950 likes | 1.35k Views
2. Objectives. This HIM-sponsored class reviews the risks and benefits of sending patient information by e-mail including technical, security, legal, and practical issues.. 3. AGENDA. Introduction, Background, Communication
E N D
1: 1 Should Providers Send Patient Information By E-mail? Gail Graham
David Douglas, MD
Gail Belles
Stephania Putt
2: 2
3: 3 AGENDA Introduction, Background, Communication & Medical Records (Gail Graham, David Douglas)
Current use of e-mail to send PHI, CPRS Alternatives to e-mail, Clinician communication needs (David Douglas)
Overview of e-mail transmission, Security Risks of e-mail, VA Policy, Near and Long Term Solutions (Gail Belles)
Privacy Presentation (Stephania Putt)
Summary
Q&A
4: 4 INTRODUCTION Title: Should Providers Send Patient Information By E-mail?
Level: 100
Class Type: Lecture
Class Length: 120 Minutes on Tuesday 90 Minutes on Wednesday
Class Number: 106 Should Providers Send Patient Information By E-mail?
Day/Time: Tuesday Afternoon 120 minutes Wednesday Afternoon 90 minutes
Class Description: This Health Information Management sponsored class reviews the risks and benefits of sending patient information by e-mail including technical, security, legal, and practical issues.
Faculty: David Douglas, Gail Belles, Stephania Putt, Gail Graham
5: 5 Background E-mail is ubiquitous in modern business and this extends to health care.
E-mail enables numerous efficiencies but also introduces risks.
VA has become dependent on e-mail for business needs but must carefully manage the use of this communication medium so as to protect patient privacy and comply with laws, regulations, and policy.
Purpose of this class is to review the risks and benefits of sending patient information by e-mail including technical, security, legal, and practical issues.
6: 6
7: 7 Examples A problem with system configuration at one facility caused unencrypted messages containing PHI to be emailed to providers with email addresses outside “va.gov”
An improper exchange of employee performance data between a supervisor and union representative caused work documents containing names and SSNs of numerous veterans to be transmitted unencrypted and without a “need to know” by union representative.
8: 8 Communication andThe Medical Record Definition: A medical record, health record, or medical chart is a systematic documentation of a patient's medical history and care.
Purpose: …The medical record also serves as a basis for planning patient care, documenting communication between the health care provider and any other health professional contributing to the patient's care, … and documenting the care and services provided to the patient.
Wikipedia
9: 9 History of the Medical Record Early 20th cent Medical Record was primarily a documentation medium
2 developments led the medical record to become a communications medium
Change in Dr-Patient relationship
Expansion of Team Care
10: 10 Medical Record as a Communication Medium 3 primary uses
Rapid access to recent information on a patients condition
Ensuring continuity of care
Audit tool to assess quality of care
11: 11 7 Key Capabilities of an Electronic Health Record Systemwww.iom.edu Health Information & Data
Result Management
Order Management
Decision Support Electronic Communication & Connectivity
Patient Support
Administrative Processes
12: 12 Electronic Communication and Connectivity Electronic communication tools, such as e-mail and web messaging, have been shown to be effective in facilitating communication both among providers and with patients, thus allowing for greater continuity of care (Balas et al., 1997; Liederman and Morefield, 2003; Worth and Patrick, 1997) and more timely interventions (Kuebler and Bruera, 2000).
13: 13 Lit Review: Clinicians and E-mail e-mail consultation in health care: Car and Sheikh point out that e-mail use has grown in medicine without the necessary infrastructure to address security issues.
On Call and Online: Spielberg compares e-mail with other communications media noting that e-mail may become part of the permanent medical record.
14: 14 Lit Review: Clinicians and E-mail Legal Issues Concerning Electronic Health Information: Hodge et al describe benefits of e-mail coupled with risk to patient privacy.
e-Risk Guidelines: Online communications must include privacy and security provisions. Providers and patients must understand privacy and security risks.
15: 15 Lit Review: Clinicians and E-mail Secure e-mail messaging for the Health Care Industry: White paper calls for secure e-mail as a more efficient means of provider-provider communication.
HIPAA Email Security Management in Email Communications: White paper notes value from electronic communication in health care but requires risk analysis and mitigation.
16: 16 Lit Review: Clinicians and E-mail Use of e-mail curbside consultation: Bergus et al report Family Practitioners and Consultants highly satisfied with e-mail consult service.
