Consultants To The Healthcare Industry
Call Us: (909) 931-7600

HIPAA and Email: there are rules

Jim Hook, MPH

HIPAA and EmailPart one of a two part series on HIPAA and email.

Email has been widely used by both business and the general public for much of the last twenty years, and reliance on it has found its way into the daily lives of millions.  Recently, email has become even more accessible with the introduction of the smartphone.  However, leave it to healthcare to throw a curve ball to this cozy relationship.  The fact is, HIPAA and email have long been at odds.

 

HIPAA Privacy and Security rules are concerned with email, and the web in general

Across the board, healthcare providers are increasingly

  • using, or
  • are considering using, or
  • are being asked to use,

email to communicate with patients about their medical conditions.  If you find yourself described here, then  it bears repeating that the Internet, and things like email sent over the Internet, is not secure.  Although it is unlikely, there is a possibility that information included in an email can be intercepted and read by other parties besides the person to whom it is addressed.  And it’s that “possibility” that becomes the area of focus.

 

HIPAA and email can coexist … it’s a matter of understanding the rules

So what do the Privacy and Security rules allow – or prohibit – when it comes to HIPAA and email?

Under many of the HIPPA regulations, the standards call for reasonable safeguards, reasonable approaches, reasonable policies, etc.  But what is considered reasonable?  The Office of Civil Rights (OCR) of the Department of Health and Human Services includes several statements on its HIPPA FAQs page.  Notably …

“The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”

What if a patient initiates communications with a provider using email?  The OCR says:

“Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.”

Must providers acquiesce to use of email for communications with patients?

Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.

The OCR also interprets the HIPAA Security Rule to apply to email communications.

“The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.

 The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”

 

To summarize the rules that apply to HIPAA and email …

  • Email communications are permitted, but you must take precautions;
  • It is a good idea to warn patients about the risks of using email that includes patient health information (PHI);
  • Providers should be prepared to use email for certain communications, if requested by the patient, but must ensure they are not exposing information the patient does not want shared; and
  • Providers must take steps to protect the integrity of information and protect information shared over open networks.

 

HIPAA and email continued …

So how should healthcare providers ensure they’re using HIPAA compliant emailI’ll cover that in Part II of this series.  Stay tuned.

 

45 Comments to “HIPAA and Email: there are rules”

  1. So…In light of all this, I have a question regarding HIPPA compliant email protocol for a clinical counseling practice. In communications with our phone answering service, they will often email us to let us know our clients have scheduled appointments using abbreviated names. For example, for “Bobby Howard” they might say, “Bobby Ho called today and scheduled an appointment for DD/YY at XX pm.” It’s terribly confusing to me, especially given that we might have a client actually named “Bobby Ho”! So, can client full first and last names be used? If not, I think a preferable alternative would be first initial, last name. “B. Howard”. Is there a rule here?

    Thanks – great article!

    Ryan

    • Ryan, the rules are the same old rules, whether email communications are directly between providers and patients or between providers and a vendor like an answering service: don’t put PHI into an unsecured email. An email to a provider of any kind with a patient’s name and the fact that they have an appointment could be considered a breach, even if the likelihood of the email being intercepted by someone who shouldn’t have it and the patient being identified, is vanishingly small. Using an abbreviated name of any kind has it’s own problems. What if you have more than one patient with the same first initial and last name? And adding another identifier like a birth date only makes it worse.

      There are several possible solutions as we outlined in the blog, like getting a patient’s consent to allow emails about appointments or using a HIPAA compliant email system. The answering service could simply draft emails but not send them, and instead, fax over copies of the unsent emails in the morning. Of course they would have to delete the drafts religiously so nothing is sent inadvertently. They could also just keep a typed list that they fax over.

      If there was ever a complaint alleging a breach of privacy, both the answering service and your organization could be in trouble: the answering service for committing the breach, and your organization for not enforcing the provisions of the Business Associate Agreement you should have in place with them.

      There has not been a major breach case involving email as yet, but there is almost certain to be one once a patient complains to the Office of Civil Rights that privacy was breached because emails with PHI were made public. Don’t be the test case for that occurrence!

  2. do you have any suggestions of some HIPAA compliant email services?

    • Naomi, we don’t recommend specific products. If you do a search for HIPAA Compliant Email, you will see products by several vendors. I recommend reviewing two or three to find one that meets your needs.

  3. I have an ex-spouse who is trying to have emails I send to my son’s therapist forwarded to him. These emails are very private and include information about how his day/week went and my own personal concerns about situations.
    It’s obvious this is an issue of control and I’m aware of HIPPA. When it comes to my emails to the therapist, does my ex-husband have access to them or do they remain private?

