Sharing educational documents with multiple patients
RECENT MICHIGAN MEDICINE HIPAA BREACH: A HIPAA breach recently occurred that exposed multiple patients’ email addresses to other patients while sharing educational documents. Protecting patient privacy is crucial and failing to take the proper precautions can expose patients’ protected health information (PHI), resulting in potential fines and mistrust of our patients.
Below are important requirements when sharing educational materials with patients.
Providing patient education using MiChart:
- The Patient Instructions activity in MiChart provides a HIPAA-compliant way for providers to share educational materials with patients.
- Patient Instructions topics can be sent to patients via a portal message or a letter.
- They can also be sent to print with the After-Visit-Summary.
- If the material is not available in MiChart Patient Instructions, it can be submitted to the Patient Education Clearinghouse and MiChart will create a Patient Instructions document with a link to direct patients to access the resource on the Clearinghouse.
- To learn more, visit the Patient Education and Health Literacy Program (PEHL) website.
- Click here for a MiChart Tip Sheet and a video with step-by-step instructions on using Patient Instructions.
Sharing education documents via email with one or more patients:
- Patient names and email addresses are PHI. Exposing patient names and email addresses to other recipients is a HIPAA violation.
- To email educational information to a group of patients, always use the BCC field for all recipient email addresses. Otherwise, email addresses in the To and CC fields are viewable to all the recipients.
- Only use Outlook email (@med.umich.edu)
- Send your email securely by typing SECURE in brackets, “[SECURE],” anywhere in the Subject line to encrypt the email.
- Never put PHI in the subject line of an email.
Using cloud-based collaboration services:
- Only use approved cloud-based collaboration services such as Dropbox at U-M or Box at U-M.
- Ask for help. When using these services, it is your responsibility to ensure that settings are configured to hide all recipient names and email addresses. If you are unsure how to do this or need other assistance, contact the HITS Service Desk for help.
- No PHI pertaining to one or more individuals can be included in an educational document shared with multiple patients. Educational documents must be generic in nature and not specific to a particular patient(s).
- If you have any questions about Patient Portal use, contact Health Information Management (HIM-PatientPortal@med.umich.edu or at 734-615-0872).
- Corporate Compliance Webpage on Communicating PHI.
- Michigan Medicine Confidentiality of Patient Information Policy.
- Patient Education and Health Literacy Program (PEHL) website.