Curbing the curbside consult: Dyer cautions that online consultation may not be a “formally peer-reviewed or evidence based clinical resource.”
17: 17 How is PHI currently being sent via e-mail? Provider-Provider communication
Curbside Consultation
Discuss Diagnosis and treatment
Provider-Ancillary Staff communication
Scheduling
Transportation
Care Coordination
VISN and VACO communication
Congressional Complaints
HINQ requests
18: 18 How is PHI currently being sent via e-mail? EPRP Reviews
Medical Record delinquency notices
Medical Record error notification
Death notices
Ward Secretary Communication
Demographic Change notification
Address
Phone #
Next of Kin
19: 19 How is PHI currently being sent via e-mail? Inter-ward transfer coordination
Social Work assistance
Lodging coordination
Assistance with scheduling a test, procedure, or operation
Debugging Vista errors such as Results reporting
Many, many other examples…
20: 20 Advantages of sending PHI via E-mail Asynchronous communication
More efficient than phone or FAX
Creates a searchable record
Can be Later’ed
Message can be crafted on your time and your schedule.
Dialog not suited for progress notes or clinical documents
Allows communication with recipients outside VA including Congressional Offices and VA Business Partners
Can include attachments or parts of other e-mail strings. Shipley/Schwalbe
21: 21 Disadvantages of Sending E-mail SPAM
Difficult medium for resolving complex, delicate, or emotionally charged issues
Searchable record
Forwarding and addressing errors
Can be sent/forwarded to larger audience than those with “need to know”
22: 22 CPRS alternatives to sending PHI via E-mail Clinical Documents
Additional Signer
Intra-facility consults
Inter-facility consults
Non-Visit Consults
Add a Comment
Orders
Notifications and View Alerts
23: 23
24: 24
25: 25
26: 26
27: 27
28: 28
29: 29
30: 30
31: 31 CPRS Notifications
32: 32 Some e-mail risks… E-mail may be accidentally auto-forwarded to non-VA e-mail systems
E-mail may be forwarded to a mailgroup or distribution list
Recipient selection errors
Providers may treat progress notes like e-mail
Printed email containing protected health information (PHI) may be vulnerable to unauthorized access or inappropriate disposal (recycle bins vs. locked shredder bins)
33: 33 Auto-forwarding Select MailMan Menu Option: PP Personal Preferences
Select Personal Preferences Option: ?
GML Enroll in (or Disenroll from) a Mail Group
Personal Mail Group Edit
Forwarding Address Edit
Select Personal Preferences Option: Forwarding Address Edit
FORWARDING ADDRESS: <INSERT VA ADDRESS>
How likely is it that PHI will be auto-forwarded across the internet?
Per Mr. McFarland’s memo dated May 24, 2004 entitled “Limits on the Use of Certain E-mail Features and Configurations”, auto-forwarding of e-mail to an address outside of VA is not acceptable.
34: 34 Mailgroups Select MailMan Menu Option: s Send a Message
Subject: please reschedule appt
Send mail to: DOUGLAS,DAVID M// G.MH
1 MH CONSULT
2 MH P2 (64 employees)
3 MH P2 SCHED APPT (3 admin support staff)
How likely is it that a message intended for the 3 scheduling staff will get misdirected (and amplified) to the entire 64 member MH P2 mailgroup?
35: 35 Recipient Selection Errors Send mail to: // ZZTEST-EMPLOYEE, ONE
1 ZZTEST-EMPLOYEE, ONE FACILITIES MANAGEMENT SVC - V
Last used MailMan: 07/06/07@15:09
2 ZZTEST-EMPLOYEE, TWO PRIMARY CARE DIVISION
Last used MailMan: 07/20/07@15:26
Leave Jun 18-19, 2007.
How likely is it that FMS employee will receive e-mail intended for the Primary Care Physician?
36: 36 What if the earlier example were written in the form of an e-mail?
