Part one of a two-part series on HIPAA and email.
Email has been widely used by both businesses and the general public for much of the last thirty years, and reliance on it has found its way into the daily lives of millions. In fact, email has been around so long that its use has become passé for some people. This may be due to a quest for newer methods of communication or because email has become as odious as unwanted mail from the post office. In any case, it's not going away anytime soon, especially for communications between individuals and healthcare providers. Many providers use email to communicate with patients, and protected health information (PHI) may be exchanged in those messages. These providers should consider the HIPAA compliance requirements that protect PHI from unauthorized disclosure.

Is Unsecured Email HIPAA Compliant?

It bears repeating that the Internet, and anything sent over it such as email, is not secure. Although it is unlikely, there is a possibility that information included in an email can be intercepted and read by parties other than the person to whom it is addressed. What is increasingly common is that a patient's email address has been entered into a record with errors. The email then does not reach the patient, but it does reach someone else who actually has the mistyped address. This means the first rule of avoiding unauthorized disclosure of PHI is to get the email address right!

HIPAA and email can coexist … it's a matter of understanding the rules

What do the Privacy and Security Rules allow, or prohibit, when it comes to HIPAA and email? Many people are looking for specifics on HIPAA-compliant email, and the topic is discussed in the HIPAA FAQ pages. But like much of HIPAA, people in covered entities start with the premise that they are to protect PHI, and they should then use reason to think about how they are protecting it. Under many HIPAA regulations, the standards call for reasonable safeguards, reasonable approaches, reasonable policies, and so on.
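The "get the email address right" rule above can be enforced in software rather than left to memory: a PHI message is released only to an address the patient has confirmed by answering an alert sent to it. This is an added illustration, not code from the original article; the class and function names are hypothetical, and the confirmation alert itself must carry no PHI because the address is unverified when it goes out.

```python
import hmac
import secrets
import time

# Constructed policy value for this illustration: a confirmation token is
# good for one day, after which the patient must request a new alert.
TOKEN_TTL_SECONDS = 24 * 3600


class AddressConfirmation:
    """Tracks which patient email addresses the patient has confirmed."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock, so expiry is testable
        self._pending = {}           # address -> (token, issued_at)
        self._confirmed = set()

    def request_confirmation(self, address):
        """Issue a one-time token. The caller emails it to the address as a
        confirmation alert containing no PHI; the token is returned so the
        alert can embed it in a link."""
        address = address.strip()
        token = secrets.token_urlsafe(32)
        self._pending[address] = (token, self._now())
        return token

    def confirm(self, address, token):
        """Called when the patient follows the link. Rejects unknown
        addresses, expired tokens and mismatches (constant-time compare)."""
        address = address.strip()
        entry = self._pending.get(address)
        if entry is None:
            return False
        expected, issued_at = entry
        if self._now() - issued_at > TOKEN_TTL_SECONDS:
            del self._pending[address]   # stale: force a fresh request
            return False
        if not hmac.compare_digest(expected, token):
            return False
        del self._pending[address]
        self._confirmed.add(address)
        return True

    def is_confirmed(self, address):
        return address.strip() in self._confirmed


def send_phi(conf, address, body, transport):
    """Release PHI only to a confirmed address; otherwise withhold and say why."""
    if not conf.is_confirmed(address):
        return False, "address not confirmed by patient; PHI withheld"
    transport(address, body)          # e.g. the practice's encrypted mail gateway
    return True, "sent"
```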
But what is considered reasonable? The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) includes several statements on its HIPAA FAQs page. Notably:

“The Privacy Rule allows covered health care providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using email to avoid unintentional disclosures, such as checking the email address for accuracy before sending, or sending an email alert to the patient for address confirmation prior to sending the message.”

The above OCR excerpt gives us some guidance, but there are always more questions and nuances when attempting to put such things into daily practice. So let's explore some of that.

What if a patient initiates communications with a provider using email?

The OCR says: “Patients may initiate communications with a provider using email. If this situation occurs, the healthcare provider can assume (unless the patient has explicitly stated otherwise) that email communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted email or has concerns about potential liability, the provider can alert the patient of those risks and let the patient decide whether to continue email communications.”

Must providers consent to the use of email for communications with patients?

Note that an individual has the right under the Privacy Rule to request and have a covered healthcare provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual's request to receive appointment reminders via email rather than on a postcard, if email is a reasonable alternative means for that provider to communicate with the patient.
By the same token, however, if the use of unencrypted email is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as more secure electronic methods or mail or telephone, should be offered and accommodated.

The OCR also interprets the HIPAA Security Rule to apply to email correspondence:

“The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an open electronic network as long as it is adequately protected.”

To summarize the rules that apply to HIPAA and email …
Short answers to other complicated HIPAA questions about email

HIPAA compliance is a hot topic these days, and there are many questions about how it applies to email. To get you up to speed on the most pressing issues, we've compiled this list of some common queries and their answers.
HIPAA and email continued …

So how should hospitals, medical practices and other healthcare providers ensure they're using HIPAA-compliant email? I'll cover that in Part II of this series. Stay tuned.

The Health Insurance Portability and Accountability Act (HIPAA) applies to entities that provide healthcare services. Entities affected by HIPAA include:
The rules were created in order to protect the private health information (PHI) of individuals.

The 411 on Private Health Information

In order to avoid violating HIPAA, you need to understand the concept of private health information and be fully informed about what is considered PHI. PHI is any information that could potentially identify an individual and his/her medical records, including:
Basically, anything that could help someone determine a person's identity is considered PHI.

The Challenges of Sending Medical Information

Patients and other providers need to know certain information regarding possible medical conditions or treatment. The information must be sent, whether by email, fax, or through the mail. The problem comes in sharing “need to know” information without violating HIPAA regulations. How can you stay compliant? Let's look at the various methods for sending medical information.

Send by Email

Patients and providers often appreciate the ease of emailing medical information. Data can be delivered in seconds without having to print or mail anything. Easy, right? Wrong. Certain encryption standards must be met. The most popular email systems like Gmail, Microsoft Exchange, and Outlook use SSL or TLS encryption protection. Encryption means the information is disguised so an unauthorized person cannot read it. However, SSL and TLS alone do not provide enough protection: they protect a message only while it travels between mail servers that both support them, not the copy that sits in a mailbox or on an intermediate server. If you're sending medical information via email you must:
In order to comply, you would need a specialized email encryption service. These services add extra protections to secure PHI and ensure only the authorized person can access it.

Send by Fax

Faxing PHI is another quick and easy method; however, it can be problematic. Often, fax machines are kept in a public area. Incoming faxes might sit in a tray for hours until someone comes to check. In turn, anyone walking by can see printed faxes sitting out in the open. HIPAA fax rules must be applied in order to ensure that only the authorized person receives the PHI:
It is possible that the insecure nature of fax machines—and the growing use of email—may soon render faxing of PHI obsolete.

Send Direct by US Mail

The final method for sending PHI is through the mail. Here too you must comply with HIPAA rules. In some cases, PHI should even be sent by certified mail, which means the intended recipient needs to sign for it. Certified mail provides proof that the mail was delivered and verifies when it was received. It also ensures you have a record of everyone who received the information in case the patient ever asks or you are ever audited for compliance. First class mail is a protected class of mail and is acceptable for certain types of notices. Lastly, you should never use standard mail under any circumstance when sending PHI.

There Are HIPAA Exceptions

As with any rule, there are always exceptions. The HIPAA Omnibus Final Rule introduced a number of updates in 2013. The updates cover entities that create, store, receive, or transmit PHI. The new rules apply to entities that store electronic information as well as physical records.

HIPAA Conduit Exception Rule

The main HIPAA exception has to do with entities that are classified as “conduits.” In this case, the definition of a conduit is an entity that only transmits or transports PHI. Conduits include:
These conduits cannot have access to the actual PHI, and they can only store it temporarily. The exception allows for a distinction between organizations that transmit information and those that provide ongoing storage. HIPAA differentiates them as “transient vs. persistent.”

Who Is Not Included in the HIPAA Exception?

The HIPAA exception does not apply to providers that offer faxing or emailing services to transmit or transport medical information. It also excludes organizations or businesses that store electronic PHI (ePHI). Such entities are considered business associates (BAs), and they must sign a business associate agreement (BAA). BAs might include cloud hosting companies and fax, email, or SMS providers. If you are working with an entity that provides these services and they will not sign a BAA, you should be very careful. Some will add covered-entity (CE) protections like disabling automatic forwarding of emails and disabling SMS texting. While this absolves them from having to sign a BAA, your organization could still be at risk of noncompliance.

EOS Can Help with Printing and Mailing Services

We are your one-stop shop for marketing, printing and mailing services. If you are engaged in HIPAA mailings or any other healthcare marketing endeavors, you need a partner who understands the game. We offer an extensive range of services, and our knowledgeable team stays on top of the ever-evolving HIPAA exceptions and rules. Contact us today to learn more about healthcare solutions.