Category: Privacy

Date: June 2012

Reviewed/Revised: April 2013

Policy

Protected health information may be transmitted electronically under limited circumstances when the use or disclosure is permitted in accordance with Authorization to Disclose or Use Protected Health Information and reasonable and appropriate security measures are implemented.

Procedure

The following security measures must be followed:

  • Electronic messages containing protected health information may only be sent or received with a device that has been secured in compliance with EVMS Medical Group security policies and procedures.
  • Protected health information must be limited to the minimum necessary for the permitted purpose.
  • Highly sensitive protected health information (for example, mental health, substance abuse or HIV information) should be transmitted only in exceptional circumstances.
  • Protected health information may only be sent by email after the recipient’s address has been carefully verified.
  • Electronic messages containing protected health information must include a privacy statement notifying the recipient of the insecurity of electronic messaging and providing a contact to whom a recipient can report a misdirected message.

The measures listed above are sufficient for the transmission of encrypted information. In addition, information which is not encrypted may only be exchanged in the following circumstances:

  • The electronic message contains information urgently needed for patient care and the patient identifiers are limited to name, date of birth, medical record number.
  • The electronic message is needed in a timely manner for the benefit of the patient; contains no highly sensitive protected health information; and contains none of the following direct identifiers: name, street address, SSN, date of birth, age if over 89, phone number or patient email address.