37: 37
38: 38 Progress notes are not e-mail
39: 39 Don’t put in e-mail anything you wouldn’t say in front of the patient "Patient suffers from paranoia""Vexatious complainant""Reads too many textbooks""Keeps a filthy house""Alcoholic""Drug abuser""Suffers from memory lapses""Over anxious""In need of psychiatric help""Imaginary symptoms"
Sufferers of Iatrogenic Neglect
40: 40 Non-CPRS Alternative Communications(These carry their own risks) Letters or Hard Copy Documents
FAX
Secure network folders
De-identified e-mail
Text or Instant Messaging
In-Person Communication
Silence
41: 41
42: 42 Secure Network Folders require significant administrative support
43: 43 Text Messaging
44: 44
45: 45 De-Identified e-mail can take on the appearance of I’ve Got a Secret
Select Provider Menu Option: Mailman Menu
VA MailMan 8.0 service for DOUGLAS.DAVID_M@PORTLAND.MED.VA.GOV
You last used MailMan: 07/22/07@09:24
You have no new messages.
Select MailMan Menu Option: S Send a Message
Subject: PLEASE CALL TRANSPORTATION
The veteran that we were talking about this morning needs medical transport to OHSU at 11:30. Can you please set this up?
46: 46
47: 47
48: 48 The VistA Patient Representative Tracking System has been replaced by the Patient Advocacy Tracking System (PATS).
Whereas you used to receive Alerts in CPRS, to respond to a Patient Complaint or view a Compliment, you will now receive a link in your Outlook e-mail.
49: 49 These Outlook e-mail notifications are known as Action Request Notifications (ARNs). These will be either informational emails (FYI) or action required emails. FYIs are just that, no action is required or we have already solved it. The action required emails will have short statements defining the case and a statement from the Patient Advocate asking for a specific item from you.
50: 50
51: 51
52: 52 After you log in it should either take you to a Informational Notification (FYI) of the ROC or the action Item required.
53: 53
54: 54 VHA HANDBOOK 1003.4 b. Patients Must Have Their Complaints Addressed in a Timely Manner
(1) There must be sufficient staffing devoted to the Patient Advocacy Program to ensure timely resolution of complaints, identification and resolution of system issues, and tracking, trending and reporting to appropriate areas. Response to complaints occurs as soon as possible, but no longer than 7 days after the complaint is made. Should the complaint require more than 7 days, staff are responsible for continuously updating the patient on the status of the complaint and/or resolution. NOTE: Privacy complaints are to be processed in accordance with VHA Handbook 1605.1, Privacy and Release of Information.
55: 55 Clinician Needs Role based messaging built into CPRS
Ability to securely communicate outside clinical documents
Auditing capabilities
Latering
Delivery, Read Confirmation and the BOOMERANG safety feature.
Transparent security
Transparent e-discovery assurance
Ability to securely communicate to non-VA providers
56: 56 “Mail To” Functionality linked to CPRS Progress Notes Message directs recipient to the CPRS Note rather than copying its contents.
Message contains minimum necessary information
Comments functionality allows dialog outside of CPRS.
Message can be:
“Latered”
Set up for Read Receipt
Copied to Senders Inbox
Made Priority
Made Information Only
57: 57
58: 58
59: 59
60: 60 Overview of E-Mail Transmissions Secure Network Transmissions
Vista MailMan
VistA Directive and Waiver
Attachmate
Microsoft Office Outlook
Public Key Infrastructure (PKI)
Rights Management Services (RMS)
Exchange Email Archive Services (EAS)
Outlook Web Access (OWA)
Virtual Private Network (VPN) – Remote Access
Remote Enterprise Security Compliance Update Environment (RESCUE)
Internet Gateway Secure Email
61: 61 Security Risks of Email Authenticity
Clear text transmission
Role of intermediate ISPs, servers and routers
Multiple copies and backups – paper and electronic
Data mining
Physical and virtual eavesdropping
Compromised passwords
Erroneous addresses
Forwarding and amplification
Can be used as evidence in court
Attachments – viruses and worms
62: 62 VA Policies/Directives VA Directive 6001, Limited Personal Use of Government Equipment Including Information Technology, July 2000
VA Directive 6103, VA Electronic Mail System, March 1998
VA Directive 6213, VA Public Key Infrastructure, June 2001
VA Directive 6301, Electronic Mail Records, April 1997
VA Directive 6500, Information Security Program, August 2006
VA Directive 6504, Restriction on Transmission, Transportation and Use of and Access to VA Data Outside VA Facilities, June 2006
VA Memorandum, Limits on the Use of Certain E-mail Features and Configurations, May 2004
IT Directive 06-5, Use of Personal Computing Equipment, October 2006
63: 63 Email Policy Requirements Distilled
Certain VA email systems are subject to the Privacy Act
Email will be used where it provides a cost-effective means for employees to conduct official business and improve delivery of services to veterans
Email messages are records when they are made by VA under Federal law or in connection with public business; and are preserved or are appropriate for preservation as evidence of…because of the information value of the data in them.
