
Thursday, March 17, 2011

Coming to a State Near You

The Office of Civil Rights (OCR), which enforces HIPAA Privacy, Security and those pesky HITECH mandates (the final language of which is due any day now), has announced four 2-day training courses for all state attorneys general.  The programs will take place at different locations around the country (Dallas, Atlanta, San Francisco, Washington, D.C.) beginning in April.  The advertisement on the DHHS website states that the purpose of the program is "To help State Attorneys General begin to implement their enforcement authority under the HITECH Act."

Among the many issues to be covered are:
  • Investigative techniques for identifying and prosecuting potential violations
  • OCR's role in enforcing the HIPAA Privacy and Security Rules
  • SAG roles and responsibilities under HIPAA and the HITECH Act
  • Resources for SAG in pursuing alleged HIPAA violations
  • HIPAA Enforcement Support and Results
So be aware, and be prepared. Between the seven figure penalties imposed last month and the trainings beginning next month, providers are advised to get their HIPAA and HITECH houses in order.

Saturday, March 12, 2011

To Email or Not to Email? That is the Question.

I have been getting a great many inquiries on the question of emailing PHI.  From a HIPAA compliance perspective, should a provider send email to a patient?

The answer is, it depends.

There are so many benefits to email: the speed, the ability to address an issue without scheduling an appointment, the assistance to patients who need regular management of their meds, blood levels, or rehabilitative exercise routines.  But the inherent insecurity of email is always there, and places the provider at risk of compliance failure. So, what do the regulators say?

In its FAQ section, DHHS specifically says that the HIPAA Privacy Rule permits healthcare providers to use email to discuss health issues and treatment with their patients, so long as they provide "reasonable safeguards when doing so," such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.

Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements.

The HIPAA Privacy Rule gives patients the right to ask for "alternative communications" via email, where available. If a patient initiates an email correspondence, the healthcare provider may assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. But the provider still has the responsibility of maintaining the confidentiality and security of the patient's PHI. DHHS suggests that "If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications."

However, in response to a question of whether the HIPAA Security Rule allows for sending electronic PHI (e-PHI) in an email or over the Internet, DHHS's response is a bit more cryptic. While not expressly prohibiting the use of email for sending e-PHI, the provider still must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected. What does "adequately protected" mean?

And don't forget the HITECH Breach Notification Interim Rules, which give providers who encrypt their data in accordance with National Institute of Standards and Technology ("NIST") standards a safe harbor by exempting them from the extensive notification requirements even if a security breach were to occur. In other words, providers would not have to write letters or contact the media or DHHS, among other mandates, if they lost a laptop or misdirected an email that contained appropriately encrypted PHI. Now there's a big incentive to encrypt your data.

And now, here comes the latest.  Adam Greene, Senior Privacy and Security IT Advisor to the OCR, spoke at last week's Health Information Management Systems Society conference in Orlando. Among the many items he touched upon concerning the upcoming HIPAA and HITECH changes, Mr. Greene was reported to have said that although HIPAA and the HITECH Act do not explicitly mandate the use of encryption, the HIPAA Security Rule makes encryption "addressable," meaning that "it's required if it's reasonable and appropriate." He added, "For electronic health records, it is generally reasonable and appropriate to encrypt."

Where does that leave you?  For the provider, especially the small practice, you may want to start by considering the following, understanding that nothing guarantees that a patient won't file a complaint under HIPAA, starting that parade of regulators through your door:

1. Know your system, and understand that "addressable" HIPAA Security items do not mean "optional" Security items, especially in today's regulatory environment. This applies to practices great and small.

2. Do you have encrypted email? For those of you whom I've met who do not know, or do not want to know, you need to find out. If your email is or can be encrypted, how will the email be received and opened by the patient? While the HIPAA Privacy Rules suggest that a patient's request for email should be honored, the HIPAA Security Rules simultaneously require that you comply with and document the required steps and decisions as these questions relate to your practice.

3. As part of your HIPAA policies, procedures and training that ensure the protection and integrity of paper and electronic PHI, include a security policy and procedure that limits the PHI that is shared by email, and that ensures careful exchanges, such as checking the email address prior to transmission or sending a test email to the patient to confirm accuracy.

4. For what it is worth, some providers include a disclaimer on their emails, reminding the receiver that the email is confidential and only for the intended recipient.

5. Work with a knowledge expert on this issue. Health information technology is very likely completely foreign to providers who were trained to heal patients, not understand computer and internet security.

Email is here to stay, and providers and patients alike often swear by its usefulness. But to avoid becoming a statistic of the ever-increasing enforcement activities, work to ensure that you are sending the most secure email possible for your practice.