Protected Health Information in Teams and Outlook

This serves as a reminder that patient information should not be stored in calendars in either Teams or Outlook.

If you are required to store patient information that contains any of the 18 patient identifiers listed below, you must save this information in a location where access is restricted to the appropriate individuals. The 18 patient identifiers include the following:

  1. Patient names  
  2. Geographical elements (such as a street address, city, county, or zip code)
  3. Dates related to the health or identity of individuals (including birthdates, date of admission, date of discharge, date of death, or exact age of a patient older than 89)
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers
  13. Device attributes or serial numbers
  14. Digital identifiers, such as website URLs 
  15. IP addresses
  16. Biometric elements, including finger, retinal, and voiceprints
  17. Full face photographic images 
  18. Other identifying numbers or codes 

Q.  What patient-related information can be stored in Teams?

A. You can store patient information in Teams if it has been de-identified, or if the Teams location has been secured so that only the persons required to know have access to the information. This can include reports containing metrics without patient identifiers. We want to avoid any inadvertent disclosure of patient information resulting in a HIPAA violation.

Q.  We are trying to track patient visits and information related to vaccines and testing. Where should this be stored?

A. The appropriate place to store this type of information is in EPIC.

Q.  Is Teams Chat appropriate for sending patient information?

A. Yes, you can send patient information through Teams Chat; however, make sure that the audience is restricted to appropriate individuals and team channels. This information should not be shared in large Teams groups.

Q.  Can we email patient information using Outlook or Office 365?

A. Yes, you can use Kettering Health’s approved solutions for email to transmit patient information containing PHI. Internal communications are secure; however, if any information is sent outside of the network, you must encrypt the message. This is done using the [encrypt] tag in the subject line. Note: Sending PHI through non-KH mail, including personal webmail, is never allowed.

If there are any questions not addressed above, please call iSupport or reach out to a member of the Information Security Team to discuss.

August 26, 2021