
HIPAA and Email: there are rules

Jim Hook, MPH

Part one of a two-part series on HIPAA and email.

Email has been widely used by both business and the general public for much of the last twenty years, and reliance on it has found its way into the daily lives of millions.  Recently, email has become even more accessible with the introduction of the smartphone.  However, leave it to healthcare to throw a curve ball to this cozy relationship.  The fact is, HIPAA and email have long been at odds.


HIPAA Privacy and Security rules are concerned with email, and the web in general

Across the board, healthcare providers are increasingly

  • using, or
  • are considering using, or
  • are being asked to use,

email to communicate with patients about their medical conditions.  If you find yourself described here, then it bears repeating that the Internet, and things like email sent over the Internet, are not secure.  Although it is unlikely, there is a possibility that information included in an email can be intercepted and read by parties other than the person to whom it is addressed.  And it’s that “possibility” that becomes the area of focus.


HIPAA and email can coexist … it’s a matter of understanding the rules

So what do the Privacy and Security rules allow – or prohibit – when it comes to HIPAA and email?

Under many of the HIPAA regulations, the standards call for reasonable safeguards, reasonable approaches, reasonable policies, etc.  But what is considered reasonable?  The Office of Civil Rights (OCR) of the Department of Health and Human Services includes several statements on its HIPAA FAQs page.  Notably …

“The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”

What if a patient initiates communications with a provider using email?  The OCR says:

“Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.”

Must providers acquiesce to use of email for communications with patients?

Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.

The OCR also interprets the HIPAA Security Rule to apply to email communications.

“The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.

The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”


To summarize the rules that apply to HIPAA and email …

  • Email communications are permitted, but you must take precautions;
  • It is a good idea to warn patients about the risks of using email that includes patient health information (PHI);
  • Providers should be prepared to use email for certain communications, if requested by the patient, but must ensure they are not exposing information the patient does not want shared; and
  • Providers must take steps to protect the integrity of information and protect information shared over open networks.


HIPAA and email continued …

So how should healthcare providers ensure they’re using HIPAA-compliant email?  I’ll cover that in Part II of this series.  Stay tuned.


74 Comments to “HIPAA and Email: there are rules”

  1. So…In light of all this, I have a question regarding HIPAA compliant email protocol for a clinical counseling practice. In communications with our phone answering service, they will often email us to let us know our clients have scheduled appointments using abbreviated names. For example, for “Bobby Howard” they might say, “Bobby Ho called today and scheduled an appointment for DD/YY at XX pm.” It’s terribly confusing to me, especially given that we might have a client actually named “Bobby Ho”! So, can client full first and last names be used? If not, I think a preferable alternative would be first initial, last name. “B. Howard”. Is there a rule here?

    Thanks – great article!

    Ryan

    • Ryan, the rules are the same old rules, whether email communications are directly between providers and patients or between providers and a vendor like an answering service: don’t put PHI into an unsecured email. An email to a provider of any kind with a patient’s name and the fact that they have an appointment could be considered a breach, even if the likelihood of the email being intercepted by someone who shouldn’t have it and the patient being identified is vanishingly small. Using an abbreviated name of any kind has its own problems. What if you have more than one patient with the same first initial and last name? And adding another identifier like a birth date only makes it worse.

      There are several possible solutions as we outlined in the blog, like getting a patient’s consent to allow emails about appointments or using a HIPAA compliant email system. The answering service could simply draft emails but not send them, and instead, fax over copies of the unsent emails in the morning. Of course they would have to delete the drafts religiously so nothing is sent inadvertently. They could also just keep a typed list that they fax over.

      If there was ever a complaint alleging a breach of privacy, both the answering service and your organization could be in trouble: the answering service for committing the breach, and your organization for not enforcing the provisions of the Business Associate Agreement you should have in place with them.

      There has not been a major breach case involving email as yet, but there is almost certain to be one once a patient complains to the Office of Civil Rights that privacy was breached because emails with PHI were made public. Don’t be the test case for that occurrence!

  2. do you have any suggestions of some HIPAA compliant email services?

    • Naomi, we don’t recommend specific products. If you do a search for HIPAA Compliant Email, you will see products by several vendors. I recommend reviewing two or three to find one that meets your needs.

  3. I have an ex-spouse who is trying to have emails I send to my son’s therapist forwarded to him. These emails are very private and include information about how his day/week went and my own personal concerns about situations.
    It’s obvious this is an issue of control and I’m aware of HIPAA. When it comes to my emails to the therapist, does my ex-husband have access to them or do they remain private?

    • Marie, the rules on disclosure of PHI (personal health information) that apply to Covered Entities, like a therapist, are pretty clear: PHI cannot be disclosed to outside parties without the consent of the patient, or a person authorized to give consent for the patient. There are several exceptions, of course, like disclosures for healthcare operations such as billing and making referrals to other providers. From your description, it is not clear if your emails become part of the patient’s medical records, which would make them PHI. Any Covered Entity using email to communicate with patients should get written consent for using email, and, if possible, use an email application that is encrypted.

      Your situation also points up one of the disadvantages of using email to conduct discussions about private health information. It is very convenient, but you can never be sure it will not be compromised, just because of the nature of the internet, or because of the ease of sharing, whether authorized or not. In the end, it sounds like you need to discuss the issue with the therapist.

  4. Can a pediatric practice email or fax vaccine records to parent of patient without written consent?

    • Laura, faxing is considered a secure method of sending records containing PHI (which would include vaccine records), but you should have the parent’s approval to fax them. You can record a note in the medical record that the parent requested the records be faxed, and that’s what you did, or you can ask the parents to complete a regular release of records form that includes faxing as the method of delivery.

      Sending these records by email (by which we mean regular, unsecured email) is more problematic. If you do not have a secure email application to use to send them, then you definitely should have consent in writing to use email to send the information. As part of that consent, you should warn the parents that email is not considered a secure method of transmission, and the records are subject to being found and accessed by someone else. The idea is to make it an informed consent.

  5. I just received an email from my ob/gyn about a health fair they are having. I can see the names of all recipients of the email. Is this a violation?

  6. I recently received email correspondence from a government body with a different person’s name and address. Is this still considered a violation of HIPAA?

    • You don’t specify if the content of the email contained personal health information about another person. If it does, it could be a HIPAA violation. If it does not contain PHI, it would not be covered by HIPAA.

  7. Is it PHI under HIPAA if a patient’s name is included in an email regarding a) a check that was received by a practice or b) a bounced check paid to the practice by a patient?

    • Barbara, this is something of a grey area. You don’t specify the exact email exchange, but if you sent an email to a patient regarding a bounced check, with no information about the services received, dates, etc., then it may not be considered a breach of privacy. To be safe (or at least safer), it is always best to obtain the patient’s consent before there is any correspondence via unsecured email. Or, make use of a HIPAA-compliant email application, of which there are several to choose from.

      If your patient complained to the Office of Civil Rights that his/her privacy was violated because of the use of email to correspond, even about payment, you are at the mercy of the OCR attorney assigned to investigate the complaint. They are going to assume a covered entity like a medical practice knew the rules and the guidance they have issued, even if patients didn’t object at the time.

  8. My employer plans to replace a patient portal product in the future. The patient portal allows the patient to send secure messages to their care provider as well as view lab results, renew prescriptions and schedule appointments. With the current patient portal, the patient’s email address is collected and stored as demographic data.

    When it comes time to bring the new patient portal on line, methods to inform current patient portal users are in discussion. One of the options suggested is to send a “blast email” to the patients who are actively using the current patient portal. Notifying by email those patients who gave their email address seems like a quick and efficient method to get the word out that the patient portal vendor is changing.

    The patient’s name would not be included in the email, but the patient’s email will be used. No other patients will see another patient’s email address and no other PHI except for the patient’s email address will be used.
    Under HIPAA guidelines, would this approach be acceptable?

    • The answer depends on the terms and conditions that apply to patients who sign up to use the portal. Are there specific provisions that advise patients their email address is collected and may be used to contact them in the future? If not, when the Office of Civil Rights comes to investigate a complaint from someone, they may decide you did not employ reasonable safeguards when using email to communicate.

      The general advice from the FAQs page of the OCR regarding use of email (http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html) advises providers to employ reasonable safeguards when using email for communications, and even sending a test email prior to sending an email with actual information to confirm you have the right email address. One of the issues that comes up with test emails or with the blast email notification regarding the portal is that you have no idea who may be reading the email at the patient end, including family members who are sharing the email address and who didn’t know the patient was going to the provider! We always recommend documenting consent from the patient on the use of email during a visit, so there is no question about its use.

      What about posting the change on the current portal and even redirecting patients to the new portal location when they attempt to log in after the change? That way patients get notified and redirected at exactly the time they are seeking to connect. And it leaves aside any questions about the use of email for this purpose.

  9. My employer is requiring me to Email my Healthy-You results to some third-party person. Joanna (somebody) at some Email.com. I have no idea who this person is, and under duress of being charged $900 to pick up additional insurance costs, I am having to consider doing this. Not only do I have to submit this information, my children covered under the plan also have to submit it. I have no idea what they are going to do with the information. This information will contain my name, and test results. I also have to access their website and fill out a questionnaire about my ‘lifestyle’.
    Is this legal?

    • Charles, your question raises several other questions. First, we at The Fox Group do not consider ourselves arbiters of legal or illegal practices. That said, we would advise anyone who is asking for information containing PHI (which your test results probably are) to make sure they have a way for people to send them this information via a secure email system, or input it into a website with a secure portal. It is not a violation of the HIPAA Privacy Rules for an individual to use an unencrypted or non-secure method to send their personal information electronically. Interception of emails and attachment by third parties may be extremely unlikely, but it is not impossible. You may want to talk to your employer about your discomfort with sending material over an unsecured email channel, but your employer (assuming he or she is not a healthcare provider) is not covered by HIPAA regulations.

      As far as entering information in a website, if the url is “https”, then it is a secure channel and there is no HIPAA privacy or security issue.

  10. I am finding that, even after attending a HIPAA webinar, the e-mail rules are not the clearest. My specific question is, would it be okay to send e-mails using Microsoft Outlook/Outlook Web App, within our organization, including the first initial, last name, and DOS? For example, “Can you please fax the report from J. Doe’s 01/01/0001 visit to the insurance?” If not, what amount of information would be acceptable to send from one individual to another, within our organization, only?

    Thanks!

    • The thing about sending emails within your organization is that, unless they are going out within a closed network, they may still be traveling over the internet and be subject to interception. An email from an organization with an address that allows the unintended recipient to determine it is from a medical provider (and in your case, a specific type of provider), the name of the patient and the date of service, discloses that the patient had a medical service at that organization on a specific date. This may be minimal exposure of PHI, but it may be enough for the investigative authorities to decide it is a breach. Options you could use would include using the account number instead of a name, or even using encryption/decryption software to encrypt a document with the information you are trying to transmit. There are free programs available that could be used, and you can standardize the password so you do not have to worry about that aspect. The former is very simple; the latter more complicated but lends itself to more information being transmitted.

  11. We are testing our care portal. So to remind patients to access their portal for an upcoming appointment, can we send an email from Microsoft Office 365 (HIPAA compliant) to the patient with a notice to check our care portal for “a secure announcement”? Also put the disclaimer and warning at the bottom that they should share only minimal ePHI and are encouraged to use the portal to send secure messages back to our office rather than replying to our careportal email back. What do you think?

    • An email message to a patient encouraging them to visit your patient portal is probably innocuous enough to go out as a non-encrypted email. We strongly recommend you have documentation of consent to send any email to patients before sending even an email like the one you describe. You just never know who is reading the email at the other end, and sometimes even family members are visiting healthcare providers without telling each other. We would also recommend your disclaimer reminds patients that email is not a secure method of communicating with you, and that they should not include any personal health information in an email. Only communications sent through the portal are secure. There is some suggested language in the second part of the series on this topic at http://www.foxgrp.com/blog/hipaa-compliant-email/.

      I am not sure why you describe Microsoft Office 365 as “HIPAA Compliant”. You may have secure channel to your applications in the cloud, but that does not mean if you send an email from a cloud application that it is arriving at the destination via a secure channel.

  12. Is it a violation if you email a co-worker a patient refund request? It would include patient name and address and the dollar amount?

    • Kathy, you don’t specify if the email you are using is an intra-network (contained in the business), or if it uses any external connectivity, servers, etc. It can be problematic to put too much information in an email that uses external connectivity, even when the information you are sending is limited. A name, address and a link to a specific practice, especially if it identifies the type of specialty, could be a violation if it were ever intercepted. You might consider using a patient’s account number to identify the patient, if that permits the person at the other end to identify the patient properly for the purpose of a refund.

      • Thank you, it is external connectivity. If you email a patient name and/or with an address but no clinic to identify the specialty, is that too considered a violation?
        On a different subject, what if a billing resource gave credential information via email? For example: a client’s provider number, NPI, SSN and provider website access? Would that be a HIPAA violation?

  13. We are in the process of updating our policy regarding mailing medical records to authorized parties, i.e., insurance, auditors, etc. I’m having difficulty finding information on emailing an entire record (encrypted). Am not necessarily seeing anything prohibiting the use of encrypted email to send patient records. But I’m not really seeing anything addressing the complete record either. Thank you very much

    • Elizabeth, there is no distinction between the rules for emailing PHI that represents a minimum amount of information vs. an entire patient medical record. If the text of the email has enough information to identify the patient and where he or she was treated, the email should be encrypted. If there is an attachment with PHI, we would recommend encrypting the attachment separately so in case the email wound up in an unprotected state, the attachment still could not be viewed without a separate password.

  14. In my pediatric practice we use a secure patient portal and we just started using constant contact to send newsletter type regular emails to our patients that contain no PHI. My Partner just received a “Happy Birthday” email from his car dealership on his Birthday. He would like to send “Happy Birthday” emails via Constant Contact to all our patients as their birthdays come up as a nice gesture and a subtle reminder to make an appointment for their yearly visit if they have not made one already. If these insecure emails go out with a first name and no other information (except an implied DOB from the date the email was sent) is it a HIPAA violation? The ePHI is first name, likely last name in the email and DOB. Also assume we have not asked for permission from the family to send this email. In summary, if the email gets into the wrong hands, is knowing someone’s DOB, name, and the fact that they are patients of our practice enough to make it a violation?

    • Andy, the short answer is yes, you may be found to be violating a patient’s privacy by sending an email, even one with minimal information, if you are sending emails to patients without the consent of a parent or someone who can give consent. In some states, even an email address is considered personal identifying information that should not be used without consent. Would the emails go to the patient’s email account? Is the patient a minor? Given the sensitivity of electronic communications with children, it is even more important to have documented consent.

      The HIPAA Omnibus Final Rule of 2013 also contained some important clarifications and extensions on the use of PHI for marketing purposes. See our blog on the topic at http://www.foxgrp.com/blog/sale-of-phi/. While a healthcare provider sending its patients a reminder about a recommended service may be permitted without specific patient consent to use PHI for marketing, a third party Business Associate sending such a reminder (presumably being compensated for the service) definitely seems to fit into a category where patient consent to use PHI for marketing purposes is required. If reminder messages are part of the activities you plan on using a service like Constant Contact for, getting consent from parents to send such notices or other marketing materials should also be obtained.

      Electronic communications can definitely improve patient satisfaction and communication of important issues, but must be done with utmost caution, especially when minor children are involved.

  15. I just requested a billing company send me a full statement of services, not just the total bill. I asked that it be emailed. She refused citing HIPAA. I said I would send an email authorizing this email and releasing them. I was told this is not allowed under HIPAA. This seems foolish. My bill, my services, my consent. What’s the problem? True or another “we can’t do anything because of HIPAA” excuse?

    Thanks!

    • A written authorization from you allowing the billing company to send you a full statement of services, that may contain PHI, via email, should be enough for the company to send you the information you have requested. You might try contacting the healthcare organization that the billing company is working for to see if they can help convince the billing company to send you the information, or have the billing company send them the statement and they can forward it to you.

  16. Thank you very much for offering your opinion. I appreciate it!

  17. If a person accidentally emails a spreadsheet to a non-corporate mailing list containing information of a community clinic program (like a Yoga class) associated to a hospital department with names, addresses, phone numbers, age, a diagnosis (not codes – just words – spinal, cva right side), and payment status (no other financial info)? The names could be former patients or community members involved in the program. There is no identifier stating they were or were not a patient of the hospital, just that they did or did not pay for participation in the clinic program. We consider them clients of the program, but are not patients in the hospital when they opt to participate in the program/class.

    • It sounds like you have a breach on your hands. As soon as you have diagnosis information, whether verbal description or ICD9 codes, plus other identifiers, like names, etc., you have PHI, and per your email, it has been potentially disclosed to persons who do not need it and should not have it. You should contact your organization’s Compliance Officer and let them know what has happened. Also, you should figure out who all received the spreadsheet and prepare to ask them to return it or delete it ASAP. Good luck!

  18. Hi. I am trying to firm up our email policy for the interim period before we are able to invest in an encrypted email system that will be internal to a new portal system for our organization. We need to be able to email a prescription medication name and some type of identifier for the patient in order to clarify a prescription order for that patient. We only communicate by email with providers – not patients.

    In your response to Crystal D in #10 above, you suggest using an account number instead of a patient name to communicate with patients in an unencrypted email setup. I would like for our policy (again, in the interim) to say that our organization will not use patient names OR initials together with information about their medications, but will only use the 16 digit random number generated and assigned by our portal. Using this number that could only connect to PHI by hacking or legitimately accessing our online portal would seem to eliminate the ability to associate PHI in a hacked email system with actual patient initials, which could theoretically be guessed.

    Given that, I am still confused as to how it would be okay to email a medical record number through an unencrypted system, if “Medical Record Numbers” is one of the identifiers listed in HIPAA for identifying PHI. Is that correct? While this may still be PHI, in my mind for the interim period, this is preferable to initials, as there is less chance that the email AND the HIPAA-compliant portal system could be compromised for a true breach.

    Any thoughts would be appreciated. Thanks!

    • As you noted, in my reply to Crystal D., I mentioned using account numbers. The context was Crystal asking about emails being sent to other persons in her organization, who presumably have access to the account number in the email, and can then respond to the request intelligently. The communication was not with patients, at least as she described it.

      You are describing a situation where you want to communicate with other providers about clarifying prescriptions. I assume the other provider would be a pharmacy. You also mention you have or are about to have a portal for the organization.

      Most portal systems operate using https, or secure channels, when information goes over the internet via a portal. That usually addresses the issue of security of the info. Use of any number, even one generated by the portal application, has to be accessible to both parties for messages to be understood and acted upon properly.

      The best I can recommend is, if communication via email (plain vanilla email, going out via your computer or server) is required in the interim prior to the availability of a secure portal, you could add an identifier to the original prescription form, that could be referenced by the pharmacy when you have to send these clarifications. The identifier could certainly be a random number generated by your portal, as long as the pharmacy can relate the number to the patient in question. Of course, faxing a clarification is also a secure way to communicate with a pharmacy.

      I hope this helps!

  19. What if the info is a PDF with just a first name and room number and details about status of patient?

    • Gloria, you do not specify who is sending and receiving this information. A form being emailed with the information you describe, but where it is possible to infer the location (a hospital?) and then locate the hospital and identify the person, is a situation waiting for exploitation. It would be better to use a number of some kind that is difficult to readily associate with a patient, rather than a first name and room number. You have to think: how easy would it be for me to identify a person if I knew what hospital they are in, the first name and the room number? Not very hard, I think.

  20. Hello, My wife is participating in a clinical study. The lead investigator sent an email communication to the study participants and my wife’s and the other e-mail addresses are all visible to the other recipients and other investigators and physicians. At least my wife’s, and it appears that many of the other e-mail addresses contain first initial and last name information. Your thoughts would be appreciated. Thank you.

    Here is the text of the e-mail with my redactions:

    “Dear participants:

    I am writing to stress your obligation to be at XXXXXX Care Center on the scheduled time and date (something you had agreed to do when signing the Consent Form). Cancelling at the last minute is a waste of time for the clinicians that were there and a waste of taxpayers’ money who fund this research. It is unacceptable behavior where there is no serious medical reason, and I have the authority to remove from study anyone who does not respect their appointment. I hope I do not have to do that.

    To help you, we have simplified the scheduling communication for coming weeks. XXXXXX XXXX Medicine Center has agreed that from now on scheduling for the virtual reality system will be done by our staff at XXXXXX, where therapy takes place. You will receive a call from Mr. XXXXXX XXXXX who is the computer engineer working with the experimental equipment in your room at XXXXX. His cell number is XXXXXXX. His email is XXXXX@gmail.com. Please email or text him your name and cell number as well.”

    • Ken, this type of communication is certainly borderline, for two reasons: Email addresses in some states are considered confidential information, so sending an email in such a way that all other email addresses are also disclosed, coupled with the name of the facility where the clinical trial services are offered, certainly is questionable from a privacy standpoint. It’s borderline because apparently the clinical condition being studied is not mentioned directly.

      The organization administering the Clinical Trial could certainly ameliorate this concern by having all participants consent to receiving information, even protected health information, via email or text. And anyone sending mass emails can do it in such a way as to avoid disclosing the email addresses of all the other participants.

      Let us hope the clinical study produces results for your wife and others that far exceed the borderline privacy concerns participants may have, and come about in spite of the level of customer service skill the lead investigator displayed in his message. Good luck.
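One way to send a notice like the one quoted above without disclosing the other participants' addresses, as an added example that is not part of the original post or The Fox Group's advice: the recipients travel only in the SMTP envelope (the mechanism behind Bcc), and a pre-send check confirms that no participant address appears in the headers. The sender, participant addresses and SMTP relay are constructed.

```python
"""Added example (not from the original post or The Fox Group): sending one
notice to many study participants without disclosing their addresses to each
other. The sender, participant addresses and SMTP relay are constructed."""
from email.message import EmailMessage
import smtplib

COORDINATOR = "coordinator@study.example"   # constructed sender address
PARTICIPANTS = [                            # constructed; a real roster would be used
    "j.smith@example.net",
    "a.jones@example.org",
    "p.lee@example.com",
]


def build_leaky_notice(sender, participants, subject, body):
    """The pattern from the question: every address in a visible To: header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(participants)      # every recipient sees every address
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(participants)


def build_notice(sender, participants, subject, body):
    """Return (message, envelope_recipients) with participants kept out of headers.

    The visible To: names only the coordinator; the real recipients travel in
    the SMTP envelope, which is what "Bcc" does under the hood. No Bcc: header
    is written at all, so nothing in the delivered copy reveals who else got it.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = sorted(set(participants))     # de-duplicated envelope recipients
    return msg, envelope


def header_leaks(msg, participants):
    """Participant addresses that appear anywhere in the headers (should be none)."""
    header_text = "\n".join(f"{name}: {value}" for name, value in msg.items()).lower()
    return [p for p in participants if p.lower() in header_text]


def send_notice(msg, envelope, host="localhost", port=25):
    """Hand the message to an SMTP relay with recipients in the envelope only.

    Assumes a reachable relay (constructed default) and refuses to send a
    message whose headers would disclose a participant address.
    """
    if header_leaks(msg, envelope):
        raise ValueError("headers disclose participant addresses; not sending")
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg, from_addr=msg["From"], to_addrs=envelope)


if __name__ == "__main__":
    notice, rcpts = build_notice(
        COORDINATOR, PARTICIPANTS, "Appointment reminder",
        "Please keep your scheduled appointment at the care center.",
    )
    print(notice)                            # headers name only the coordinator
    print("envelope recipients:", rcpts)
```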

  21. I am not sure if you can answer this, but my question is: now that there are smartphones, I had a patient send in a picture of their Rx for medical equipment. Do you think this is acceptable?

    At first, I thought absolutely not, but then I thought about how Rx are faxed every day. Is there a difference?

    What are your thoughts or do you know where I can get an answer?
    Thank you.
    Pam

    • Texting is no more secure than regular (unencrypted) email. Faxing, up until recently, was considered secure because faxes were sent from point to point over telephone lines, not through the internet. With the advent of VoIP, including for use in faxing, even that may have to be reconsidered since it is a form of internet transmission. In any case, unless the sender is using an encryption application to send text messages, of which there are several now, you should avoid encouraging patients to text (or email) PHI to you.

  22. An email sent through the encrypted email network of the hospital from one student to another containing patient last name and room number?

    • Assuming the premise of a secure email network is correct, sending PHI through such a network should be in compliance with HIPAA.

  23. We use gmail for our inter-office communication. We have a password protected firewall associated with our office computer system. Can we supply patient first name, last name and DOS if we are trying to convey a message between each other? Some of our therapists do not have access to our system with the account numbers of our patients.

    • Although Google claims that emails sent within its server network go via the TLS security protocol, which means they are encrypted, that is only true if the emails stay within the Google domain. Therapists who send you emails with PHI that are not routed exclusively in the Google domain would not be protecting PHI as required under HIPAA. Google also offers an encryption solution that may help (Postini) and is compiling statistics on how many people are using encryption when sending emails. https://www.google.com/transparencyreport/saferemail/

  24. Please advise the HIPAA compliance requirements regarding emailing patient x-rays via a non-encrypted email service to either another dentist or the patient in question.

    • Since unencrypted email goes across the internet via a variety of servers, PHI sent this way may be subject to unauthorized disclosure, and such transmissions should be avoided. Having said that, if you ask a patient for permission to communicate with him or her via email, and they agree, then you can send PHI via unencrypted email. You can also ask for permission to share dental records, including x-rays, via email with other dentists or other medical care providers. Any such authorization should be requested in writing (or by means of a form you give the patient to fill out), and any restrictions specified by the patient on the use of email to send PHI must be observed.

  25. I am newly married. I work for a group of kidney specialists. I requested to have my email name updated with my new name and was told HIPAA requires it remain the same for tracking purposes. Can you tell me where I can find information on this?

    • There is no requirement in HIPAA that requires tracking an email address, let alone not adjusting for updates to email addresses, name changes due to marriage, etc., etc. HIPAA only addresses maintaining the privacy of Private Health Information collected by covered entities, e.g., medical practices, on their patients. If you are also a patient of the practice, then HIPAA applies to your medical record and identity information created and maintained by the practice. HIPAA does not apply to general employment records of employees, except to the extent that information might involve PHI. For instance, your employer may have access to some of your PHI when it receives information about utilization of services by persons covered by its employee health plan. But again, there are no requirements about not changing an email address for those purposes.

  26. I have a medical office and my email was hacked by an ex-spouse. I have communication with patients on that email as well as with my attorney.
    The ex-spouse claims that they were given the password to use. That is absurd and I never gave it to them especially since this is a different email address that I started three months after our divorce.

    I have contacted state police who got information from Microsoft and the ex’s place of employment servers tracking her IP address to the email account and they have contacted the prosecutor but he is wavering from prosecuting the ex because she says that she was given permission to be on the account.

    Do I need to tell the prosecutor anything else or do I need to alert someone else about the violation if the prosecutor doesn’t pursue it?

    • First of all, I am sorry for the situation you find yourself in.

      Depending on the content of the emails that were available for access, a prosecutor may want to know about the civil and criminal penalties for unauthorized disclosure of Protected Health Information. People have been prosecuted and even jailed for unauthorized disclosure, usually involving hospital staff who snooped in a celebrity’s medical record, and then sold information to a tabloid. I don’t know how you could tell if any of the PHI in any of these emails was disclosed outside of your wife seeing it, unless patients started calling you or you noticed dissemination of information that can be traced back to your emails.

      That said, and depending on how much and what type of PHI is in the emails, you should treat this as a breach – an unauthorized disclosure of PHI. We advise covered entities to obtain a patient’s consent to share information via email, but that only gives you some protection against the type of unauthorized disclosure that could result from someone intercepting and reading an email as it makes its way across various servers to get to its destination. In this case, there is a known incidence of a specific person with access to emails containing PHI. It does not matter how this access came about, or whether anyone is prosecuted or not. Under any circumstances of potential breach, you have an obligation to evaluate the potential breach and notify patients and/or the authorities, or even the media, if there is a risk of harm to the patients affected.

      You can read more about the risk of harm concept at our blog at http://www.foxgrp.com/blog/hipaa-breach-definition-updated/. You can also get more detailed information at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/.

      Good luck with your situation. It is an unfortunate object lesson on many levels.

  27. I work in a counseling office. I get clients who quite regularly request me to email them with dates and times available for an appointment with a particular counselor, or want to know when their appt. with “xxxxx” is. They also request I confirm their appt. by email rather than by phone confirmation. I always throw the HIPAA regs. at them, stating we cannot discuss PHI via emails. Are we legally able to adopt a policy for our business such as this? A policy that states: Our office does not handle appointment confirmations, scheduling or canceling via email due to HIPAA regulations and our obligation to protect your PHI.

    • There is nothing in the HIPAA regulations that prevents you from adopting a policy that says you do not handle communications via email, but HIPAA regulations also don’t forbid you from utilizing that method of communication. The standard is to protect the privacy of your patients’ protected health information. It does not forbid any particular method of communication, and does not prescribe any particular method. Many practices have access to patient portals that offer a secure method of communication, therefore allowing exchange of PHI.

      We always recommend offering patients several options on how to contact them (phone, text, email, etc.). Email can be one of the methods, and you can specify the types of things you will put in email, and get the patient’s consent. That is one of the issues mentioned on the Office of Civil Rights FAQs about HIPAA. Since many patients may be used to getting information about appointments, etc. via email, they may question why your practice is saying use of email is a HIPAA violation, when it is not. But you should educate your patients, counseling them about not sharing information on their condition, treatments in progress, medications, etc., etc., that the internet is not a secure method of communicating, etc. And then you can offer the use of email if they give you an informed consent to receive such emails, for limited purposes, from you.

  28. (Hope this is an appropriate question for the forum) As a BA, we are developing a new registration process for clients to use our services. When a new client registers they must create a login name and password. The common practice we see is, a new user uses their email address as a login name. Here’s the concern: small practices use free email services like Yahoo, Gmail, etc., and we are concerned about the security of an email address as a login name. Would it be more HIPAA compliant to require them to use something other than an email address as a login name? Thank you

    • There are not really gradations of HIPAA compliance – you either are or you are not. I do not think there is anything inherently less secure in using an email address as a login name, vs. some other name they would have to select, since most of them would probably use a variation of their given name. It would be more important to require a “strong” password, e.g., a mix of letters (upper and lower case), numbers, symbols, etc., at least 8 or 10 characters in total. That would make logging in a more difficult task for someone phishing the login site.

  29. My web host (Bluehost) does not sign BAAs for the HTTPS secure websites on their server and they do not guarantee HIPAA/HITECH compliance with an HTTPS. I have a private dedicated server on Bluehost that hosts my HTTPS website. I would like my employees and physicians to enter ePHI into an online form, excluding the patient’s name. The identifier will be a medical record number from the billing company. This information is stored on the website and accessed directly; none of the ePHI (surgeon, anesthesiologist, time, ICD, CPT, quality data, etc.) is ever emailed or leaves the website storage on the server.

    Is this method HIPAA compliant?

    • Here are a couple of things to consider.
      1) You definitely need a BAA if the hosting site has access to the ePHI you are storing on the server. If the server is only accessible by you or your staff, including for maintenance purposes, then you are protecting the privacy of the PHI, as you are required to do. If the web hosting company can access the server for any reason, even if only for maintenance purposes, and will not sign a BAA, then you are allowing potential access to other people who have not agreed to maintain the privacy of the PHI. Any access would constitute an unauthorized disclosure, making you subject to the breach notification procedures. And even if there were no disclosure, covered entities are being fined under HIPAA because they are not protecting the privacy of PHI adequately – even when there is no unauthorized disclosure.
      2) If access by webhosting personnel is not an issue, then you should ask Bluehost for the level of encryption used in their secure channel (the https) that connects you to the server. It should be at least 128-bit encryption.
      3) You can also overcome any of these issues by encrypting the files before storing them on the server. There are very simple, free encryption programs available that you could use to encrypt these files. You can make a dedicated password for each file using the medical record number from the billing company, for instance. Then no matter what happens with access to the server, the PHI you have stored there would be considered protected.

      By the way, you do have a BAA with the billing company, correct?

  30. Hello –

    If we have a patient who has recently changed their phone number and we are unable to reach them via phone but we do have their email address, would it be permissible to email them to contact us to update their phone number even if we have not obtained their permission to email them? Would this be part of “healthcare operations,” or would it be considered a HIPAA violation?

    • A provider sending an email to a patient is disclosing a very minimal amount of PHI, but this should be weighed against the urgency of your need to contact the patient. If the email is designed to prompt a call because you have important information to pass on to them, and you have already tried sending a notice via US Mail, then an email asking the patient to contact you may be justified, even if it potentially discloses a minimal amount of PHI, and provided the patient did not request not to be contacted via email.

      But if the email is being sent for the purpose of a routine update of a phone number, it is probably better not to use email for such a request in the absence of permission to send email to the patient.

  31. I have a medical condition that requires me to find a donor for transplant. I want my personnel group to send a mass e-mail describing my condition and will absolve them from HIPAA laws. Are there any canned forms in PA for absolving employers from distributing these types of e-mails where the employee is asking for help?

    • Vince, there is no particular form to use to give your authorization for such a mass email. I recommend you draft the text of the email you would authorize the personnel group to send on your behalf, and include a statement authorizing them to distribute it, and to whom, as part of your email to the personnel group. Just keep in mind once such an email goes out, it may not stay with the audience you have in mind. You should make sure you are OK with potentially unlimited dissemination of the information about your condition before taking such a step.

      By the way, I hope you are also on the official lists for donated organs managed by organizations such as the United Network for Organ Sharing (UNOS). You may also want to encourage people in your email to consider becoming organ donors by visiting websites such as organdonor.gov.

      Good Luck!

  32. Excellent site, very helpful

  33. I’ve had problems with the billing dept. at my doctor’s office. First they yelled out my current bill information to an entire waiting area & had patients complain about how it was handled. Secondly they emailed me and copied multiple people in their office including my doctor, which has now impacted our relationship. This was part of the email:

    It was brought to my attention that you had another visit with Dr. ******* on 2/10/2015 in our (specific) office and you could only afford to pay $5.00 toward your past due balance of $191.56. As I stated to you on 1/2/2015 you need to take care of your past due balance of $241.56, and provide us with your insurance card for any further treatment. You called in on 1/19/2015 and said you did not mean to miss your appointment on 11/24/2014, so as a courtesy we adjusted your account by $50.00 leaving your past due balance at $191.56.

    When you checked in to our (specific) office on 2/10/2015 you were aware of the fact that you needed to make full and final payment on your account prior to any more services being rendered. I have talked to you, and you have also been sent 3 past due collection letters from my office that state you are going to be placed with collections if you do not make payment. So instead of you taking care of the balance you made a fuss and made a payment of $(amount I paid) toward past due balance making the total amount due $(exact amount)

    Per Dr. ******* you will need to pay 50% of this past due balance which will be $ (exact amt) either prior to your appointment on 3/10/2015 or at the time of check in. Please keep in mind this is a requirement of you and we will not be able to render any further services until you take care of your past due balance. We have tried to work with you as much as possible, but you need to understand these are our office policies and these requirements are for ALL of our patients not just you.

    I realize this is incredibly unprofessional and I would assume it’s a violation, but I’m curious what you think? Because it’s so negatively affected my relationship with his office and now my health – I’m contemplating filing a complaint.

    • You may have grounds for making a complaint about a violation of your privacy rights, depending on any other details in the email, and if you gave the doctor’s office permission to send you email with PHI in it. Ask the office for the name of the Privacy Officer, and for a copy of their Notice of Privacy Practices. That should have information on how you can file a complaint with the Office of Civil Rights, who investigates potential privacy breaches.

      • Thank you, I genuinely appreciate your help. I see my doctor again tomorrow and I’ll ask for the info you mentioned while I’m there. When this was on top of the incident where she scolded me in front of an entire waiting area for having an outstanding balance, I just felt almost as if they didn’t take HIPAA seriously, nor did they understand that my health issues are a massive financial strain and it’s a very sensitive issue that doesn’t need to be translated to the entire office. Knowing that patients complained to the receptionist & they still thought to follow up with this email has me seriously concerned. I’ve had a relationship with this doctor for 5 years and it’s necessary for my survival to continue going to him because of a rare surgery, so I don’t want to be in fear of being a patient because of employees that don’t take these things seriously & treat them with utmost care. Thank you again, info came just in time & hopefully I can keep others from being treated this way.

  34. Hello,
    I was sent a rude email from my job regarding a patient’s insurance that was inactive. The insurance was Medicare. If you’re familiar with Medicare you would be aware that it states the patient’s social security number on it. To be “precise and smart” she then sent me a copy of the patient’s Medicare card. It wasn’t even an attachment. It was a copy printed in the email, and I believe his DOB was in this email as well, and his full name. Is that not against HIPAA? From my understanding internet use is not secure.

    • You are correct that email sent over the internet without the use of a secure, encrypted email application, cannot be considered secure. While the identifiers you mention can be part of Protected Health Information, they may not be considered PHI without any other health information, like services rendered or the type of healthcare provider being visited. That said, many states also have laws against disclosing personal information that may facilitate identity theft. Sending such information via internet email applications that are not secure may expose the sender to penalties and lawsuits if the information was intercepted and disclosed. Information such as name, social security number and birth date certainly fits into that category.

      • Thank you, and not to mention many emails are received through my employees’ cellphones. Everyone has their cell phone connected with their email, which means that patient’s information went to about 4 different cellphones.
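A pre-send check of the kind a practice could put in front of its outbound mail, as an added example that is not from the original post or The Fox Group: it flags a Social Security number (as printed on older Medicare cards, with or without the claim-number suffix letter) and a date of birth pasted into a message body, and redacts them. The sample message is constructed, and since a patient's name cannot be matched by pattern, the check is a backstop for the obvious identifiers rather than a substitute for an encrypted channel.

```python
"""Added example (not from the original post or The Fox Group): a pre-send check
that flags identity-theft indicators pasted into an outgoing email body, such
as a Social Security number from an older Medicare card or a date of birth,
and redacts them. The sample message below is constructed."""
import re

# SSN with optional separators and an optional Medicare claim-number suffix
# letter. Never-issued values are excluded: area 000, 666 and 900-999,
# group 00, serial 0000. Digit lookarounds avoid matching inside longer numbers.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}[A-Z]?(?!\d)"
)
# A date that follows a birth-date label within a few characters on the same line.
DOB_RE = re.compile(
    r"\b(?:dob|date of birth|born)\b[^\n\d]{0,20}(\d{1,2}/\d{1,2}/\d{2,4})",
    re.IGNORECASE,
)

SAMPLE_EMAIL = """\
Subject: Inactive insurance - visit on 2/10/2015

The Medicare card on file reads:
  Name: JOHN Q SAMPLE
  Medicare Claim Number: 123-45-6789A
  DOB: 01/02/1950
Please call the patient before the next visit.
"""   # constructed; the name and numbers are not real


def find_indicators(body):
    """Return (kind, value) pairs for each SSN or date of birth found in body."""
    findings = [("ssn", m.group(0)) for m in SSN_RE.finditer(body)]
    findings += [("dob", m.group(1)) for m in DOB_RE.finditer(body)]
    return findings


def redact(body):
    """Replace each flagged value so the message can be sent without it.

    A patient's name cannot be matched by pattern, so this is a backstop for
    the obvious identifiers, not a substitute for an encrypted channel.
    """
    body = SSN_RE.sub("[SSN REDACTED]", body)
    return DOB_RE.sub(
        lambda m: m.group(0).replace(m.group(1), "[DOB REDACTED]"), body
    )


if __name__ == "__main__":
    for kind, value in find_indicators(SAMPLE_EMAIL):
        print(f"blocked: {kind} {value}")
    print(redact(SAMPLE_EMAIL))
```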

  35. Can a probation department in Texas send medical information electronically to an Intermediate Sanctions Facility without violating HIPAA law?

    • From what we see on the state of Texas website about Intermediate Sanctions Facilities, with tracks for substance abuse treatment, etc., the ISFs would appear to be covered by HIPAA. It is an open question if a probation department qualifies as a covered entity, even if it is in possession of medical information that meets the definition of PHI.

      A probation department would seem to be an entity that is covered by the Texas Public Information Act, which may make such an email discoverable when a member of the public asks for it. There is also a Texas privacy law which may apply to any breach or unauthorized disclosure of “sensitive” information.

      While it may be permissible to email such information from the standpoint of HIPAA, it would be prudent to get an authorization from the person whose information it is to send it via email. This would go a long way to mitigating any claims of unauthorized disclosure, if the email were intercepted or otherwise made public unintentionally.

  36. I work for a government medical facility. Recently one of our supervisors sent out an email to educate staff on a certain procedure of calling the MD when a patient has been admitted to an off site facility. The email was not encrypted, and contained the patient’s name, identifying government patient number, housing, procedure done and date of procedure. Would this be considered a HIPAA violation?

    • It depends in part on the nature of the email system in use. If the email is sent within a closed network, for instance within a hospital using a hospital email server, then it can be argued that the PHI in the email was not exposed to potential disclosure. When email is sent over the internet with no encryption of PHI, that can be considered an instance of not protecting PHI in accordance with the Privacy Rule.

  37. Our company uses Outlook with Office 365. When sending shift reports, is it compliant to give first name and medication name and dose? The email is going out to an all staff group on the email.

    • You don’t specify the type of service your company provides, or the email application you are using. If everyone receiving these emails is using a yahoo email address, then you have to consider the email as going through public servers. Google maintains that emails sent from one gmail account to another are going through encrypted channels, so are safer than other email applications that are not using actual encryption of the contents. So this works as long as everyone sending and receiving these emails is using a gmail account.

      You also need to consider the approach you describe to using minimal identification when distributing the information. What happens when there are two patients with the same first name? It is always better to use a unique identifier, especially with something as sensitive as medication. For instance, you could use a unique medical record or account number with first and last initials, instead of a name, especially if these messages only pertain to a limited number of people and typically confirm the medication order is still the same.

Excellence since 1989

The Fox Group was founded in 1989 and has provided outstanding healthcare consulting and executive management services to domestic and international clients throughout the United States and Europe.
