• E-mail
• Print
• RSS

Limit the use of fax and take precautions to protect PHI

HIM Connection, November 28, 2003

Want to receive articles like this one in your inbox? Subscribe to HIM Connection!

Dear Colleagues:

HIPAA's privacy rule has forced facilities to reevaluate how they conduct even the most routine tasks, like faxing patient records.

In fact, Beth Israel Deaconess Medical Center in Boston has decided to limit the use of fax to send protected health information (PHI) to emergencies, says Holly Ballam, RHIA, corporate privacy officer and physician liaison for Beth Israel.

Beth Israel's policy says staff cannot fax any health information except in emergencies. They can never e-mail patient records.

Ballam offers the following advice for protecting the confidentiality of patient records when faxing:

1. Verify the recipient of the fax. "If anyone faxes information, they have to get the fax and phone number of the facility and call back to verify that it's the right place, like the emergency room, and that somebody is standing at the fax machine waiting for the fax to come," says Ballam.
2. Ask for patient authorization. Beth Israel hasn't formalized its process yet, but will probably require authorizations when faxing PHI even for treatment, payment, and health care operations, despite the fact that the privacy rule does not mandate them, says Ballam.

   "We always ask for an authorization [to release the information] from the patient or a family member," she says. "We try to get the authorization before we send the record, but if it's life or death, we're obviously not going to keep that person from getting medical attention. We ask the hospital to get one and send it to us once the patient is stabilized."

3. Look for alternatives to e-mail. If you decide to allow staff to e-mail records, make sure you have a secure system including firewalls. Use the same method for verifying the identity of the recipient that you use for faxing. "But I would recommend you don't e-mail medical records ever," she adds.
4. Train staff. The HIM should handle fax requests, but other departments get calls all the time and often take care of the requests on their own, says Ballam.

As part of HIPAA training, Beth Israel will train nurses and staff in physician offices and clinics on policies and procedures for faxing patient information. Right now, all the nurses and nursing supervisors know what to do when they get a request, she says.

"But in a perfect world, all requests for medical information should go to HIM and they should handle them."

This week's HIM Connection was adapted from an article in Briefings on HIPAA. Click here for more information or to order. See the Editor's Choice section for a special HIPAA training handbook just for HIM staff.

Sincerely,

Lauren McLeod
Senior Managing Editor
lmcleod@hcpro.com

Want to receive articles like this one in your inbox? Subscribe to HIM Connection!

• E-mail to a Colleague
• Print
• RSS
• Archive