Confidentiality, Privacy and Security

Identifying patients through email

  • 1.  Identifying patients through email

    Posted 05-29-2019 14:59
    We have a concern where a nurse from a Covered entity enters a trouble ticket in our system (the Business Associate) because they have an issue with a particular patient in our system. We need to be able to positively identify the patient in question but don't want to include PHI in the email system.

    What do others use for acceptable identifiers through email? At first blush I would think something like
    1) patient initials, Address and Zip code
    2) DOB, patient initials
    3) Date of Service, DOB, patient initials

    but am curious what others use or consider as acceptable ways to identify a patient without passing PHI back and forth.

    Thanks in advance

    Kris Lundell
    Privacy Officer

  • 2.  RE: Identifying patients through email

    Posted 05-30-2019 09:37

    I would only send the information by encrypted email – even the information you listed, such as patient address, could be considered PHI.......


    Wendy Mangin, MS, RHIA

    Executive Project Director – Regulatory Compliance/Privacy Officer


    Good Samaritan 

    520 S. Seventh St. | Vincennes, Indiana | 47591

    Hospital: 812.882.5220 | Direct: 812.885.3487 

    Fax: 812.885.3912


  • 3.  RE: Identifying patients through email

    Posted 05-30-2019 11:23
    Kris, if you look at the de-identification section in HIPAA, all those data elements (excluding date of service) are considered PHI.  If initials are incorporated with an address or DOB, that becomes PHI as the patient could be identified.  We have a BAA in place with our customer service Bus. Associate and therefore minimum necessary is needed to perform their task for us.

    Barb Beckett, RHIT, CHPS
    System Privacy Officer
    Saint Luke's Health System

  • 4.  RE: Identifying patients through email

    Posted 05-30-2019 11:25
    Agree with Wendy and at the very least this is PII, so encryption if email is required

    [Susan Lucci, RHIA, CHPS, CHDS, AHDI-F]
    [Senior Privacy / Security Consultant]

  • 5.  RE: Identifying patients through email

    Posted 05-31-2019 13:42
    We don't send any PHI unless it's encrypted. 

  • 6.  RE: Identifying patients through email

    Posted 07-05-2019 10:56
    We would encrypt the data or possibly use client ID/medical record #.  Encryption is our standard.

    Kathryn Boyes
    Director, HIM

  • 7.  RE: Identifying patients through email

    Posted 07-28-2019 20:25
    Even the medical record number is on the list and considered PHI though, so secure/encrypted email is the only way to ensure that you are compliant.

    Korianne Kaleikini
    Hims Manager
    Lawrence Memorial Hospital