Emailing Confidential CDHA Personal Health Information or Business Information: Important Changes and Information you need to know as a CDHA Clinician/Researcher

Like any tool you use in medical practice, email has benefits and risks. Educating yourself on how to use email responsibly in your practice is important, as the standards for maintaining the privacy, confidentiality, and security of email in healthcare are higher than those for personal email use. Effective clinical documentation and communication are also considerations when using email. Inappropriate use of email can compromise patient safety and privacy and result in liability.

Most importantly:

- Your cdha.nshealth.ca email account must be used to communicate CDHA confidential personal health information or business information (“CDHA confidential information”). Need help with your cdha email account? Call IT at 473-3399.
- Dal.ca email accounts are no longer appropriate for sending, receiving or storing CDHA confidential information, as they are switching to Microsoft 365.
- Communication of CDHA confidential information to a recipient using a non-nshealth.ca email account or gov.ns.ca email account must be properly encrypted using CDHA approved tools.

Please read the following document in its entirety to get the information you need. This document uses a question and answer format to address a number of important issues involving the emailing of CDHA confidential information securely to avoid privacy breaches and professional liability.

Emailing Confidential CDHA Personal Health Information or Business Information: Frequently Asked Questions

I’ve heard Dalhousie is switching to Microsoft 365 and Dal email is no longer to be used to share personal health information? Is this true? I use it to email patient information to clinicians and researchers I collaborate with, as well as for teaching.
After discussion with Dalhousie University, both institutions agreed that personal health information is not to be emailed using your Dalhousie email account, as it was not intended for this purpose. The legal standard for the transfer and storage of personal health information is higher than for other less sensitive information. You may have already received information from Dal about the migration.

Can I use gmail or another external account? I’ve never used my cdha.nshealth.ca account and heard that some clinicians don’t like it.

No. Email accounts such as gmail, hotmail, yahoo, etc. are not secure for transferring personal health information. Web-based email services can lack important security features. CDHA’s policy, Email Acceptable Use CH50-045, in place since November 2011, states:

2.2.5. Do not email any identifiable confidential patient information or confidential, sensitive business information outside the Capital Health/NSHealth network unless appropriately secured with encryption. [NOTE: A discussion of CDHA’s approved encrypted email file transfer service, send.nshealth.ca, follows later in this memo]

2.2.6. Do not automatically forward any confidential patient or business information to an external mail account.

Check with IT at 473-3399 before using any unapproved electronic information transfer system to ensure it has proper encryption.

I understand personal health information is defined in PHIA. What is considered CDHA confidential sensitive business information?

CDHA confidential sensitive business information includes, for example, employee financial information, performance reviews and disciplinary actions, and sensitive credentialing committee documentation.
For more information, see CDHA’s Email Acceptable Use Policy, which is available on the intranet: http://policy.nshealth.ca/Site_Published/DHA9/document_render.aspx?documentRender.IdType=6&documentRender.GenericField=&documentRender.Id=45548

So basically I have to use my CDHA email account to communicate CDHA confidential information…but I’ve heard under Nova Scotia’s new health privacy legislation (PHIA) we can’t email personal health information to clinicians anymore.

PHIA requires us to first use de-identified information if it can achieve the purpose; otherwise, only the minimum amount of personal health information to achieve the purpose can be used. Please remove patient identifiers (e.g. patient name, MRN, HCN, etc.) if they are not required to achieve the purpose of the email and only send emails containing patient information to those colleagues who need to know. Think about whether the information is available to the recipient on a clinical information system rather than emailing it.

Also, we are legally required to ensure emails containing personal health information are secure. At this time, emails sent from a cdha.nshealth.ca email account to another nshealth.ca email account are considered secure as they travel within the internal nshealth.ca firewall. You may also send emails securely from your “cdha.nshealth.ca” account to a recipient with a “gov.ns.ca” email account.

What do I do to transfer personal health information to clinicians or researchers in Nova Scotia without an nshealth.ca/gov.ns.ca account, Canada or elsewhere? Healthcare is crossing boundaries.

Use send.nshealth.ca: https://send.nshealth.ca/courier/1000@/mail_user_login.html?

You can invite individuals from the outside to use this service and download files securely. However, the subject line and the body of the SEND message are not secure and should never contain personal health information (i.e. health card number or patient name).
See the “Getting Started” instructions on the login page for details. HITS-NS also has FAQs on their intranet site: http://hitszone.nshealth.ca/Site_Published/extranet/ecourierFAQ.aspx

So what are the risks of emailing confidential patient information inappropriately? What are the consequences?

