What method of sending mail is considered the most secure to maintain compliance with Hipaa?


Part one of a two-part series on HIPAA and email.

Email has been widely used by both businesses and the general public for much of the last thirty years, and reliance on it has found its way into the daily lives of millions. In fact, email has been around so long that its use has become passé for some people. This may be due to a quest for newer methods of communication or because email has become as odious as unwanted mail from the post office. In any case, it’s not going away anytime soon, especially for communications between individuals and healthcare providers. Many providers use email to communicate with patients, and protected health information (PHI) may be exchanged in the process. These providers should consider the HIPAA compliance requirements to protect PHI from unauthorized disclosure.

Is unsecured email HIPAA compliant?

It bears repeating that the Internet, and things like an email sent over the Internet, is not secure. Although it is unlikely, there is a possibility that information included in an email can be intercepted and read by other parties besides the person to whom it is addressed. What is increasingly common is that a patient’s email address has been entered into a record with errors. So, the email doesn’t get to the patient but does go to someone else who actually has the incorrect email address. This means the first rule of avoiding unauthorized disclosure of PHI is to get the email address right!

HIPAA and email can coexist … it’s a matter of understanding the rules

What do the Privacy and Security rules allow – or prohibit – when it comes to HIPAA and email? Many people are looking for specifics on HIPAA-compliant email, and HIPAA-compliant email is discussed in the HIPAA FAQ pages. But, as with much of HIPAA, people in covered entities start from the premise that they must protect PHI; they should then use reason to think about how they are protecting it.

Under many HIPAA regulations, the standards call for reasonable safeguards, reasonable approaches, reasonable policies, etc. But what is considered reasonable? The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) includes several statements on its HIPAA FAQs page. Notably:

“The Privacy Rule allows covered health care providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using email to avoid unintentional disclosures, such as checking the email address for accuracy before sending, or sending an email alert to the patient for address confirmation prior to sending the message.”

The above OCR excerpt gives us some guidance, but there are always more questions and nuances with such things when attempting to put them into daily practice. So let’s explore some of that.
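The OCR precaution quoted above (confirm the address before the first PHI message goes out) can be enforced in software rather than left to habit. The following is an added illustration, not code from the page's authors or from any product: a confirmation link that carries no PHI is sent to the address on file, and PHI is released to that address only after the patient returns the link. The class and function names, the in-memory store standing in for a real database and mail sender, the 24-hour validity window, and the sample addresses are all assumptions.

```python
"""Address-confirmation gate before PHI is emailed (added illustration).

Models the OCR precaution: a mistyped address receives only a
confirmation link, never PHI. Names and storage are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

CONFIRM_TTL_SECONDS = 24 * 3600  # assumed validity window for a confirmation link


@dataclass
class PatientContact:
    patient_id: str
    email: str
    confirmed: bool = False
    pending_token_hash: Optional[str] = None
    pending_expires: float = 0.0


class AddressConfirmation:
    """Issues one-time confirmation tokens and marks an address usable for PHI
    only once the token comes back, i.e. someone at that address received it."""

    def __init__(self) -> None:
        self.contacts: Dict[str, PatientContact] = {}
        self.outbox: List[dict] = []  # constructed stand-in for an SMTP sender

    def register(self, patient_id: str, email: str) -> None:
        # normalise once so later comparisons are not fooled by case or whitespace
        self.contacts[patient_id] = PatientContact(patient_id, email.strip().lower())

    def start_confirmation(self, patient_id: str, now: Optional[float] = None) -> str:
        c = self.contacts[patient_id]
        token = secrets.token_urlsafe(32)
        # store only a hash: a leaked copy of the table cannot be replayed as a link
        c.pending_token_hash = hashlib.sha256(token.encode()).hexdigest()
        c.pending_expires = (now or time.time()) + CONFIRM_TTL_SECONDS
        # the confirmation email deliberately carries no PHI, only the link
        self.outbox.append({
            "to": c.email,
            "subject": "Please confirm your email address",
            "body": f"https://portal.example/confirm?token={token}",  # assumed URL
        })
        return token

    def complete_confirmation(self, patient_id: str, token: str,
                              now: Optional[float] = None) -> bool:
        c = self.contacts[patient_id]
        if c.pending_token_hash is None or (now or time.time()) > c.pending_expires:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, c.pending_token_hash):
            return False
        c.confirmed = True
        c.pending_token_hash = None  # single use
        return True

    def send_phi(self, patient_id: str, body: str) -> bool:
        """Refuse to send PHI to an address that has not been confirmed."""
        c = self.contacts[patient_id]
        if not c.confirmed:
            raise PermissionError(f"address for {patient_id} not confirmed; PHI withheld")
        self.outbox.append({"to": c.email, "subject": "Message from your care team", "body": body})
        return True


def demo() -> int:
    """Walk through the flow with a constructed patient; returns messages sent."""
    gate = AddressConfirmation()
    gate.register("patient-001", " Pat.Example@example.org ")  # constructed address
    token = gate.start_confirmation("patient-001")
    gate.complete_confirmation("patient-001", token)
    gate.send_phi("patient-001", "Constructed sample: your appointment is confirmed.")
    return len(gate.outbox)
```

The point the page makes is that a typo in the address is the common failure, not eavesdropping; with this gate a mistyped address only ever receives the confirmation link, and the PHI message stays withheld until the right person proves they received it.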

What if a patient initiates communications with a provider using email?

The OCR says: “Patients may initiate communications with a provider using email. If this situation occurs, the healthcare provider can assume (unless the patient has explicitly stated otherwise) that email communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted email or has concerns about potential liability, the provider can alert the patient of those risks and let the patient decide whether to continue email communications.”

Note that an individual has the right under the Privacy Rule to request and have a covered healthcare provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via email rather than on a postcard, if email is a reasonable alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted email is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods or by mail or telephone, should be offered and accommodated.

The OCR also interprets the HIPAA Security Rule to apply to email correspondence.

“The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.

 The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an open electronic network as long as it is adequately protected.”

To summarize the rules that apply to HIPAA and email …

  • Email communications are permitted, but you must take precautions,
  • It is a good idea to warn patients about the risks of using email containing PHI,
  • Providers should be prepared to use email for certain communications, if requested by the patient, but must ensure they are not exposing information the patient does not want to be shared; and
  • Providers must take steps to protect the integrity of information and protect information shared over open networks. For instance, medical records should only be sent by email through a secure, HIPAA-compliant email application, or only after the patient has acknowledged that you will send them by unsecured email.

Short answers to other complicated HIPAA questions about email.

HIPAA compliance is a hot topic these days, and there are many questions about how it applies to email. To get you up to speed on the most pressing issues, we’ve compiled this list of some common queries and their answers.

  1. Can protected health information be emailed? Yes, but take care to make sure the email address is correct and the patient has agreed to receive emails containing PHI – even if you encrypt them.
  2. What is required for HIPAA compliant email? Patient consent is highly advisable. Encouraging patients to send messages via the patient portal in your EHR system is a good way to attain secure communications. Utilizing a secure email application is also a way to ensure the PHI in an email remains private.
  3. Is encryption of email required for HIPAA compliance? No, but see #2 above for strategies that are highly advisable for protecting PHI.
  4. What is a HIPAA compliant email application? HIPAA compliant email, or secure email, is usually a separate application from email applications like Gmail, Outlook, or Apple Mail. A secure email application encrypts the text of an email, plus any attachments. The recipient receives a notification via email and is directed to a website where they can log in and retrieve the text or information in the email.
  5. Are patient names and email addresses considered PHI under HIPAA? Yes. HHS specifically states: “Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).”

Given the parenthetical in the answer above, it’s easy to extend that list to things like “email address, phone number, IP address”, and more.

  6. Is email correspondence between doctor and patient part of the medical record? If the email correspondence is related to the patient’s care, it should generally be included in the medical record.

HIPAA and email continued …

So how should hospitals, medical practices and other healthcare providers ensure they’re using HIPAA compliant email? I’ll cover that in Part II of this series. Stay tuned.

The Health Insurance Portability and Accountability Act (HIPAA) applies to entities that provide healthcare services.

Entities affected by HIPAA include:

  • Healthcare providers
  • Health plans
  • Healthcare clearinghouses

The rules were created in order to protect the private health information (PHI) of individuals.


The 411 on Private Health Information

In order to avoid violating HIPAA, you need to understand the concept of private health information and be fully informed about what is considered PHI.

PHI is any information that could potentially identify an individual and his/her medical records, including:

  • Names
  • Locations (state, city, street name/number, address, zip code)
  • Dates (birth date, admission/discharge dates, death date, dates that indicate age)
  • Phone and fax numbers
  • Email address
  • Social Security numbers
  • Medical record numbers
  • Health plan numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • URLs
  • Internet Protocol (IP) addresses
  • Biometric identifiers, such as fingerprints or voice recognition
  • Full facial images or any comparable images

Basically, anything that could help someone determine a person’s identity is considered PHI.

The Challenges of Sending Medical Information

Patients and other providers need to know certain information in regards to possible medical conditions or treatment. The information must be sent, either by email, fax, or through the mail. The problem comes in sharing “need to know” information without violating HIPAA regulations.

How can you stay compliant? Let’s look at the various methods for sending medical information.

Send by Email

Patients and providers often appreciate the ease of emailing medical information. Data can be delivered in seconds without having to print or mail anything. Easy right?

Wrong. Certain encryption standards must be met.

The most popular email systems like Gmail, Microsoft Exchange, and Outlook use SSL or TLS encryption protection. Encryption means the information is disguised so an unauthorized person cannot read it. However, SSL and TLS alone do not provide enough protection: they protect the connection while a message is in transit between a client and a server, not the message itself once it sits in a mailbox, is forwarded, or is delivered to the wrong address.

If you’re sending medical information via email you must:

  1. Encrypt the PHI
  2. Have a method of verifying the identity of the person who is authorized to receive the information
  3. Have a method of revoking access to the information when it’s no longer needed or if you sent the information in error

In order to comply, you would need a specialized email encryption service. These services add extra protections to secure PHI and ensure only the authorized person can access it.
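The three requirements above (encrypt the PHI, verify the recipient's identity, be able to revoke access) together with the earlier description of a secure email application (the email carries only a notification; the PHI is retrieved from a website after logging in) describe one architecture. The following is an added model of that architecture, not the code of any product or of the page's authors. The service stores the PHI encrypted, mails only a pointer, releases the plaintext solely to the authenticated designated recipient, keeps an audit trail, and lets the sender revoke a message. The class names, the portal URL, the sample users and the seven-day validity window are assumptions; so is the cipher: an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag is used only so the example runs on the standard library, and a real deployment would use a vetted AEAD such as AES-GCM from a maintained library.

```python
"""Secure-message service model (added illustration, stdlib only).

The email carries no PHI; PHI is released only to the authenticated
recipient and only until the message expires or is revoked.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one master key."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; any tampering is rejected outright."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("message rejected: integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SecureMessageService:
    def __init__(self) -> None:
        self.master_key = secrets.token_bytes(32)  # in practice held in a KMS/HSM
        self.messages: Dict[str, dict] = {}
        self.notifications: List[dict] = []  # constructed stand-in for outbound SMTP
        self.audit: List[dict] = []           # who asked for what, and the outcome

    def _log(self, msg_id: str, who: str, outcome: str) -> None:
        self.audit.append({"msg": msg_id, "who": who, "outcome": outcome})

    def send(self, sender: str, recipient_email: str, phi_text: str,
             ttl_seconds: int = 7 * 24 * 3600, now: Optional[float] = None) -> str:
        msg_id = secrets.token_urlsafe(16)
        self.messages[msg_id] = {
            "sender": sender,
            "recipient": recipient_email.strip().lower(),
            "blob": seal(self.master_key, phi_text.encode()),   # PHI never stored in clear
            "expires": (now or time.time()) + ttl_seconds,
            "revoked": False,
        }
        # the notification email carries only a pointer to the portal (assumed URL)
        self.notifications.append({
            "to": recipient_email,
            "body": f"You have a secure message. Log in at https://portal.example/msg/{msg_id}",
        })
        return msg_id

    def retrieve(self, msg_id: str, authenticated_email: str,
                 now: Optional[float] = None) -> Optional[str]:
        """Return the plaintext only to the designated, logged-in recipient."""
        who = authenticated_email.strip().lower()
        rec = self.messages.get(msg_id)
        if rec is None:
            self._log(msg_id, who, "denied:unknown"); return None
        if rec["revoked"]:
            self._log(msg_id, who, "denied:revoked"); return None
        if (now or time.time()) > rec["expires"]:
            self._log(msg_id, who, "denied:expired"); return None
        if who != rec["recipient"]:
            self._log(msg_id, who, "denied:wrong-recipient"); return None
        self._log(msg_id, who, "released")
        return open_sealed(self.master_key, rec["blob"]).decode()

    def revoke(self, msg_id: str, sender: str) -> bool:
        """Requirement 3: the sender can withdraw access, e.g. after a misdirected send."""
        rec = self.messages.get(msg_id)
        if rec is None or rec["sender"] != sender:
            return False
        rec["revoked"] = True
        self._log(msg_id, sender, "revoked")
        return True
```

Note what the notification email looks like: it names no condition, no result and no patient, so even if it is misaddressed or read on an unlocked phone the PHI is not exposed; the audit list records every denied and released access, which is the evidence an auditor asks for.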

Send by Fax

Faxing PHI is another quick and easy method; however, it can be problematic. Often, fax machines are kept in a public area. Incoming faxes might sit in a tray for hours until someone comes to check. In turn, anyone walking by can see printed faxes sitting out in the open.

HIPAA fax rules must be applied in order to ensure that only the authorized person receives the PHI:

  1. Fax machines should be kept behind a locked door
  2. Faxes should be stored in the machine’s memory and only printed by an authorized user

It is possible that the insecure nature of fax machines—and the growing use of email—may soon render faxing of PHI obsolete.

Send direct by US Mail

The final method for sending PHI is through the mail. Here too you must comply with HIPAA rules. In some cases, PHI should even be sent by certified mail, which means the intended recipient needs to sign for it.

Certified mail provides proof that the mail was delivered and verifies when it was received. It also ensures you have a record of everyone who received the information in case the patient ever asks or if you are ever audited for compliance.

First class mail is a protected class of mail and is acceptable for certain types of notices. Lastly, you should never use standard mail under any circumstance when sending PHI.


There Are HIPAA Exceptions

As with any rule, there are always exceptions. The HIPAA Omnibus Final Rule introduced a number of updates in 2013. The updates cover entities that create, store, receive, or transmit PHI.

The new rules apply to entities that store electronic information as well as physical records.

HIPAA Conduit Exception Rule

The main HIPAA exception has to do with entities that are classified as “conduits.” In this case, the definition of a conduit is an entity that only transmits or transports PHI.

Conduits include:

  • US Postal Service, UPS, Fed-Ex, DHL
  • Couriers and electronic equivalents
  • Internet service providers (ISPs)

These conduits cannot have access to the actual PHI, and they can only store it temporarily. The exception allows for a distinction between organizations that transmit information versus those that provide ongoing storage. HIPAA differentiates them as “transient vs. persistent.”

Who Is Not Included in the HIPAA Exception?

The HIPAA Exception does not apply to providers that provide faxing or emailing services to transmit or transport medical information. It also excludes organizations or businesses that store electronic PHI (ePHI).

Such entities are considered business associates (BA), and they must sign a BAA. BAs might include cloud hosting companies and fax, email, or SMS providers.

If you are working with an entity that provides these services and they will not sign a BAA, you should be very careful. Some will add covered entity (CE) protections like disabling automatic forwarding of emails and disabling SMS texting.

While this absolves them from having to sign a BAA, your organization could still be at risk of noncompliance.


EOS Can Help with Printing and Mailing Services

We are your one-stop-shop for marketing, printing and mailing services. If you are engaged in HIPAA mailings or any other healthcare marketing endeavors, you need a partner who understands the game. We offer an extensive range of services, and our knowledgeable team stays on top of the ever-evolving HIPAA exceptions and rules.

Contact us today to learn more about healthcare solutions.