VHA Privacy Office
Privacy Fact Sheet
July 2010 Volume 10, No. 5
Use of Individually Identifiable Information in Microsoft Office Applications and Vista
This fact sheet provides guidance to the field on when it is appropriate to include individually identifiable information (III) and/or protected health information (PHI) when using Microsoft Office Outlook Calendar, Microsoft Outlook E-mail, and Vista E-Mail. Electronic mail (e-mail) and information messaging applications and systems are used as outlined in VA policy (VA Directive 6301, VA Directive 6500, and VA Handbook 6500). These types of messages never should contain Individually Identifiable Information (III), unless the authentication mechanisms have been secured appropriately. Authenticated mechanisms approved for use in VA is Public Key Infrastructure (PKI) and Rights Management Service (RMS).
Are there identifiers that are acceptable to be sent via outlook email without encryption?
OGC indicated that last four of SSN and first initial of the last name is not identifiable by itself. However, when you add any other individually identifiable information or health information that has not been de-identified in accordance with VHA Handbook 1605.1 you may no longer send this alphanumeric code via Outlook without encryption.
For example you can send the following messages in Outlook without encryption:
"Please look at the co-payment bill for A#### as I think there is a mistake on the bill."
“The list of employees that will be involved in the Environmental Rounds from my Service are as follows:
Mary Smith, John Jones, Sue Brown”
However, you cannot send the following message in Outlook without encryption:
" On January 1, 2007 A#### had an appointment in the Cardiology Clinic. The visit for that appointment was coded wrong. The diagnoses should be CHF not cardiovascular disease."
What is considered individually identifiable or personally identifiable and should not be sent in outlook email unless encrypted?
Sensitive information per VA definition
* Name (employee name alone in an email message is OK)
* Social Security Number
* Names of Relatives
* Other information regarding relatives
* Telephone/Fax/Other Numbers
* Photographs or Physical Presence; or
* Geographic Destination Smaller than a State.
NOTE: See VHA Handbook 1605.1, Appendix B for additional information on HIPAA de-identification of data.
What is acceptable to place in the subject line of an outlook email message? The first initial of the last name and last four of the social security number by itself is not considered individually identifiable and therefore can be included in the subject line. Any non identifiable information can be placed in the subject line.
NOTE: Subject lines are not able to be encrypted.
Is patient-provider communication acceptable over email?
No The VA has not given permission to communicate with patient/veterans from or to private electronic mail accounts such as AOL.com, Verizon.com, Yahoo.com, or any .com address: Even if the patient/veteran initiates the electronic communication. Secure Messaging (SM) is currently being tested as part of My HealtheVet. Secure Messaging will eventually allow for electronic patient-provider communication in a secure environment.
NOTE: Secure Messaging within My HealtheVet is not considered email, rather it iis a secure communication between My HealtheVet users and their providers.
Can a provider get an authorization from a Veteran to allow VA to send III and PHI through email or text message?
No. Unfortunately, an authorization would not solve the problem as a Veteran cannot give permission for VA to ignore a security policy or requirement. Security policy states that VA sensitive personal information cannot be sent via email unless secured (e.g. encryption).
NOTE: Text messaging is not a secure form of communication.
Is there a difference in the security of messages on outlook when sending intra-agency vs. inter-agency?
No. There is no difference in the security of sending messages on outlook within your facility or outside your facility to another VA. Encryption requirements equally apply
Is it acceptable to include PHI in the Outlook Calendar?
No. Calendar controls were not designed to secure Personally Identifiable information or Protected Health Information. The security controls provided with Outlook calendars only allows for items that you do not wish to be displayed to other users through shared Outlook calender being marked as “Private” (using Microsoft Outlook “options” functionality setting). However, you can not rely on the Private feature to prevent others from accessing the details of the calendar items.
Can employee information be sent using Outlook email?
Yes. If it’s the employee name only then this is acceptable. If other information is included that would be considered individually identifiable, it must be encrypted.
Is it acceptable to use the auto-forwarding option in VistA Mailman to forward emails to Outlook if there is PHI or PII in them?
No. You cannot use the auto-forwarding option in VistA to forward emails that contain III or PHI as they are not encrypted.
Can VistA Mailman messages be autoforwarded to home email accounts?
No. VA Handbook 6500 prohibits auto-forwarding information from VistA that may contain III/PHI to any outside email address as there is currently no capability for encrypting the information.
Can we share PHI in Microsoft Office Communicator (Instant Messaging)?
No. There is not an encryption mechanism available in Microsoft Office Communicator.
Is it acceptable to send individually identifiable information in the body of a Vista email?
Yes. Full name and full SSN can be used in the body of a VistA Mailman message when needed for unique identification of a patient for purposes of providing treatment or for patient safety issues including notification of erroneous notes. Treatment purposes include the coordination of care between providers or within the multidisciplinary team, consultations, patient alerts, discharge planning, transferring the patient to another care team, etc. The last name, last four numbers of the SSN, date of birth, other account numbers (e.g., bill number), and/or other identifying information may be used in the body of a VistA Mailman message for unique identification of a patient for payment and health care operation purposes.
What is acceptable to place in the subject line of a Vista email message? First initial of last name and the last four numbers of the SSN may be used in the Subject Line of a VistA Mailman message to identify the patient and track the message.
If you put a hyperlink in an email message and the hyperlink leads you to a site that has sensitive information are you required to encrypt the message? No. The message does not need encrypted if the link contains no III/PHI. If the link is accessed, there should be appropriate safeguards to stop unauthorized people from gaining access to the information.
Privacy Office at a glance…
VHA personnel should contact the VHA Privacy Office via email through the VHA 19 Privacy Issuesmail group.