Risks include:

- Unsecure email is more likely to be intercepted or hacked and information used for identity theft.
- Email can be forwarded to 3rd parties, circulated, stored and even changed without your knowledge or permission.
- It is easier to falsify an email than a handwritten or signed hard copy. It is impossible to verify the sender’s true identity and whether an email account was created to impersonate a clinician or patient or is a result of a phishing scam. Healthcare does get targeted. Recently, CDHA procurement card holders were sent emails from individuals pretending to be the BMO, which asked users to update personal/credit card information online to get a security update.
- Email senders can easily misaddress an email to the wrong individual or distribution list, often due to the email system automatically filling in a contact based on the first letters you type. Attaching the wrong electronic file to an email has also resulted in large privacy breaches involving hundreds of patients’ personal health information in the US recently.
- While email is often felt to be timelier, clinical information that needs to be communicated urgently, if emailed, may not be checked right away by the user, either because they are unavailable, technical delays occur in delivering the message, or they no longer use the account, resulting in compromised patient care.
- Clinically important email communications may not be documented in the patient’s health record and are unavailable to colleagues who need to know this information.
Possible Consequences include:

- In the case of a privacy breach or unsafe information practices, patients can make a complaint to the Privacy Officer, the Provincial Review Officer, or your professional college, which can result in suspension or fines. They may also choose to start a lawsuit. For example, a health region in Ontario is being sued by patients after a staff member lost an unencrypted USB stick.
- If patient care is compromised due to a lack of email documentation on the patient’s legal health record or ineffective email communication, professional liability may result.

The CMPA has also released guidance for physicians regarding the legal risks of email use for communicating patient information: http://www.cmpa-acpm.ca/cmpapd04/docs/resource_files/infosheets/2005/com_is0586-e.cfm

I’ve also heard that our cdha email account can’t handle large files.

Cdha.nshealth.ca email accounts, like all corporate email systems, have limits on what can be stored and transferred via email. If you try to send an attachment via email that is too large, you will receive an undeliverable message in your cdha email inbox. For larger files, use the send.nshealth.ca service at: https://send.nshealth.ca/courier/1000@/mail_user_login.html? It is encrypted and can handle files up to 2 GB in size. It is used by healthcare institutions, such as Harvard Medical School and Beth Israel Deaconess Medical Center, and other organizations (e.g. NASA). If you are repeatedly sending large files that cannot be sent via regular cdha email, contact IT at 473-3399 to discuss possible alternate solutions.

If an individual is trying to send you a large file and is encountering difficulties, it may be because your cdha.nshealth.ca email account is full. Your cdha email account can store up to 2MB. It is important that you save large attachments securely on your cdha personal or shared drives as appropriate after receiving them, and then delete them from your email account to save space.
You should also save or delete old emails to maintain space on your email account.

An outside email message may also be undeliverable to you because of the sender organization’s email setup or the nshealth.ca network firewall rules. Please contact IT at 473-3399 if the sender believes the problem is related to our firewall.

Colleagues have also told me that their cdha email account gets a lot of announcements/spam.

If you are concerned about getting unwanted emails/notifications, Outlook has some filtering capabilities. Accompanying this document is a step-by-step guide, including screenshots, developed by CDHA IT to explain how to route unwanted mail into separate folders instead of your main email inbox. However, be careful about what you filter, as both the organization and your departments use CDHA email to communicate significant events that may affect you and your patients, such as the recent mock power outage or the gas leakage in South End Halifax. For example, emails sent from CDHA with the title LIFELINES are designed to communicate urgent time-sensitive information.

I need to be able to access my email on my mobile devices. Is my cdha.nshealth.ca email account available on Apple or Android devices, as well as BlackBerry devices?

Your cdha.nshealth.ca email is currently available for use on BlackBerry and Apple devices. CDHA IT Services is working on enabling cdha.nshealth.ca email accounts securely on Android devices and anticipates availability of this service in the next two months. Contact IT for more information.

What if I want to work from home? I often email research and clinical documents to my home email address rather than use a USB stick or print paper I might lose.

Request a remote access account if you need to access files or clinical information systems on the nshealth.ca network outside of office hours. See CDHA’s Remote Access Policy (CH50-070) for details.

What about emailing personal health information to patients?
I get a lot of requests.

Capital Health is working on a policy and consent form regarding email communications with patients. We have a legal duty to explain the risks of emailing personal health information to patients, and many patients and providers do not understand these risks fully. In the interim, Legal Counsel and Privacy have developed guidelines that restrict emailing personal health information to patients to the most exceptional of circumstances. For more information, contact the Privacy Office.

How do I document clinically relevant information contained in emails?

Any email communications should be treated in the same manner as progress notes or other clinical documentation, and should be placed on the patient's health record where related to care and not otherwise documented in the chart. Email communications should not, however, replace other documentation required in keeping with professional practice standards.

What about the privacy of my emails sent using my cdha.nshealth.ca email account? Who can view them and in what circumstances?

CDHA’s Email Acceptable Use Policy, CH50-045, outlines the process by which a user’s emails may be accessed as part of an investigative process. The policy is in line with other similar institutions, such as Dalhousie University.