Please note that University Physicians, Inc. is now doing business as University of Colorado Medicine (or "CU Medicine").

Organizational Compliance FAQs

Created: 09/21/2012 | Updated:  

1. What is University of Colorado’s policy on limiting conflicts of interest?
See their brochure which outlines the Policy to Limit Conflicts of Interest Between Health Care Professionals and Industry Representatives (PDF)

2. What is Protected Health Information (PHI)?
PHI includes “individually identifiable” health information. Information is considered individually identifiable if (1) it identifies the individual or (2) there is a reasonable basis to believe that the information can be used to identify the individual. PHI can be more than just medical records and charts. PHI includes information relating to treatment, health condition, payment, MRNs, SSNs, and even simple demographic information, such as name, address and age.

3. What is the affiliate-protected email network?
The affiliate-protected email network includes UCD, UCH, UPI, TCH, BDC, DH&H and NJH. Security measures are already embedded within this network to ensure safe delivery of all email containing PHI. When sending email containing PHI outside of this protected network, you are required to utilize encryption software. The affiliate-protected network does not include emails originating from the Veterans Administration Hospital, patient/personal email accounts (e.g., Hotmail or Gmail), or private practice physician addresses outside of the affiliate network.

4. Why have we adopted email encryption practices?
Emerging HIPAA data security laws, coupled with growing privacy concerns and heightened liability, have necessitated the requirement that all communications containing PHI be secured. Encryption is a reasonable approach to securing confidential transmittal of PHI via email.

5. My patient is not technically savvy and may experience difficulty handling encrypted messages. Do I still need to encrypt?
YES. The encryption software utilized is not overly complex. Recipients will go through a few steps to access messages and will be able to respond securely as well.

6. My patient expresses no interest in secure email usage and they send unencrypted emails containing PHI to me all of the time. Why should I be concerned?
Implied consent cannot be assumed. When a patient sends an unencrypted email, it does not necessarily mean they are not concerned with secure information sharing. Many patients may not have the necessary tools to communicate securely via email. You can assist your patients by routing them through the encryption software. Additionally, you are required to send email securely even if the patient requests to opt out of this practice.

7. I received an unencrypted email containing PHI from a referring physician outside of the affiliate-protected network. How should I respond?
Not all clinicians are aware of their responsibilities under the HIPAA data security and privacy laws. As a courtesy, you should remind the referring clinician that they are placing their patient’s sensitive and personal information at risk for unauthorized access, modification, and disclosure. You should also encrypt this reply because PHI present in the original message is now part of the email thread.