VA will establish and maintain a comprehensive program to provide cost-effective security controls needed to protect VA information, in any media or format, and VA information systems.
64: 64 Email Policy Requirements Distilled VA employees are permitted to transport, transmit, access and use VA data outside VA facilities only when such activities have been specifically approved by the employee’s supervisor and where appropriate security measures are taken to ensure that VA information and services are not compromised.
Auto-forwarding of email messages to addresses outside the VA network is prohibited; restriction enforced through software modifications and/or configuration changes at the email gateways
Use of VA GFE or OE in a mobile environment (laptop, PDA) and VA PI is stored on the computer, file, or electronic storage media, approved encryption software must be used
65: 65 Secure Network Transmissions Compliance with HIPAA and FISMA
No clear text
Encrypted data transmissions using FIPS 140-2 certified client and server/host software
Supports PKI infrastructure and smartcard devices for HSPD-12
Enterprise procurement includes software licenses, engineering, training and maintenance
66: 66 VistA MailMan Changes to infrastructure (RDPCs) impacts email transmissions
Automated processes in VistA generate transmissions in clear text across wide area network (e.g., HL7 messaging, nightly transmissions to AAC, ETA data to PAID, HEC eligibility data)
PHI transmitted across VA network must be encrypted
PKI not compatible with VistA MailMan
VHA waiver and associated VHA Directive 2007-003, Application of VistA Mailman
67: 67 VistA MailMan – Terminal Emulation Attachmate WRQ (KEA) provides a security solution by encrypting terminal emulation sessions end-to-end (SSH)
Build encrypted tunnels for non-secure applications
Protect sensitive file transfers
Maintain system compatibility with security standards
Leverage existing authentication and authorization methods
Safeguard remote access to enterprise applications
Secure remote administration of critical servers
Simplify password management and cut help desk calls
68: 68 Microsoft Office Outlook - PKI
User Certificates – secure electronic mail, digital signatures
Server Certificates – server authentication and encrypted sessions for web servers
VA Partner Certificates – (email addresses outside VA network)
GSA’s ACES (Access Certificates for Electronic Services)
69: 69 Microsoft Office Outlook: PKI Challenges
Auto-enrollment
Certificate Exchange
Training and Compliance
Point Solutions (RMS vs. PKI)
70: 70 Microsoft Office Outlook: PKI Improvements Unified Authentication for Windows (auto enrollment)
Draft user documentation completed
Piloting with limited user base at Hines – began 6/25
Planned deployment in October
PKI Infrastructure Rebuild
Provides failover and redundancy
3 sites
PKI user certificates
120K procurement award by September
71: 71 Microsoft Office Outlook:PKI Resources
Local Registration Authorities (LRAs)
PKI Helpdesk: 1-866-407-1566, Option 4 or email
PKI web site
72: 72 Microsoft Office Outlook: Rights Management Services (RMS)
Augments existing technologies to provide persistent protection
Enforces organizational policies
Provides a platform for value-added solutions
73: 73 Microsoft Office Outlook: Rights Management Services (RMS) Do-Not-Forward Email
Requires Outlook 2003 & RMS
Reduces internal/external forwarding of confidential information
Keeps sensitive email where it belongs
Protect Sensitive Files
Word 2003: Control access to sensitive content
Excel 2003: Set granular permissions per user
PowerPoint 2003: Determine length of access
Communicate in a Mixed Version Environment
Rights Management Add-on for IE (RMA)
Users without Office 2003 can view rights-protected files via Internet Explorer
Does not provide authoring capability
74: 74 Microsoft Office Outlook:RMS Deployment
Deployment in progress (scheduled deployment across all VISNs and Program Offices by 8/30/07)
Web-based training materials
Blackberry integration
Architecture
Redundant and disaster tolerant
75: 75 Microsoft Office Outlook: Exchange Email Archive Services (EAS)
Business necessity driven by compliance with policy, discovery and oversight
Over 45K users currently using EAS across VA
Procurements for expansion across VA in process
Architecture will mirror final architecture for regionalization of Exchange
76: 76 Microsoft Office Outlook: PKI vs. RMS
PKI will be phased out for internal use once RMS is fully deployed and operational across VA
