March 18, 2020
In light of recent challenges, the need to communicate with colleagues and patients online has become critical. While societal circumstances have changed drastically, the online risks and challenges remain. The following information will provide guidance for securely conducting business requiring the transmission of Protected Health Information (PHI) while reducing regulatory risks.
- Personal email containing PHI is not permitted.
- Office 365 email from Arizona.edu is permitted as long as the email is encrypted.
- Encrypt an email by typing [encrypt] or [secure] in brackets anywhere in the subject line of the email. These commands are case sensitive. For more information, go to https://it.arizona.edu/documentation/uaconnect365-email-encryption
Voice
- Phone conversations are permitted as normal.
Instant Messaging (IM)
- Cellphone texting of PHI is not permitted.
- Slack is not approved for the transmission of PHI.
- Currently, there is no HIPAA Privacy-approved IM tool at UA. Use Zoom for Health (below) and email whenever possible.
- HIPAA Privacy is working to vet IM tools for use and will be publishing additional guidance soon.
- Banner has approved the use of Banner’s Microsoft Teams for instant messaging involving Banner PHI. It is necessary to log in to Teams with a Banner email address and credentials (xxxxxxx@bannerhealth.com).
- University individuals can join Banner Microsoft Teams chat sessions as “guest users” when invited by the Banner employee using a University email address (xxxxxxx@email.arizona.edu).
- There will be additional instruction and guidance issued by Banner regarding Microsoft Teams soon.
Online Meetings / Video Collaboration
- Use Zoom for Health to collaborate and discuss/display PHI.
- Zoom for Health will work on mobile devices as long as the meeting was created with the Zoom for Health web portal.
- Meeting participants do not need to be trained or even UA employees – a shareable URL will get meeting participants into the meeting.
- Meeting organizers need to complete the Zoom for Health training prior to use. See hipaa-privacy-program/zoom-health for details.
- To set up a meeting, go to https://hipaa-zoom.arizona.edu/
Finally, Health and Human Services Office of Civil Rights (OCR) has loosened the restrictions on collaboration technologies for the duration of the COVID-19 crisis. While OCR’s notification allows providers a wider choice of communications tools, it does not reduce the risk from hackers. As we have seen for the last few weeks, malicious actors have no qualms about exploiting the crisis for their own gain. The University Privacy Office will continue to require use of approved tools for communicating PHI online. If you have a business case which prevents usage of these tools, please contact the HIPAA Privacy Program to discuss possible solutions: privacyoffice@arizona.edu
Thank you.
Respectfully,
The HIPAA Privacy Office
Office for the Responsible Conduct of Research
The University of Arizona