This article will cover ensuring HIPAA compliance in electronic communications and preventing the transmission of protected health information via email and support tickets.



Summary: When submitting support tickets, please do not include patient names or initials, dates of birth, or any other identifying information that could be used to identify a patient outside of the Summit software. If you need to refer to a specific patient, use their Patient ID number.
This includes screenshots from within Summit; pay close attention to the background of screenshots for potential PHI. If you feel that you cannot submit a ticket without providing this information, please call the support line instead.



Maintaining HIPAA compliance and ensuring the proper handling of protected health information (PHI) is of the utmost importance. As a Business Associate of Covered Entities, Xtract Solutions takes HIPAA compliance seriously not only because it is federal law, but also because it is the right thing to do to ensure proper patient care and privacy. Additional HIPAA documentation and policies can be found HERE, but this article will focus on what can and cannot be sent via various electronic communication methods (primarily Freshdesk tickets generated via email or the support widget, but also direct emails to Xtract employees and, to a lesser extent, text messages and shared images).


If your organization has a secure messaging system that is fully HIPAA compliant, certain additional pieces of information can be shared and you should refer to their compliance policies. This document will assume you do not have a compliant secure messaging service.



Patient Information




Above is an example of the patient header. When accessing any patient in Summit, you should be able to see this header. While there are some variations in the information contained in the header based on your configuration, the scope of this article is the same regardless of configuration.


Certain elements of PHI are considered easily identifiable and should never be included in electronic correspondence. These include patient names (any combination of last name, first name, or initials), date of birth, age, gender/sex, and patient photo. When in doubt, any piece of information that could potentially be used to determine the patient's identity without access to Summit should never be included in correspondence. If you have a situation where you do not believe a resolution is possible without providing this information, call our support line instead, as there are different standards for what can be disclosed over the telephone and different associated policies for retaining and disposing of this sort of data.


When providing patient information in communication, the approved form of identifying information is the patient's Patient ID number. A patient's Patient ID is unique to the Summit software and is not considered to be PHI, as it is generated by Summit and can't be used to identify a patient without access to Summit. While you can't search for a patient by their Patient ID number, you can pull up a patient by entering a known Patient ID. In rare situations, clarification may be required and further correspondence may be needed, but in the vast majority of cases a Patient ID should be sufficient.



Screenshot Best Practices


While screenshots and other visuals can be vital to diagnosing and resolving issues that might arise within Summit, it is important to remember not to include any protected health information in the screenshot. Below are some examples of incorrect screenshots, each followed by a correct alternative.


Incorrect: In the image below, the patient's full name and age are visible in the background of the screenshot. 

Correct: Here, a screenshot of only the error window, a screenshot not including the demographic data found in the patient header, or a copy of the text of the error message would all be acceptable.




This next example includes multiple pieces of information, but only one of them must never be shared via electronic means. The Prescription Order Summary window shows an order number, a provider, information about the prescription in the order, the prescription number, dilution information, mix information, and the patient's name.

Incorrect: The patient's name is protected health information and cannot be included in electronic correspondence (the other items should also be avoided unless there is a specific purpose for including them).

Correct: In this case, the patient's name could have been cropped out of the screenshot and not included.



In some tables throughout Summit, protected health information is visible by default as it's required for normal operations, but would not be appropriate to include in electronic communications. 

Incorrect: In the example below, the patient's name and date of birth are both visible; neither should ever be included in screenshots or other communication.

Correct: Here, you could use the choose columns dropdown to remove the columns containing the information that shouldn't be included before taking a screenshot. Depending on the situation, an MRN and/or prescription number should be adequate to allow someone from the Xtract support team to assist you without giving out unnecessary protected information.





Balancing Act


There is always a balancing act between providing enough information to have an issue resolved and not providing unnecessary information or information that cannot be shared via a non-secured medium. If you are ever in doubt about whether a piece of information can be transmitted, or you feel you are unable to properly describe an issue without including this information, a phone call to the support line is probably the right answer.


While we do have practices in place for sanitizing and removing correspondence that contains PHI, it is in everyone's best interest not to include unnecessary or unpermitted PHI in any support tickets or emails. As a reminder, patient names and dates of birth should never be included, and patients should instead be referred to by Patient ID. If there is a situation where a piece of PHI is necessary for a support function, please provide that information via a telephone call. Depending on the nature and the volume of PHI contained in correspondence, we may be required to securely delete the email/ticket in question and instruct you to resend your support request with the PHI removed.