The Quality-Cost Connection: Address e-mail security in the quality department
By Patrice Spath, RHIT
Brown-Spath Associates
Forest Grove, OR
Computer-based electronic mail is changing the way quality managers do business. E-mail provides a means to create, transmit, and respond to messages electronically. An increasing number of quality departments use e-mail systems to distribute memos, circulate drafts of committee minutes, disseminate quality directives, send external correspondence, and support various aspects of their operations. A well-designed and properly managed e-mail system can speed up communications and eliminate paperwork.
But the opportunities for increased efficiency are lost if your e-mail system and the electronic documents it handles are not managed effectively. The same e-mail system that delivers information instantaneously and reliably also can create chaos for quality managers. Potential loss of control over sensitive quality records and important documents and concerns about privacy, security, and public access are just a few of the issues that quality managers must address.
E-mail is just like any other official record created within the quality department. The courts have confirmed that information stored in a computer is as much a business record as a written page in a procedure book or a paper report stored in a filing cabinet. Therefore, e-mail must be subject to the same controls and security as paper documents. Accessibility and retention policies and procedures should apply equally to e-mail and other forms of communication that are created or received by the quality department.
Existing organizational policies for telephone, fax, or written communications may not address all issues raised by e-mail, because e-mail combines some characteristics of electronic communications with elements of written documents. Therefore, your facility should have a specific policy on the use of e-mail, access and privacy protection of e-mail messages, and on retention of e-mail. The policies governing e-mail use by the quality department may need even further clarification. Information created or stored in e-mail systems is considered an official record and therefore subject to discovery proceedings in legal actions. For this reason, the e-mail policies of the quality department should comply with the intent of the state laws governing protection of peer review and/or risk management documents. While responsibility for functions such as security and disaster recovery usually is assigned to a network administrator in the information services department, the quality manager should have input into e-mail practices related to sensitive and confidential information.
The traditional roles and responsibilities of people in the quality department may change as new technologies such as e-mail are introduced into the workplace. All e-mail users in the quality department should be informed of their responsibilities for proper use of e-mail and records in the e-mail system. These responsibilities may include:
- Limiting use of the e-mail system to official business.
- Responding promptly to messages.
- Protecting e-mail messages and attached files or records from unauthorized release.
- Removing personal and transitory messages from personal in-boxes on a regular basis.
- Protecting e-mail messages from inadvertent loss or destruction by complying with backup requirements and procedures.
To prevent conflicting directives and confusion about responsibilities, written policies should identify the individuals in the quality department who are responsible for each element of the departmental e-mail policies and services. New employees in the quality department should receive an orientation to e-mail policies and user responsibilities.
Enforce e-mail security
To ensure the security and authenticity of records communicated through e-mail systems, the quality department may wish to restrict who can read, write, change, and delete files. Password protections can be used to restrict access to authorized users. The quality department may wish to have an e-mail system that has message protection and authentication controls to prevent users from changing an e-mail message once it has been received by at least one recipient. When transmitting protected documents such as performance reports or committee minutes, security labels, such as "urgent," "confidential," or "acknowledgement requested," should be attached to the e-mail message by the sender to alert recipients of special privacy and handling requirements. Other security measures such as encryption, virus protection, and backup procedures provide additional protection against unauthorized access, alteration, or loss of vital information.
Staff in the quality department should make every effort to ensure that the confidentiality of electronic mail is appropriately maintained. It is important to remember that security cannot be assured when messages are sent over outside networks such as the Internet. Because of the insecure nature of the Internet and the number of people to whom the messages can be freely circulated without the knowledge of the quality department, you may wish to limit transmission of highly sensitive reports.
Some of these concerns may be avoided with the use of encryption techniques. Encryption is like an electronic combination lock: The sender encodes the text of a message, causing it to appear as a series of seemingly random characters and symbols. Whether or not the quality department wishes to use encryption with a particular transmission is a question that depends on the sensitivity of the information being conveyed. As with any communication, there is a risk of interception. If an unintended interception of the information would cause harm to the hospital, a member of the medical staff, or to a patient, extra precautions must be taken to preserve the integrity of the correspondence.
A greater security risk to quality departments communicating via the Internet may well be simple human error. Improperly addressed Internet e-mail is just as likely not to reach its intended recipient as improperly addressed postal mail. A computer does not know, for example, that mail addressed to [email protected] is really intended for [email protected]. A simple typographical error in addressing easily can result in a confidential message or report being sent to an unintended recipient.
It should be pointed out that the confidentiality risks in using e-mail are perhaps no greater than in other commonly used forms of communication. Cellular phone conversations can be monitored with readily available scanner technology. Fax transmissions pass through many hands on their way to the ultimate recipient and are commonly in public view in the "fax room" until delivered. Postal mail can be misaddressed. While quality departments should not be dissuaded from using e-mail, it is important to adequately address the security concerns.
E-mail often is treated as an informal or private method of communication, and this could cause problems for the quality department. Staff should be made aware of the rules and conventions surrounding the use of e-mail.
The organizationwide information plan that describes policies and guidelines on managing and maintaining e-mail records may not adequately address the issues of concern for the quality department.
As a general rule of thumb, don’t commit anything to e-mail that you wouldn’t want to become public knowledge. There is always the chance that a message could end up in someone else’s hands. Assume that your message, and any attached files, could be around for a long time. It is easy to copy, store (electronically or in hard copy), resurrect, and forward anything you write in e-mail. And remember, e-mail messages often are retained on system backup tapes and disks in central computing facilities long after they are deleted from the mail system.