PKI will still be used for external communications since RMS doesn’t provide that capability
77: 77 Microsoft Office Outlook: Outlook Web Access (OWA) Provides web-based public access to Microsoft Exchange Server public folders and address book
Access via https://webmail.va.gov/exchange/
Provides point and click access to the most popular features of OWA (create, reply, forward, check for new mail, search, move or copy, delete)
78: 78 VPN – Remote Access Challenges
Current architecture cannot enforce requirements of VA Directive 6504 and other Federal requirements for remote access
Risk imposed by remote users for safeguarding VA data
GFE versus OE
79: 79 Remote Enterprise Security Compliance Update Environment (RESCUE) Enforces compliance
Virus protection
Microsoft patches
Firewall
Connection options
VA-owned equipment (GFE)
Non-VA owned equipment (OE)
Contractor
Personally-owned
80: 80 Remote Enterprise Security Compliance Update Environment (RESCUE) GFE Host Check
Device is member of va.gov domain
Device is encrypted
GFE Integrity Check
Device has anti-virus (AV) software installed (McAfee)
Device has VA HIPS software installed (Real Secure or Proventia)
Remediation compliance check
Is AV signature file current; if not – remediate
Does device have minimum critical OS patch installed; if not – remediate (minimum acceptable for pilot is SP2)
Other checks to be determined
81: 81 Remote Enterprise Security Compliance Update Environment (RESCUE) OE
Limits connection to virtual desktop
Can’t save/print on local machine
Permits saving on VA network shares
Malicious code protection
Cache Cleaner clears cache prior to session disconnect
Required connection type for use by all OE
Available for GFE
Minimal host integrity checks enforced (AV and Firewall)
Requires administrator rights on local machine
Prevents access from most kiosk environments
82: 82 Internet Gateway Secure Email
83: 83 Internet Gateway Secure Email Challenges/Solutions
Need to transmit SSNs to White House/Congressional staff prior to testifying
Encrypted pipe between VA and White House mail servers
Can’t distinguish between personal SSN versus and SSN of veterans and employees
Policy prohibits transmission of SSNs in clear text
Distinguishing SSNs of deceased veterans (NCA)
NARA submissions don’t require filtering per SSA
NARA added to exception list
Contract #s and job announcements formatted like SSNs
Addressing issues on a case-by-case basis
Test SSN data
“666” and “000” added to exception list
84: 84 Privacy Problems with E-mail(wikipedia) Main article: e-mail privacy
E-mail privacy, without some security precautions, can be compromised because:
e-mail messages are generally not encrypted;
e-mail messages have to go through intermediate computers before reaching their destination, meaning it is relatively easy for others to intercept and read messages;
many Internet Service Providers (ISP) store copies of your e-mail messages on their mail servers before they are delivered. The backups of these can remain up to several months on their server, even if you delete them in your mailbox;
the Received: headers and other information in the email can often identify the sender, preventing anonymous communication.
There are cryptography applications that can serve as a remedy to one or more of the above. For example, Virtual Private Networks or the Tor anonymity network can be used to encrypt traffic from the user machine to a safer network while GPG, PGP or S/MIME can be used for end-to-end message encryption, and SMTP STARTTLS or SMTP over Transport Layer Security/Secure Sockets Layer can be used to encrypt communications for a single mail hop between the SMTP client and the SMTP server.
Another risk is that e-mail passwords might be intercepted during sign-in. One may use encrypted authentication schemes such as SASL to help prevent this.
85: 85 Privacy and Legal Issues for Provider to Provider E-mail Communications VHA Handbook 1907.01 Guidance
Medico-legal Issues
Privacy Act Implications
System of Records (SOR) Issues
E-Mail Retention
FOIA
E-discovery
HIPAA Implications I will only be discussing the privacy issues related to provider to provider communications. There are many emails issues regarding IRIS, the Contact the VA link on the VA home page and WebCIMS.I will only be discussing the privacy issues related to provider to provider communications. There are many emails issues regarding IRIS, the Contact the VA link on the VA home page and WebCIMS.
