Communicating Health Information Online

March 18, 2020

In light of recent challenges, the need to communicate with colleagues and patients online has become critical.  While societal circumstances have changed drastically, the online risks and challenges remain.  The following information will provide guidance for securely conducting business requiring the transmission of Protected Health Information (PHI) while reducing regulatory risks.

Email

  • Personal email containing PHI is not permitted.
  • Office 365 email from Arizona.edu is permitted as long as the email is encrypted. 

Voice

  • Phone conversations are permitted as normal.

Instant Messaging (IM)

  • Cellphone texting of PHI is not permitted.
  • Slack is not approved for the transmission of PHI.
  • Currently, there is no HIPAA Privacy-approved IM tool at UA.  Use Zoom for Health (below) and Email whenever possible.
    • HIPAA Privacy is working to vet IM tools for use and will be publishing additional guidance soon.
  • Banner has approved the use of Banner’s Microsoft Teams for instant messaging involving Banner PHI. It is necessary to login to teams with a Banner email address and credentials (xxxxxxx@bannerhealth.com).
    • University individuals can be invited to Banner Microsoft Teams chat sessions as “guest users” when invited in by a the Banner employee using a University email address (xxxxxxx@email.arizona.edu).
    • There will be additional instruction and guidance issued by Banner regarding Microsoft Teams soon.

Online Meetings / Video Collaboration

  • Use Zoom for Health to collaborate and discuss /display PHI.

Finally, Health and Human Services Office of Civil Rights (OCR) has loosened the restrictions on collaboration technologies for the duration of the COVID-19 crisis.  While OCR’s notification allows providers a wider choice of communications tools, it does not reduce the risk from hackers.  As we have seen for the last few weeks, malicious actors have no qualms about exploiting the crisis for their own gain.  The University Privacy Office will continue to require use of approved tools for communicating PHI online.  If you have a business case which prevents usage of these tools, please contact the HIPAA Privacy Program  to discuss possible solutions: privacyoffice@arizona.edu

Thank you.

Respectfully,

The HIPAA Privacy Office

Office for the Responsible Conduct of Research

The University of Arizona

privacyoffice@email.arizona.edu

https://rgw.arizona.edu/compliance/hipaa-privacy-program