Do you know what your employees and colleagues are sending out of your company’s e-mail system? You’d better. You need a policy to protect yourself - and your patients.
As a provider or administrator, you care about the security of your practice’s assets. You diligently double-check your security alarm at night before you leave the office. You had your office manager install door locks on your medical records area. You installed security cameras at your office’s entrances and exits. Even your most basic sample medications are under lock and key. Unfortunately, all of these precautions still leave you vulnerable to the fastest way to move valuables out of your office: E-mail!
In practices large and small, having a documented e-mail use and abuse policy and ensuring staff are well versed in that policy are critical to protecting the practice, as well as your employees. Misuse of e-mail at work can lead to lost productivity, clinical liability, and human resources nightmares, among other risks.
What’s the worst that could happen?
Think about your practice and what information you have in electronic format: Spreadsheets of provider/staff pay rates and bonus incentives, tax documents, photos of patients’ dermatological symptoms, transcribed chart notes, and thousands of patient records - all ripe for the picking by an identity thief. Every one of these items can likely escape your secure grasp into the wilds of the Internet, all via simple e-mail attachments.
What is your liability if one of your patient’s “before and after” photos of breast augmentation starts making the “Funny photos, forward this e-mail to at least three people” circuit on the Internet? What if a staffer e-mails an unencrypted transcribed note to the wrong e-mail address; accidentally sending it to her friend’s e-mail address, rather than the intended recipient at another doctor’s office? The ramifications of simple e-mail errors could cost you big.
Make it clear!
Have all new hires (and existing staff, including your physician peers) sign off on an E-mail Use and Abuse Policy. Use any Internet search engine to track down free example policy documents that you can then fine tune for use in your own practice. I would even suggest having the document reviewed by your attorney. Often, staff seem to feel more of a sense of accountability when they have signed off on a specific policy, rather than it simply being part of an employee handbook they may never fully read.
Some general guidelines
Thanks to HIPAA and increasing awareness regarding general Internet security concerns, many technology-savvy physicians and staff are aware that caution is the name of the game. While HIPAA does not specify a particular technology tool for securing e-mail communications, users can to protect themselves by following a few simple rules:
Perhaps your practice finds it to be an acceptable risk to send a list of patient names awaiting operating room scheduling to the local hospital via encrypted e-mail. Your documents should be specific enough to define that this is acceptable if encrypted, but not acceptable if sent unencrypted.
Use of “free” e-mail solutions
In a small office, an e-mail server is often considered too expensive or impractical, and the office will instead use free Web mail services, such as Gmail, Hotmail, Yahoo Mail, or something similar. While these free Web mail services may work well for personal use, they can pose some risks.
Use of a Web mail service will limit your ability as an owner or administrator to control individual e-mail accounts, as you could with a corporately owned e-mail server. In the event a staff member leaves the company, you have no way to reset the password to the e-mail box of the Web mail service, and you may find yourself at the mercy of your ex-employee. If the employee’s parting was amicable, you may have less of an issue.
If, however, the employee was terminated, or otherwise severed their employment agreement under a dark cloud, you risk never having access to that e-mail box again. This could mean you have limited means of notifying anyone (including patients … eek!) who may have communicated with you via that e-mail address, that it is no longer a valid means of communicating with your office.
Encryption: Securing e-mail in transit
At least with the post office when you send something, it is protected from prying eyes by an envelope that hides the contents from the outside world while in transit. Unfortunately, standard plain text e-mail doesn’t always afford this luxury in terms of security. Talk to your local IT support resource about use of e-mail encryption solutions that offer enhanced security to wrap your e-mail messages within, protecting the message contents from prying eyes.
Using these suggestions, you can begin to construct your practice’s e-mail policies. The sooner you begin, the sooner your greatest assets will be better protected.
Jonathan McCallister is a client-site IT manager for a major healthcare consulting firm, and he is currently assigned to a 140-physician practice. He has worked in healthcare IT management for more than eight years and in general IT management for more than a decade. He can be reached via firstname.lastname@example.org.
This article originally appeared in the October 2008 issue of Physicians Practice.