Should Providers Send Patient Information By Email - PowerPoint PPT Presentation

About This Presentation
Title:

Should Providers Send Patient Information By Email

Description:

HIPAA Email Security Management in Email Communications: ... GML Enroll in (or Disenroll from) a Mail Group. Personal Mail Group Edit. Forwarding Address Edit ... – PowerPoint PPT presentation

Number of Views:207
Avg rating:3.0/5.0
Slides: 95
Provided by: veteransaf
Category:


Transcript and Presenter's Notes



1
Should Providers Send Patient Information By
E-mail?
  • Gail Graham
  • David Douglas, MD
  • Gail Belles
  • Stephania Putt

2
Objectives
  • This HIM-sponsored class reviews the risks and
    benefits of sending patient information by e-mail
    including technical, security, legal, and
    practical issues.

3
AGENDA
  • Introduction, Background, Communication Medical
    Records (Gail Graham, David Douglas)
  • Current use of e-mail to send PHI, CPRS
    Alternatives to e-mail, Clinician communication
    needs (David Douglas)
  • Overview of e-mail transmission, Security Risks
    of e-mail, VA Policy, Near and Long Term
    Solutions (Gail Belles)
  • Privacy Presentation (Stephania Putt)
  • Summary
  • Q&A

4
INTRODUCTION
  • Title Should Providers Send Patient Information
    By E-mail?
  • Level 100
  • Class Type Lecture
  • Class Length 120 Minutes on Tuesday 90 Minutes
    on Wednesday
  • Class Number 106 Should Providers Send Patient
    Information By E-mail?
  • Day/Time Tuesday Afternoon 120 minutes
    Wednesday Afternoon 90 minutes
  • Class Description This Health Information
    Management sponsored class reviews the risks and
    benefits of sending patient information by e-mail
    including technical, security, legal, and
    practical issues.
  • Faculty David Douglas, Gail Belles, Stephania
    Putt, Gail Graham

5
Background
  • E-mail is ubiquitous in modern business and this
    extends to health care.
  • E-mail enables numerous efficiencies but also
    introduces risks.
  • VA has become dependent on e-mail for business
    needs but must carefully manage the use of this
    communication medium so as to protect patient
    privacy and comply with laws, regulations, and
    policy.
  • The purpose of this class is to review the risks
    and benefits of sending patient information by
    e-mail, including technical, security, legal, and
    practical issues.

6
VHA Incident Reporting Ratios, December 2006 -
July 20, 2007
Email violation: sending PHI via VA network
unencrypted.
7
Examples
  • A problem with system configuration at one
    facility caused unencrypted messages containing
    PHI to be emailed to providers with email
    addresses outside va.gov
  • An improper exchange of employee performance data
    between a supervisor and union representative
    caused work documents containing names and SSNs
    of numerous veterans to be transmitted
    unencrypted and without a need to know by union
    representative.

8
Communication and The Medical Record
  • Definition A medical record, health record, or
    medical chart is a systematic documentation of a
    patient's medical history and care.
  • Purpose The medical record also serves as a
    basis for planning patient care, documenting
    communication between the health care provider
    and any other health professional contributing to
    the patient's care, and documenting the care
    and services provided to the patient.
  • Wikipedia

9
History of the Medical Record
  • Early 20th cent Medical Record was primarily a
    documentation medium
  • 2 developments led the medical record to become a
    communications medium
  • Change in Dr-Patient relationship
  • Expansion of Team Care

Medical Care Law Ch 7 Richardson Rathbun
10
Medical Record as a Communication Medium
  • 3 primary uses
  • Rapid access to recent information on a patient's
    condition
  • Ensuring continuity of care
  • Audit tool to assess quality of care

Medical Care Law Ch 7 Richardson Rathbun
11
7 Key Capabilities of an Electronic Health
Record System (www.iom.edu)
  • Health Information Data
  • Result Management
  • Order Management
  • Decision Support
  • Electronic Communication Connectivity
  • Patient Support
  • Administrative Processes

12
Electronic Communication and Connectivity
  • Electronic communication tools, such as e-mail
    and web messaging, have been shown to be
    effective in facilitating communication both
    among providers and with patients, thus allowing
    for greater continuity of care (Balas et al.,
    1997; Liederman and Morefield, 2003; Worth and
    Patrick, 1997) and more timely interventions
    (Kuebler and Bruera, 2000).

www.iom.edu
13
Lit Review Clinicians and E-mail
  • e-mail consultation in health care Car and
    Sheikh point out that e-mail use has grown in
    medicine without the necessary infrastructure to
    address security issues.
  • On Call and Online Spielberg compares e-mail
    with other communications media noting that
    e-mail may become part of the permanent medical
    record.

14
Lit Review Clinicians and E-mail
  • Legal Issues Concerning Electronic Health
    Information Hodge et al describe benefits of
    e-mail coupled with risk to patient privacy.
  • e-Risk Guidelines Online communications must
    include privacy and security provisions.
    Providers and patients must understand privacy
    and security risks.

15
Lit Review Clinicians and E-mail
  • Secure e-mail messaging for the Health Care
    Industry White paper calls for secure e-mail as
    a more efficient means of provider-provider
    communication.
  • HIPAA Email Security Management in Email
    Communications White paper notes value from
    electronic communication in health care but
    requires risk analysis and mitigation.

16
Lit Review Clinicians and E-mail
  • Use of e-mail curbside consultation Bergus et al
    report Family Practitioners and Consultants
    highly satisfied with e-mail consult service.
  • Curbing the curbside consult Dyer cautions that
    online consultation may not be a formally
    peer-reviewed or evidence based clinical
    resource.

17
How is PHI currently being sent via e-mail?
  • Provider-Provider communication
  • Curbside Consultation
  • Discuss Diagnosis and treatment
  • Provider-Ancillary Staff communication
  • Scheduling
  • Transportation
  • Care Coordination
  • VISN and VACO communication
  • Congressional Complaints
  • HINQ requests

18
How is PHI currently being sent via e-mail?
  • EPRP Reviews
  • Medical Record delinquency notices
  • Medical Record error notification
  • Death notices
  • Ward Secretary Communication
  • Demographic Change notification
  • Address
  • Phone
  • Next of Kin

19
How is PHI currently being sent via e-mail?
  • Inter-ward transfer coordination
  • Social Work assistance
  • Lodging coordination
  • Assistance with scheduling a test, procedure, or
    operation
  • Debugging Vista errors such as Results reporting
  • Many, many other examples

20
Advantages of sending PHI via E-mail
  • Asynchronous communication
  • More efficient than phone or FAX
  • Creates a searchable record
  • Can be Latered
  • Message can be crafted on your time and your
    schedule.
  • Dialog not suited for progress notes or clinical
    documents
  • Allows communication with recipients outside VA
    including Congressional Offices and VA Business
    Partners
  • Can include attachments or parts of other e-mail
    strings.
  • Shipley/Schwalbe

21
Disadvantages of Sending E-mail
  • SPAM
  • Difficult medium for resolving complex, delicate,
    or emotionally charged issues
  • Searchable record
  • Forwarding and addressing errors
  • Can be sent/forwarded to larger audience than
    those with need to know

Shipley/Schwalbe
22
CPRS alternatives to sending PHI via E-mail
  • Clinical Documents
  • Additional Signer
  • Intra-facility consults
  • Inter-facility consults
  • Non-Visit Consults
  • Add a Comment
  • Orders
  • Notifications and View Alerts

23
(No Transcript)
24
(No Transcript)
25
(No Transcript)
26
(No Transcript)
27
(No Transcript)
28
(No Transcript)
29
(No Transcript)
30
(No Transcript)
31
CPRS Notifications
32
Some e-mail risks
  • E-mail may be accidentally auto-forwarded to
    non-VA e-mail systems
  • E-mail may be forwarded to a mailgroup or
    distribution list
  • Recipient selection errors
  • Providers may treat progress notes like e-mail
  • Printed email containing protected health
    information (PHI) may be vulnerable to
    unauthorized access or inappropriate disposal
    (recycle bins vs. locked shredder bins)

33
Auto-forwarding
  • Select MailMan Menu Option PP Personal
    Preferences
  • Select Personal Preferences Option ?
  • GML Enroll in (or Disenroll from) a Mail Group
  • Personal Mail Group Edit
  • Forwarding Address Edit
  • Select Personal Preferences Option Forwarding
    Address Edit
  • FORWARDING ADDRESS
  • How likely is it that PHI will be auto-forwarded
    across the internet?
  • Per Mr. McFarland's memo dated May 24, 2004,
    entitled "Limits on the Use of Certain E-mail
    Features and Configurations", auto-forwarding of
    e-mail to an address outside of VA is not
    acceptable.
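
The forwarding-address rule on this slide is easy to audit from the MailMan side once the forwarding addresses have been exported. The check below is an added example, not part of the presentation and not VA MailMan code: it takes a list of (user, forwarding address) pairs (constructed here) and flags any destination outside va.gov. The edge case it handles is the one a naive suffix test gets wrong: a look-alike domain such as va.gov.example.net ends with "va.gov" as a string but is not inside the VA domain, and uppercase addresses are still internal.

```python
# Added example: audit forwarding addresses for destinations outside the VA
# network. Not the presentation's own code; the user names and addresses
# below are constructed, not real records.
from typing import List, Tuple

INTERNAL_DOMAIN = "va.gov"  # the domain the memo permits forwarding within


def is_internal_address(address: str) -> bool:
    """True if the address is in INTERNAL_DOMAIN or one of its subdomains.

    A plain `address.endswith("va.gov")` would accept "user@notva.gov" and
    "user@va.gov.example.net", so the domain part is isolated first and then
    compared label-wise (exact match, or a real dotted subdomain).
    """
    if address.count("@") != 1:
        return False  # malformed; treat as not internal so a human reviews it
    domain = address.rsplit("@", 1)[1].strip().lower().rstrip(".")
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def audit_forwarding(records: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (user, forwarding_address) pairs that violate the memo.

    An empty forwarding address means forwarding is not configured, which is
    compliant; anything else must resolve to an internal address.
    """
    findings = []
    for user, fwd in records:
        fwd = fwd.strip()
        if fwd and not is_internal_address(fwd):
            findings.append((user, fwd))
    return findings


# Constructed sample data (not real users or addresses).
SAMPLE_RECORDS = [
    ("DOUGLAS,DAVID M", ""),                          # no forwarding set: OK
    ("USER,ONE", "user.one@portland.med.va.gov"),     # VA subdomain: OK
    ("USER,TWO", "user.two@example.com"),             # external: violation
    ("USER,THREE", "user.three@va.gov.example.net"),  # look-alike: violation
    ("USER,FOUR", "User.Four@VA.GOV"),                # case differs only: OK
]

if __name__ == "__main__":
    for user, fwd in audit_forwarding(SAMPLE_RECORDS):
        print(f"{user}: forwards to {fwd}, which is outside {INTERNAL_DOMAIN}")
```

Run against a real export, the two "violation" lines are the ones to hand to the ISO; the look-alike case is the reason the check compares domain labels rather than raw string suffixes.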

34
Mailgroups
  • Select MailMan Menu Option s Send a Message
  • Subject please reschedule appt
  • Send mail to DOUGLAS,DAVID M// G.MH
  • 1 MH CONSULT
  • 2 MH P2 (64 employees)
  • 3 MH P2 SCHED APPT (3 admin support
    staff)
  • How likely is it that a message intended for the
    3 scheduling staff will get misdirected (and
    amplified) to the entire 64 member MH P2
    mailgroup?

35
Recipient Selection Errors
  • Send mail to // ZZTEST-EMPLOYEE, ONE
  • 1 ZZTEST-EMPLOYEE, ONE FACILITIES
    MANAGEMENT SVC - V
  • Last used MailMan 07/06/07@1509
  • 2 ZZTEST-EMPLOYEE, TWO PRIMARY CARE DIVISION
  • Last used MailMan 07/20/07@1526
  • Leave Jun 18-19, 2007.
  • How likely is it that FMS employee will receive
    e-mail intended for the Primary Care Physician?

36
What if the earlier example were written in the
form of an e-mail?
37
(No Transcript)
38
Progress notes are not e-mail
39
Don't put in e-mail anything you wouldn't say in
front of the patient
  • "Patient suffers from paranoia"
  • "Vexatious complainant"
  • "Reads too many textbooks"
  • "Keeps a filthy house"
  • "Alcoholic"
  • "Drug abuser"
  • "Suffers from memory lapses"
  • "Over anxious"
  • "In need of psychiatric help"
  • "Imaginary symptoms"
  • "Symptoms over exaggerated"
  • "Dysfunctional family"
  • "Munchausen type syndrome"
  • "All in the mind"
  • "Work shy"
  • "I don't believe she is mentally ill in the
    ordinary sense of the word"
  • "Not easily managed"
  • "Laxative abuser"
  • Sufferers of Iatrogenic Neglect

40
Non-CPRS Alternative Communications (These carry
their own risks)
  • Letters or Hard Copy Documents
  • FAX
  • Secure network folders
  • De-identified e-mail
  • Text or Instant Messaging
  • In-Person Communication
  • Silence

41
(No Transcript)
42
Secure Network Folders require significant
administrative support
43
Text Messaging
44
(No Transcript)
45
De-Identified e-mail can take on the appearance
of "I've Got a Secret"
  • Select Provider Menu Option Mailman Menu
  • VA MailMan 8.0 service for
    DOUGLAS.DAVID_M@PORTLAND.MED.VA.GOV
  • You last used MailMan 07/22/07@0924
  • You have no new messages.
  • Select MailMan Menu Option S Send a Message
  • Subject PLEASE CALL TRANSPORTATION
  • The veteran that we were talking about this
    morning needs medical transport to OHSU at 1130.
    Can you please set this up?

46
(No Transcript)
47
The Patient Advocate Tracking System (PATS) is
one of the first applications to be developed in
the current VistA Migration effort. The Migration
initiative is designed to modernize Veterans
Health Administration's (VHA) information
technologies, to better serve the current needs
of patients, medical providers, facility staff,
and VHA leadership. It will provide beneficial
new features, greater ease of use, easier
maintainability, enhanced system performance, and
increased availability and consistency of data
across the VHA network.
48
  • The VistA Patient Representative Tracking System
    has been replaced by the Patient Advocacy
    Tracking System (PATS).
  • Whereas you used to receive Alerts in CPRS, to
    respond to a Patient Complaint or view a
    Compliment, you will now receive a link in your
    Outlook e-mail.

49
  • These Outlook e-mail notifications are known as
    Action Request Notifications (ARNs). These will
    be either informational emails (FYI) or action
    required emails. FYIs are just that: no action
    is required, or we have already solved it. The
    action required emails will have short statements
    defining the case and a statement from the
    Patient Advocate asking for a specific item from
    you.

50
(No Transcript)
51
Use CPRS Access and Verify Codes
52
After you log in it should take you either to an
Informational Notification (FYI) of the ROC or to
the action item required.
FYI
53
Click Add. Result: your comment is added to the
Additional Comments section and a message
displays at the top of the page: "The advocate
has been notified that a comment has been added.
Your comment is displayed below. You may close
the browser." After the comments display in the
Additional Comments section, the employee clicks
Log off.
Log Off
54
VHA HANDBOOK 1003.4
  • b. Patients Must Have Their Complaints Addressed
    in a Timely Manner
  • (1) There must be sufficient staffing devoted
    to the Patient Advocacy Program to ensure timely
    resolution of complaints, identification and
    resolution of system issues, and tracking,
    trending and reporting to appropriate areas.
    Response to complaints occurs as soon as
    possible, but no longer than 7 days after the
    complaint is made. Should the complaint require
    more than 7 days, staff are responsible for
    continuously updating the patient on the status
    of the complaint and/or resolution. NOTE
    Privacy complaints are to be processed in
    accordance with VHA Handbook 1605.1, Privacy and
    Release of Information.

55
Clinician Needs
  • Role based messaging built into CPRS
  • Ability to securely communicate outside clinical
    documents
  • Auditing capabilities
  • Latering
  • Delivery, Read Confirmation and the BOOMERANG
    safety feature.
  • Transparent security
  • Transparent e-discovery assurance
  • Ability to securely communicate to non-VA
    providers

56
Mail To Functionality linked to CPRS Progress
Notes
  • Message directs recipient to the CPRS Note rather
    than copying its contents.
  • Message contains minimum necessary information
  • Comments functionality allows dialog outside of
    CPRS.
  • Message can be
  • Latered
  • Set up for Read Receipt
  • Copied to Sender's Inbox
  • Made Priority
  • Made Information Only

57
(No Transcript)
58
(No Transcript)
59
(No Transcript)
60
Overview of E-Mail Transmissions
  • Secure Network Transmissions
  • Vista MailMan
  • VistA Directive and Waiver
  • Attachmate
  • Microsoft Office Outlook
  • Public Key Infrastructure (PKI)
  • Rights Management Services (RMS)
  • Exchange Email Archive Services (EAS)
  • Outlook Web Access (OWA)
  • Virtual Private Network (VPN) Remote Access
  • Remote Enterprise Security Compliance Update
    Environment (RESCUE)
  • Internet Gateway Secure Email

61
Security Risks of Email
  • Authenticity
  • Clear text transmission
  • Role of intermediate ISPs, servers and routers
  • Multiple copies and backups paper and
    electronic
  • Data mining
  • Physical and virtual eavesdropping
  • Compromised passwords
  • Erroneous addresses
  • Forwarding and amplification
  • Can be used as evidence in court
  • Attachments viruses and worms

62
VA Policies/Directives
  • VA Directive 6001, Limited Personal Use of
    Government Equipment Including Information
    Technology, July 2000
  • VA Directive 6103, VA Electronic Mail System,
    March 1998
  • VA Directive 6213, VA Public Key Infrastructure,
    June 2001
  • VA Directive 6301, Electronic Mail Records, April
    1997
  • VA Directive 6500, Information Security Program,
    August 2006
  • VA Directive 6504, Restriction on Transmission,
    Transportation and Use of and Access to VA Data
    Outside VA Facilities, June 2006
  • VA Memorandum, Limits on the Use of Certain
    E-mail Features and Configurations, May 2004
  • IT Directive 06-5, Use of Personal Computing
    Equipment, October 2006

63
Email Policy Requirements Distilled
  • Certain VA email systems are subject to the
    Privacy Act
  • Email will be used where it provides a
    cost-effective means for employees to conduct
    official business and improve delivery of
    services to veterans
  • Email messages are records when they are made by
    VA under Federal law or in connection with public
    business and are preserved, or are appropriate
    for preservation, as evidence of, or because of
    the informational value of, the data in them.
  • VA will establish and maintain a comprehensive
    program to provide cost-effective security
    controls needed to protect VA information, in any
    media or format, and VA information systems.

64
Email Policy Requirements Distilled
  • VA employees are permitted to transport,
    transmit, access and use VA data outside VA
    facilities only when such activities have been
    specifically approved by the employee's
    supervisor and where appropriate security
    measures are taken to ensure that VA information
    and services are not compromised.
  • Auto-forwarding of email messages to addresses
    outside the VA network is prohibited; the
    restriction is enforced through software
    modifications and/or configuration changes at
    the email gateways.
  • When VA GFE or OE is used in a mobile environment
    (laptop, PDA) and VA PI is stored on the
    computer, file, or electronic storage media,
    approved encryption software must be used.

65
Secure Network Transmissions
  • Compliance with HIPAA and FISMA
  • No clear text
  • Encrypted data transmissions using FIPS 140-2
    certified client and server/host software
  • Supports PKI infrastructure and smartcard devices
    for HSPD-12
  • Enterprise procurement includes software
    licenses, engineering, training and maintenance

66
VistA MailMan
  • Changes to infrastructure (RDPCs) impact email
    transmissions
  • Automated processes in VistA generate
    transmissions in clear text across wide area
    network (e.g., HL7 messaging, nightly
    transmissions to AAC, ETA data to PAID, HEC
    eligibility data)
  • PHI transmitted across VA network must be
    encrypted
  • PKI not compatible with VistA MailMan
  • VHA waiver and associated VHA Directive 2007-003,
    Application of VistA Mailman

67
VistA MailMan Terminal Emulation
  • Attachmate WRQ (KEA) provides a security solution
    by encrypting terminal emulation sessions
    end-to-end (SSH)
  • Build encrypted tunnels for non-secure
    applications
  • Protect sensitive file transfers
  • Maintain system compatibility with security
    standards
  • Leverage existing authentication and
    authorization methods
  • Safeguard remote access to enterprise
    applications
  • Secure remote administration of critical servers
  • Simplify password management and cut help desk
    calls

68
Microsoft Office Outlook - PKI
  • User Certificates secure electronic mail,
    digital signatures
  • Server Certificates server authentication and
    encrypted sessions for web servers
  • VA Partner Certificates (email addresses
    outside VA network)
  • GSA's ACES (Access Certificates for Electronic
    Services)

69
Microsoft Office Outlook PKI Challenges
  • Auto-enrollment
  • Certificate Exchange
  • Training and Compliance
  • Point Solutions (RMS vs. PKI)

70
Microsoft Office Outlook PKI Improvements
  • Unified Authentication for Windows (auto
    enrollment)
  • Draft user documentation completed
  • Piloting with limited user base at Hines began
    6/25
  • Planned deployment in October
  • PKI Infrastructure Rebuild
  • Provides failover and redundancy
  • 3 sites
  • PKI user certificates
  • 120K procurement award by September

71
Microsoft Office OutlookPKI Resources
  • Local Registration Authorities (LRAs)
  • PKI Helpdesk 1-866-407-1566, Option 4 or email
  • PKI web site

72
Microsoft Office Outlook Rights Management
Services (RMS)
  • Augments existing technologies to provide
    persistent protection
  • Enforces organizational policies
  • Provides a platform for value-added solutions

73
Microsoft Office Outlook Rights Management
Services (RMS)
  • Do-Not-Forward Email
  • Requires Outlook 2003 RMS
  • Reduces internal/external forwarding of
    confidential information
  • Keeps sensitive email where it belongs
  • Protect Sensitive Files
  • Word 2003 Control access to sensitive content
  • Excel 2003 Set granular permissions per user
  • PowerPoint 2003 Determine length of access
  • Communicate in a Mixed Version Environment
  • Rights Management Add-on for IE (RMA)
  • Users without Office 2003 can view
    rights-protected files via Internet Explorer
  • Does not provide authoring capability

74
Microsoft Office OutlookRMS Deployment
  • Deployment in progress (scheduled deployment
    across all VISNs and Program Offices by 8/30/07)
  • Web-based training materials
  • Blackberry integration
  • Architecture
  • Redundant and disaster tolerant

75
Microsoft Office Outlook Exchange Email Archive
Services (EAS)
  • Business necessity driven by compliance with
    policy, discovery and oversight
  • Over 45K users currently using EAS across VA
  • Procurements for expansion across VA in process
  • Architecture will mirror final architecture for
    regionalization of Exchange

76
Microsoft Office Outlook PKI vs. RMS
  • PKI will be phased out for internal use once RMS
    is fully deployed and operational across VA
  • PKI will still be used for external
    communications since RMS doesn't provide that
    capability

77
Microsoft Office Outlook Outlook Web Access
(OWA)
  • Provides web-based public access to Microsoft
    Exchange Server public folders and address book
  • Access via https://webmail.va.gov/exchange/
  • Provides point and click access to the most
    popular features of OWA (create, reply, forward,
    check for new mail, search, move or copy, delete)

78
VPN Remote Access Challenges
  • Current architecture cannot enforce requirements
    of VA Directive 6504 and other Federal
    requirements for remote access
  • Risk imposed by remote users for safeguarding VA
    data
  • GFE versus OE

79
Remote Enterprise Security Compliance Update
Environment (RESCUE)
  • Enforces compliance
  • Virus protection
  • Microsoft patches
  • Firewall
  • Connection options
  • VA-owned equipment (GFE)
  • Non-VA owned equipment (OE)
  • Contractor
  • Personally-owned

80
Remote Enterprise Security Compliance Update
Environment (RESCUE)
  • GFE Host Check
  • Device is member of va.gov domain
  • Device is encrypted
  • GFE Integrity Check
  • Device has anti-virus (AV) software installed
    (McAfee)
  • Device has VA HIPS software installed (Real
    Secure or Proventia)
  • Remediation compliance check
  • Is AV signature file current if not remediate
  • Does device have minimum critical OS patch
    installed if not remediate (minimum acceptable
    for pilot is SP2)
  • Other checks to be determined

81
Remote Enterprise Security Compliance Update
Environment (RESCUE)
  • OE
  • Limits connection to virtual desktop
  • Can't save/print on local machine
  • Permits saving on VA network shares
  • Malicious code protection
  • Cache Cleaner clears cache prior to session
    disconnect
  • Required connection type for use by all OE
  • Available for GFE
  • Minimal host integrity checks enforced (AV and
    Firewall)
  • Requires administrator rights on local machine
  • Prevents access from most kiosk environments

82
Internet Gateway Secure Email
Privacy Violations Report Beginning June-07
83
Internet Gateway Secure Email Challenges/Solutions
  • Need to transmit SSNs to White House/Congressional
    staff prior to testifying
  • Encrypted pipe between VA and White House mail
    servers
  • Can't distinguish between a personal SSN and the
    SSN of a veteran or employee
  • Policy prohibits transmission of SSNs in clear
    text
  • Distinguishing SSNs of deceased veterans (NCA)
  • NARA submissions don't require filtering per SSA
  • NARA added to exception list
  • Contract numbers and job announcements formatted
    like SSNs
  • Addressing issues on a case-by-case basis
  • Test SSN data
  • 666 and 000 added to exception list
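
The exception handling on this slide (never-issued test area numbers, an exempt recipient domain, and case-by-case false positives such as contract numbers) is the core of any outbound SSN filter. The following is an added example written for this page, not VA's gateway code: it scans a clear-text message body for SSN-shaped tokens and applies those three exceptions. The NARA mail domain (nara.gov) is an assumption for the exempt list, the 900-999 area-number rule is the SSA's and is not on the slide, and the sample message, recipients and numbers are constructed.

```python
# Added example: an outbound clear-text SSN filter modelled on the gateway
# rules on this slide. Not VA's gateway implementation; the exempt domain is
# an assumption and the samples are constructed (no real SSNs or contracts).
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List

# nnn-nn-nnnn, not glued to other word characters or hyphens. The dashed form
# is what contract numbers and job announcements collide with.
SSN_PATTERN = re.compile(r"(?<![\w-])(\d{3})-(\d{2})-(\d{4})(?![\w-])")

# Area numbers the SSA never issues. 000 and 666 are the slide's test-data
# exceptions; 900-999 is an SSA rule added here (not on the slide).
NEVER_ISSUED_AREAS = {"000", "666"} | {f"{n:03d}" for n in range(900, 1000)}

# Recipient domains exempt from filtering. The slide says NARA was added;
# the domain name itself is an assumption.
EXEMPT_RECIPIENT_DOMAINS = {"nara.gov"}


@dataclass
class Verdict:
    blocked: bool
    reasons: List[str] = field(default_factory=list)


def looks_like_issued_ssn(area: str, group: str, serial: str) -> bool:
    # Group 00 and serial 0000 are also never issued.
    return area not in NEVER_ISSUED_AREAS and group != "00" and serial != "0000"


def recipient_exempt(recipients: List[str]) -> bool:
    """Exempt only when every recipient is in an exempt domain."""
    domains = []
    for r in recipients:
        if r.count("@") != 1:
            return False
        domains.append(r.rsplit("@", 1)[1].strip().lower())
    return bool(domains) and all(d in EXEMPT_RECIPIENT_DOMAINS for d in domains)


def check_outbound(body: str, recipients: List[str], encrypted: bool,
                   known_false_positives: FrozenSet[str] = frozenset()) -> Verdict:
    """Apply the policy: block clear-text mail leaving VA that carries an SSN.

    known_false_positives holds exact tokens approved case by case, e.g. a
    contract number that happens to be shaped like an SSN.
    """
    if encrypted:
        return Verdict(False, ["encrypted: policy applies to clear text only"])
    if recipient_exempt(recipients):
        return Verdict(False, ["all recipients in an exempt domain"])
    hits = []
    for m in SSN_PATTERN.finditer(body):
        token = m.group(0)
        if token in known_false_positives:
            continue
        if looks_like_issued_ssn(*m.groups()):
            hits.append(token)
    if hits:
        return Verdict(True, [f"possible SSN in clear text: {h}" for h in hits])
    return Verdict(False, ["no SSN-shaped tokens"])


# Constructed sample body: one real-looking SSN, one test SSN (area 666), one
# contract number shaped like an SSN, one announcement number in area 900.
SAMPLE_BODY = ("Veteran SSN 123-45-6789 attached. Test record 666-12-3456. "
               "Ref contract 555-12-0001, announcement 900-10-2000.")

if __name__ == "__main__":
    v = check_outbound(SAMPLE_BODY, ["staff@example.com"], encrypted=False)
    print("blocked" if v.blocked else "allowed", v.reasons)
    v = check_outbound(SAMPLE_BODY, ["staff@example.com"], encrypted=False,
                       known_false_positives=frozenset({"555-12-0001"}))
    print("blocked" if v.blocked else "allowed", v.reasons)
```

The design choice worth noting is that the contract-number exception is an exact-token allow list rather than a looser pattern: that mirrors the slide's "case-by-case" handling and keeps a real SSN from slipping through because it resembles a contract number format.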

84
Privacy Problems with E-mail (Wikipedia)
  • Main article e-mail privacy
  • E-mail privacy, without some security
    precautions, can be compromised because
  • e-mail messages are generally not encrypted
  • e-mail messages have to go through intermediate
    computers before reaching their destination,
    meaning it is relatively easy for others to
    intercept and read messages
  • many Internet Service Providers (ISP) store
    copies of your e-mail messages on their mail
    servers before they are delivered. The backups of
    these can remain up to several months on their
    server, even if you delete them in your mailbox
  • the Received headers and other information in
    the email can often identify the sender,
    preventing anonymous communication.
  • There are cryptography applications that can
    serve as a remedy to one or more of the above.
    For example, Virtual Private Networks or the Tor
    anonymity network can be used to encrypt traffic
    from the user machine to a safer network while
    GPG, PGP or S/MIME can be used for end-to-end
    message encryption, and SMTP STARTTLS or SMTP
    over Transport Layer Security/Secure Sockets
    Layer can be used to encrypt communications for a
    single mail hop between the SMTP client and the
    SMTP server.
  • Another risk is that e-mail passwords might be
    intercepted during sign-in. One may use encrypted
    authentication schemes such as SASL to help
    prevent this.
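
Two of the points above, that a message passes through intermediate computers and that its Received headers identify where it came from, can be seen directly by reading those headers. The script below is an added example, not from the presentation or Wikipedia: it parses a constructed message with three relay hops, lists the hops in transmission order, and reports which hops were protected by STARTTLS. It relies on the RFC 3848 "with" keywords (ESMTPS, ESMTPSA) that relays record when a hop used TLS; the hosts, addresses and timestamps in the sample are made up.

```python
# Added example: reconstruct the relay path of an e-mail from its Received
# headers and flag hops that were not encrypted. Not the presentation's code;
# the raw message below is constructed.
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List

# Constructed raw message. Each relay prepends its own Received header, so the
# first one listed is the most recent hop (closest to the recipient).
SAMPLE_RAW = """Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.example.org with ESMTPS id abc123
\t(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
\tSun, 22 Jul 2007 09:24:00 -0700
Received: from mail.sender.example (mail.sender.example [203.0.113.5])
\tby relay.isp.example with ESMTP id def456;
\tSun, 22 Jul 2007 09:23:58 -0700
Received: from workstation-17 (unknown [192.0.2.44])
\tby mail.sender.example with ESMTPSA id ghi789;
\tSun, 22 Jul 2007 09:23:55 -0700
From: sender@sender.example
To: recipient@example.org
Subject: please reschedule appt

The veteran we discussed this morning needs transport at 1130.
"""

# from <host> ... by <host> ... with <protocol>
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<with>[A-Za-z0-9]+)",
    re.S,
)

# RFC 3848 "with" keywords that indicate the hop was protected by STARTTLS.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA"}


def load_sample() -> Message:
    return message_from_string(SAMPLE_RAW)


def parse_hops(msg: Message) -> List[Dict[str, object]]:
    """Return hops in transmission order (origin first)."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(raw.split())  # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue  # a relay may write a header this regex does not cover
        proto = m.group("with").upper()
        hops.append({
            "from": m.group("from"),
            "by": m.group("by"),
            "protocol": proto,
            "encrypted": proto in TLS_KEYWORDS,
        })
    return hops


def unencrypted_hops(msg: Message) -> List[str]:
    """Hops where the message travelled in clear text between relays."""
    return [f"{h['from']} -> {h['by']}" for h in parse_hops(msg) if not h["encrypted"]]


def origin_host(msg: Message) -> str:
    """The host named in the earliest Received header (where the mail began)."""
    hops = parse_hops(msg)
    return str(hops[0]["from"]) if hops else ""


if __name__ == "__main__":
    msg = load_sample()
    for h in parse_hops(msg):
        print(f"{h['from']:>22} -> {h['by']:<22} {h['protocol']:8} "
              f"{'TLS' if h['encrypted'] else 'CLEAR'}")
    print("origin:", origin_host(msg))
    print("clear-text hops:", unencrypted_hops(msg))
```

The middle hop in the sample shows the limitation the slide describes: STARTTLS only protects a single hop, so a message can be encrypted on its first and last legs and still cross an intermediate relay in clear text, which is why end-to-end protection (S/MIME, PGP) is the answer for PHI rather than transport encryption alone.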

85
Privacy and Legal Issues for Provider to Provider
E-mail Communications
  • VHA Handbook 1907.01 Guidance
  • Medico-legal Issues
  • Privacy Act Implications
  • System of Records (SOR) Issues
  • E-Mail Retention
  • FOIA
  • E-discovery
  • HIPAA Implications

86
VHA Handbook 1907.01
  • e. Provider to Provider E-mail Communication
  • (1) Electronic mail and information messaging
    applications and systems can only be used for
    authorized government purposes and must contain
    only non-sensitive information unless the data
    are protected with a VA-approved encryption
    mechanism.
  • (2) For Outlook/Exchange mail, the Office of
    Cyber and Information Security (OCIS) issues
    Public Key Infrastructure (PKI) certificates to
    encrypt communications between a sender and
    receiver. NOTE Personnel must follow the
    national PKI policies and procedures issued by
    005. Requests for PKI certificates are to be
    directed to the local ISO, who typically serves
    as the Local Registration Authority (LRA) for
    VAPKI deployment.
  • NOTE Provider to Patient e-mail communications
    are not covered in this policy.

87
Medico-legal Issues
  • Any e-mail documenting care would have to be made
    part of the official VA medical record through
  • Scanning
  • Re-entry of the information into a Progress Note
    or
  • Some other mechanism (e.g., paper).
  • E-mails are not currently part of the Patient
    Medical Record-VA (24VA19) Privacy Act system of
    records

88
Privacy Act Implications
  • System of Records (SOR) Issues
  • VistA Mailman messages covered by VistA
    (79VA19) SOR notice
  • Veterans/Patients have a right to a copy of any
    e-mail in VistA that is retrievable by their name
  • Messages must be retained in accordance with SOR
    notice
  • MS Outlook e-mails are not covered by a SOR
    notice (Some e-mails are not even official VA
    records)
  • E-mails sent via MS Outlook should NEVER contain
    the name of the veteran/patient in the subject
    line even when encrypted.

89
E-Mail Retention Guidance
  • VA Handbook 6301, Policy and Procedures for
    Handling Electronic Mail Records
  • Preserving Electronic Mail Messages Memo dated
    Dec. 23, 2004
  • VA Notice 06-1, Final Rule on the Disposal of
    Transitory Email Records
  • IL 19-2006-001 dated July 6, 2006

90
E-Mail Retention Federal Records
  • Messages that support official VA business and/or
    convey valuable information on VA's mission are
    considered to be Federal records.
  • E-mails documenting care or used to coordinate
    care for a specific patient would be official VA
    records.
  • Ref. VA Handbook 6301

91
E-Mail Retention
  • E-mails that are official VA records must be
    retained either in a recordkeeping system or in
    the e-mail system for the specified NARA
    retention period
  • For example, an e-mail documenting the care team's
    discharge plans for a patient needs to be placed
    in the medical record and retained for 75 years.
  • Once the e-mail or information contained in the
    email has been placed in a recordkeeping system
    (e.g., CPRS), the e-mail may be deleted.
  • Ref. NARA, General Records Schedule 20, Item 14

92
Freedom of Information Act (FOIA)
  • As official VA records, e-mail messages including
    those without PHI are subject to FOIA and may be
    disclosed pursuant to a signed, written FOIA
    request.

93
E-discovery
  • Electronic discovery (also called e-discovery or
    ediscovery) refers to any process in which
    electronic data is sought, located, secured, and
    searched with the intent of using it as evidence
    in a civil or criminal legal case.
  • E-discovery can be carried out offline on a
    particular computer or it can be done in a
    network.
  • Court-ordered or government sanctioned hacking
    for the purpose of obtaining critical evidence is
    also a type of e-discovery.

94
HIPAA Implications
  • Any health information created by VHA health care
    providers is subject to the HIPAA Privacy Rule,
    even if not maintained in a Privacy Act SOR.
  • Any e-mail in MS Outlook containing PHI must be
    appropriately safeguarded under the HIPAA Privacy
    and Security Rules until destroyed.

95
Summary
  • Should providers send patient information via
    e-mail?
  • Yes, BUT
  • Not if CPRS is a better alternative
  • Only via secure, VA-approved e-mail systems
  • Only if disclosure is minimum necessary
  • With understanding of the applicable e-mail
    retention requirements
  • With understanding e-mail may be discoverable
  • With common sense

96
  • Q&A