Your secret patient protection agency
By Laura Greene-Orndorff, BS, RT(R), DC
Did you know you may be inadvertently releasing confidential patient information in e-mail and PowerPoint presentations?
If you send patient images via e-mail for second opinions or include them in PowerPoint presentations, you may be placing your patient’s information in jeopardy. One way to protect them and you is to be sure you remove any patient identification from the image(s) by using the anonymizing function on a Digital Imaging and Communications in Medicine (DICOM) viewer.
A DICOM anonymizer is computer software that removes all identifying data from a DICOM file. If this function is not available, screen capturing software, such as Screen Hunter and !Quick Screen Capture, can be used to take a screenshot of the image and assist in removing patient identifiers.
PHI and HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) prohibits the unauthorized release of patients’ protected health information (PHI).
PHI, according to HIPAA, includes any individually identifiable health information (United States Department of Health and Human Services). Identifiable refers not only to data that is explicitly linked to a particular individual (that’s identified information) but also to health information with data items that reasonably could be expected to allow individual identification, such as name, date of birth, social security number, and study identification number.
The Privacy Rule protects all “individually identifiable health information” (known as PHI) that is held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Individually identifiable health
• The individual’s past, present, or future physical or mental health or condition;
• The provision of healthcare to the individual; or
• The past, present, or future payment for the provision of healthcare to the individual and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.
As mentioned earlier, individually identifiable health information also includes many common identifiers, such as name, address, birth date, and social security number.
Remember, quirks of Microsoft’s PowerPoint software or your own inexperience in using computer programs may result in unintended release of PHI. Make it a practice to convert files into other forms such as PDF prior to using them in a PowerPoint presentation. This way, when a file is available for download or transfer, the information is protected.
Don’t be fooled: Images used in PowerPoint presentations that contain PHI are often cropped. The creator may not realize that cropped areas are not deleted; they are simply hidden. The images can later be reverted to the original size, revealing previously hidden PHI. Cropping alone doesn’t keep you from unintentionally releasing PHI.
The Internet and e-mail have made public release of PowerPoint presentations and images nearly effortless. Follow these simple points of PowerPoint etiquette that will help you to avoid the inadvertent release of PHI:
• Do not use PHI in a note field
• Do not try to hide PHI on a slide
• Do not include PHI in image file names
• Be sure that cropped areas that may have had PHI have been deleted
• Select the option in PowerPoint to save files as “read only” so that others cannot manipulate text and images.
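The cropping and note-field points above can be checked before a file leaves the office. The following script is an added example, not part of the original article: it assumes the standard .pptx package layout (slides under ppt/slides, speaker notes under ppt/notesSlides, crops stored as an a:srcRect element), and the function names and the sample deck are constructed for illustration.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

A = "http://schemas.openxmlformats.org/drawingml/2006/main"
P = "http://schemas.openxmlformats.org/presentationml/2006/main"

def audit_pptx(data):
    """Flag cropped pictures and speaker-note text in a .pptx given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in sorted(z.namelist()):
            if re.fullmatch(r"ppt/slides/slide\d+\.xml", part):
                for pic in ET.fromstring(z.read(part)).iter(f"{{{P}}}pic"):
                    # <a:srcRect> holds the crop; the embedded image file stays full size.
                    rect = pic.find(f"{{{P}}}blipFill/{{{A}}}srcRect")
                    crop = dict(rect.attrib) if rect is not None else {}
                    crop = {k: int(v) for k, v in crop.items() if int(v) != 0}
                    if crop:
                        label = pic.find(f"{{{P}}}nvPicPr/{{{P}}}cNvPr").get("name")
                        findings.append(("cropped-picture", part, label, crop))
            elif re.fullmatch(r"ppt/notesSlides/notesSlide\d+\.xml", part):
                # Text runs only (<a:r>); slide-number fields (<a:fld>) are skipped.
                runs = ET.fromstring(z.read(part)).iter(f"{{{A}}}r")
                text = " ".join(r.findtext(f"{{{A}}}t") or "" for r in runs).strip()
                if text:
                    findings.append(("notes-text", part, text))
    return findings

def constructed_sample():
    """Constructed minimal package: only the parts audited here, not a full deck."""
    pic = ('<p:pic><p:nvPicPr><p:cNvPr id="{i}" name="{n}"/></p:nvPicPr>'
           '<p:blipFill><a:blip/>{crop}</p:blipFill></p:pic>')
    slide = (f'<p:sld xmlns:a="{A}" xmlns:p="{P}">'
             + pic.format(i=2, n="Picture 1", crop='<a:srcRect t="18000" r="0"/>')
             + pic.format(i=3, n="Picture 2", crop="") + "</p:sld>")
    notes = (f'<p:notes xmlns:a="{A}" xmlns:p="{P}"><a:p><a:r><a:t>Jane Doe, '
             'DOB 01/01/1970 (made-up)</a:t></a:r><a:fld type="slidenum">'
             '<a:t>1</a:t></a:fld></a:p></p:notes>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/notesSlides/notesSlide1.xml", notes)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_pptx(constructed_sample()):
        print(finding)
```

A cropped-picture finding means the full image is still stored in the file; PowerPoint's Compress Pictures dialog has a "Delete cropped areas of pictures" option that discards it.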
If you haven’t already, develop a clear policy for your office and your staff on the placement of PowerPoint files and sending images via the internet. E-mail and electronic sharing of information are no more private than a postcard.
The simple steps outlined above will help protect you, your practice, and your patients.
Laura Greene-Orndorff, BS, RT(R), DC, is the radiology department chair and a professor of clinical sciences at Sherman College of Chiropractic. Greene-Orndorff is also the founder and developer of Carolina Health Imaging, a freestanding multimodality imaging center in Duncan, S.C. She can be reached at firstname.lastname@example.org.