86: 86 VHA Handbook 1907.01 e. Provider to Provider E-mail Communication
(1) Electronic mail and information messaging applications and systems can only be used for authorized government purposes and must contain only non-sensitive information unless the data, and are protected with a VA-approved encryption mechanism.
(2) For Outlook/Exchange mail, the Office of Cyber and Information Security (OCIS) issues Public Key Infrastructure (PKI) certificates to encrypt communications between a sender and receiver. NOTE: Personnel must follow the national PKI policies and procedures issued by 005. Requests for PKI certificates are to be directed to the local ISO, who typically serves as the Local Registration Authority (LRA) for VAPKI deployment.
NOTE: Provider to Patient e-mail communications are not covered in this policy. Mention Provider Patient email communications – Industry practice to use a secure portal for these communications. For VA this will be handled through future iterations of MyHealtheVet.Mention Provider Patient email communications – Industry practice to use a secure portal for these communications. For VA this will be handled through future iterations of MyHealtheVet.
87: 87 Medico-legal Issues Any e-mail documenting care would have to be made part of the official VA medical record through:
Scanning;
Re-entry of the information into a Progress Note; or
Some other mechanism (e.g., paper).
E-mails are not currently part of the “Patient Medical Record-VA” (24VA19) Privacy Act system of records
88: 88 Privacy Act Implications System of Records (SOR) Issues
VistA Mailman messages covered by “VistA” (79VA19) SOR notice
Veterans/Patients have a right to a copy of any e-mail in VistA that is retrievable by their name
Messages must be retained in accordance with SOR notice
MS Outlook e-mails are not covered by a SOR notice (Some e-mails are not even official VA records)
E-mails sent via MS Outlook should NEVER contain the name of the veteran/patient in the subject line even when encrypted. Explain that some emails from IRIS and WebCIMS may have a name in the subject line, which VA will be adressing.Explain that some emails from IRIS and WebCIMS may have a name in the subject line, which VA will be adressing.
89: 89 E-Mail Retention Guidance VA Handbook 6301, Policy and Procedures for Handling Electronic Mail Records
Preserving Electronic Mail Messages Memo dated Dec. 23, 2004
VA Notice 06-1, Final Rule on the Disposal of Transitory Email Records
IL 19-2006-001 dated July 6, 2006 We realize that we need to develop a single source document for guidance that clearly outlines the requirements for retention and provide some examples to assist in knowing which emails must be retained and for how long.We realize that we need to develop a single source document for guidance that clearly outlines the requirements for retention and provide some examples to assist in knowing which emails must be retained and for how long.
90: 90 E-Mail Retention: Federal Records Messages that support official VA business and/or convey valuable information on VA’s mission are considered to be Federal records.
E-mails documenting care or used to coordinate care for a specific patient would be official VA records.
Ref. VA Handbook 6301
91: 91 E-Mail Retention E-mails that are official VA records must be retained either in a recordkeeping system or in the e-mail system for the specified NARA retention period
For example, an e-mail documenting the care teams discharge plans for a patient need to be placed in the medical record and retained for 75 years.
Once the e-mail or information contained in the email has been placed in a recordkeeping system (e.g., CPRS), the e-mail may be deleted.
Ref. NARA, General Records Schedule 20, Item 14 Not all emails that are official records would have to be placed in CPRS or other recordkeeping system.Not all emails that are official records would have to be placed in CPRS or other recordkeeping system.
92: 92 Freedom of Information Act (FOIA) As official VA records, e-mail messages including those without PHI are subject to FOIA and may be disclosed pursuant to a signed, written FOIA request.
93: 93 E-discovery Electronic discovery (also called e-discovery or ediscovery) refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.
E-discovery can be carried out offline on a particular computer or it can be done in a network.
Court-ordered or government sanctioned hacking for the purpose of obtaining critical evidence is also a type of e-discovery.
94: 94 HIPAA Implications Any health information created by VHA health care providers is subject to the HIPAA Privacy Rule, even if not maintained in a Privacy Act SOR.
Any e-mail in MS Outlook containing PHI must be appropriately safeguarded under the HIPAA Privacy and Security Rules until destroyed.
95: 95 Summary Should providers send patient information via
e-mail?
Yes, BUT
Not if CPRS is a better alternative
Only via secure, VA-approved e-mail systems
Only if disclosure is minimum necessary
With understanding of the applicable e-mail retention requirements
With understanding e-mail may be discoverable
With common sense
96: 96
Q&A