receive it.

    Cinda



  • 5.  RE: Physical Mailing of e-PHI DVD

    Posted 06-24-2020 01:22 PM
    We have the same process as Cinda.

    ------------------------------
    David Rothery, CHC, AWI-CH
    Compliance & Privacy Officer
    Health & Human Services
    Marin County, CA


    These are my personal opinions and not those of the County of Marin
    ------------------------------



  • 6.  RE: Physical Mailing of e-PHI DVD

    Posted 06-24-2020 01:57 PM
    We also do the same as Cinda.

    ------------------------------
    Ann Dunham
    MBA, SPHR, CHC, CHRC
    Compliance Officer
    Hannibal Regional Healthcare System
    Hannibal, MO
    ------------------------------



  • 7.  RE: Physical Mailing of e-PHI DVD

    Posted 06-24-2020 02:06 PM
    Edited by Parker Torbett 06-24-2020 03:44 PM
    Perfect, Thanks Cinda!

    This is exactly what I was looking for. That is what I assumed, but sometimes I struggle looking at things from a non-cyber security perspective, and my biggest challenge is balancing availability/convenience with security. So it definitely helps to know how other organizations deal with this, so I know I'm not simply making everybody's job harder!

    Thanks,

    Parker

    ------------------------------
    Parker Torbett
    Cyber Security Analyst
    Tulsa, OK
    ------------------------------
