Corporate compliance corner

By Corporate Compliance Officer Ed August

As part of our company's ongoing efforts to educate employees about the importance of safeguarding Protected Health Information (PHI), this edition of the Corporate Compliance Corner defines PHI, shares some common examples of PHI, and provides some vital practices you must use when sending PHI via email, phone, or fax.

What is PHI?
PHI is any information that can be linked to a person (such as a patient or resident at a client community) and is about a health condition, the provision of healthcare services, or the payment for healthcare services that is created or collected by our company or a client community. The following are common examples of PHI:

  • Names
  • Addresses
  • Dates related to individuals
  • Telephone numbers 
  • Fax numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • License plate numbers
  • Device identifiers and serial numbers
  • Website URLs
  • Internet protocol (IP) address numbers
  • Biometric identifiers including finger/voice prints
  • Full face photographic images
  • Any unique identifying number, characteristic, or code

In addition to PHI, you need to be aware of "sensitive information" that could lead to the identification of a person. For example, information derived from PHI – such as using a person's initials instead of his or her name – must be treated the same as PHI. Describing a medical condition is also considered sensitive information because it may allow some people to identify the patient or resident.

Safeguards when using email
When sending PHI to a non-Symbria email address, be sure to:

  1. Use your Symbria email account. Do not use a personal email account, such as Gmail, Yahoo, Comcast, Hotmail, or AOL to send emails containing PHI or sensitive information.

  2. Confirm that the recipient is authorized to receive PHI.

  3. Verify that the email address belongs to the intended recipient.

  4. Check any attachments to ensure they include the intended information.

  5. Limit PHI to the minimum amount of information necessary.

  6. Encrypt the email. Never send an email containing PHI or sensitive information without encrypting! To encrypt a company email, simply type #safe anywhere in the email, including the subject line, the body of the email, or your signature. Corporate and pharmacy employees who have an "Encrypt Message" button at the top of their Outlook email screen can also click this button to encrypt the email, then click the "Send" button.

Alternatives to emailing PHI
The telephone remains a viable option for communicating PHI; however, be aware of your surroundings for confidentiality purposes. You can also send PHI via fax if you observe the following safeguards:

  • Use a Symbria/Alliance Rehab/Symbria Rx Services cover sheet.

  • Verify the fax number of the recipient.

  • Notify the recipient you are sending the fax.

  • Request that the recipient provide confirmation when he or she receives the fax.

Other precautions you should use take when faxing PHI include: Keeping the fax machine in a secure place; checking the machine regularly when you are expecting a fax; storing faxes you receive in a secure location; notifying the sender if you receive a fax meant for someone else; and locating any misdirected faxes.

Additional information
Communicating PHI and sensitive information in a secure manner is an important responsibility; however, all employees must also keep in mind the safety of our company because there are significant fines for violations of PHI. If you have any questions about emailing PHI, please ask your supervisor or contact me at 630-413-5840 or This email address is being protected from spambots. You need JavaScript enabled to view it..

Print