If this email goes into a personal email, with a hospital logo, hospital name, from a hospital email address - is it PHI? Asking for a friend... :)
Please schedule your appointment.
Dear First name,
Breast cancer remains one of the most common cancers
diagnosed in women. Before symptoms appear, regular
mammograms are the best tool for early detection. The
American Cancer Society recommends that mammograms be
performed on a yearly basis on women 40 and over and
continued as long as they are in good health. Remember,
mammograms do not find all cancers and breast self-exams on
a monthly basis are also recommended.
We would like all our women patients over 40 current with
their mammograms. If you have not had a mammogram done
within the past year, please contact our office for scheduling
assistance at: number.
Please accept our apologies if you have received this email in
error or if you do not need a mammogram.
I will take the opposite position than Carl, so a little C&C.
Yes, it is PHI.
I do not read it as having bought a mailing list, just the hospital sending it to all female patients over 40 and I assume you are talking about an unencrypted email (not using a secure email program). You have the hospital information (name, logo, and email) in the email and use a hospital email address to send (or in the email if sent from a personal account). You have the patient's email address which is one of the 18 identifiers. You have the fact that the recipient is female, over 40, and a patient at the hospital. The first name is not a problem, but it depends on where the recipient lives. Carl is right about the first name if it is the greater LA area or Boise, but how about little Conda, ID? In many of the small towns where I live in rural TX Hill Country, a female over 40 named XXXXXXX could be identified. You also have a medical procedure (mammogram) reference and the information to schedule if needed.
In my opinion, the email is skirting with containing PHI and while it looks like marketing, it runs very close to needing the patient's permission to send PHI in an unsecure manner. The question is how many of the 18 identifiers must be present to tie with the fact the individual is a patient of the hospital for it to be PHI?
This is only my opinion and not that of the organization I work for. I will also admit that when I first read the posting, my thoughts were the same as Carl's. After I thought about it, my answer changed. I am also interested in seeing what others have to say on either position for C&C. I would hate to have a scenario question like this on the test.
What if we KNOW that the person who received the email is 100% a patient of the particular hospital? And that all emails that go out in this manner, go to people who ARE patients of the hospital?
Does that change the opinion?
Hi all, I love this C&C stuff! I saw this post on the other e-group, and agreed with Barbara - then started to doubt myself. I'm not sure that I agree it's "marketing" but more of a "population based activity for health education/health promotion or preventive care." In these cases, I believe it is allowable under "treatment" and I think, could even be akin to "appointment reminders" which are also allowable via mail, email, etc. I always think - HIPAA is not supposed to be a barrier to communication - its intention as a law is supposed to enhance communication between providers and patients. This would be one of those cases, as long as it's generic enough that it doesn't give out specific diagnoses or treatment plans! Those are my 2 cents--to add to the C and C!
That is a good perspective. HIPAA was not originally meant to be a barrier. Sometimes we overreact in fear of the "just in case" mindset. Which in many instances seems to become a barrier.
When HIPAA first came about, and there was so much confusion and fear, I remember thinking, "Good grief, we won't even be able to talk to the patients if this keeps up!" Thank goodness it is better than that now, but we still tend to sometimes err on the side of caution.
Vicky Roe, RN CHC CPMA
Southeast Georgia Health System, Inc.
2415 Parkwood Drive, Brunswick, GA 31520
Office: (912) 466-3264 Fax: (912) 466-7044 Email: email@example.com