jimmie,
I just looked up so many sites on HIPAA and email, I decided not to list them. Remember, HIPAA doesn't always make specific recommendations as to protection of PHI. It mainly wants you to do everything possible to protect PHI and have policies to such.
HIPAA actually considers email safer as there are more ways to secure it via encryption. On the other hand, when I used Certified Mail, which was simple and cost-efficient, I couldn't get doctors to figure it out, when all they had to do was receive an email which already had their email address in the username field and they had to add a password (not even a difficult one). Over 60% of them were scared to death of it.
HIPAA also states that since you can talk over an unsecure line, then you can fax over one. Using precautions such as a cover page is all they want. I think it is much easier to email the wrong place than it is to email the wrong place. HIPAA states that with any new fax number, you should verify it first, then put it in the address book.
I kind of laugh at all these emails with the disclaimer at the bottom as if they mean anything. As if emailing it back and then "deleting" the email will make a difference.
Certainly, a portal makes a huge difference when the data resides on the portal's server and never leaves it. You could have a form that allows people to opt out of using the portal but lets them know that this will delay their results and further access significantly. I think using the email they receive to access the data on the portal and finding it is the wrong patient is more likely to end up with that patient not reading it and replying back to you.
Your nurse sending Jones to Smith is an error. It is simply going to happen. Mistakes will happen. You can try to come up with double checks as the hospitals do with chemo. We always have one other staff member check a lab req and label to see they are on the correct person. Not sure how easy that would be with this.
I try to keep all my information secure on my server and network. But, again, there is only so much I can do. I can't set up Department of Defense techniques with everything, although I can use DBAN to clean hard drives.