    • Marie, the rules on disclosure of PHI (personal health information) that apply to Covered Entities, like a therapist, are pretty clear: PHI cannot be disclosed to outside parties without the consent of the patient, or a person authorized to give consent for the patient. There are several exceptions, of course, like disclosures for healthcare operations such as billing and making referrals to other providers. From your description, it is not clear if your emails become part of the patient’s medical records, which would make them PHI. Any Covered Entity using email to communicate with patients should get written consent for using email, and, if possible, use an email application that is encrypted.

      Your situation also points up one of the disadvantages of using email to conduct discussions about private health information. It is very convenient, but you can never be sure it will not be compromised, just because of the nature of the internet, or because of the ease of sharing, whether authorized or not. In the end, it sounds like you need to discuss the issue with the therapist.

  4. Can a pediatric practice email or fax vaccine records to parent of patient without written consent?

    • Laura, faxing is considered a secure method of sending records containing PHI (which would include vaccine records), but you should have the parent’s approval to fax them. You can record a note in the medical record that the parent requested the records be faxed, and that’s what you did, or you can ask the parents to complete a regular release of records form that includes faxing as the method of delivery.

      Sending these records by email (by which we mean regular, unsecured email) is more problematic. If you do not have a secure email application to use to send them, then you definitely should have consent in writing to use email to send the information. As part of that consent, you should warn the parents that email is not considered a secure method of transmission, and the records are subject to being found and accessed by someone else. The idea is to make it an informed consent.

  5. I just received an email from my ob/gyn about a health fair they are having. I can see the names of all recipients of the email. Is this a violation?

  6. I recently received email correspondence from a government body with a different person’s name and address. Is this still considered a violation of hippa?

    • You don’t specify if the content of the email contained personal health information about another person. If it does, it could be a HIPAA violation. If it does not contain PHI, it would not be covered by HIPAA.

  7. Is it PHI under HIPAA if a patient’s name is included in an email regarding a) a check that was received by a practice or b) a bounced check paid to the practice by a patient?

    • Barbara, this is something of a grey area. You don’t specify the exact email exchange, but if you sent an email to a patient regarding a bounced check, with no information about the services received, dates, etc., then it may not be considered a breach of privacy. To be safe (or at least safer), it is always best to obtain the patient’s consent before there is any correspondence via unsecured email. Or, make use of a HIPAA-compliant email application, of which there are several to choose from.

      If your patient complained to the Office of Civil Rights that his/her privacy was violated because of the use of email to correspond, even about payment, you are at the mercy of the OCR attorney assigned to investigate the complaint. They are going to assume a covered entity like a medical practice knew the rules and the guidance they have issued, even if patients didn’t object at the time.

  8. My employer plans to replace a patient portal product in the future. The patient portal allows the patient to send secure messages to their care provider as well as view lab results, renew prescriptions and schedule appointments. With the current patient portal, the patient’s email address is collected and stored as demographic data.

    When it comes time to bring the new patient portal on line, methods to inform current patient portal users are in discussion. One of the options suggested is to send a “blast email” to the patients who are actively using the current patient portal. Notifying by email those patients who gave their email address seems like a quick and efficient method to get the word out that the patient portal vendor is changing.

    The patient’s name would not be included in the email, but the patient’s email will be used. No other patients will see another patient’s email address and no other PHI except for the patient’s email address will be used.
    Under HIPAA guidelines, would this approach be acceptable?

    • The answer depends on the terms and conditions that apply to patients who sign up to use the portal. Are there specific provisions that advise patients their email address is collected and may be used to contact them in the future? If not, when the Office of Civil Rights comes to investigate a complaint from someone, they may decide you did not employ reasonable safeguards when using email to communicate.

      The general advice from the FAQs page of the OCR regarding use of email (http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html) advises providers to employ reasonable safeguards when using email for communications, and even sending a test email prior to sending an email with actual information to confirm you have the right email address. One of the issues that comes up with test emails or with the blast email notification regarding the portal, is that you have no idea who may be reading the email at the patient end, including family members who are sharing the email address and who didn’t know the patient was going to the provider! We always recommend documenting consent from the patient on the use of email during a visit, so there is no question about it’s use.

      What about posting the change on the current portal and even redirecting patients to the new portal location when they attempt to login after the change. That way patients get notified and redirected at exactly the time they are seeking to connect. And it leaves aside any questions about the use of email for this purpose.

  9. My employer is requiring me to Email my Healthy-You results to some third-party person. Joanna (somebody ) at some Email.com. I have no idea who this person is, and under duress of being charged $900 to pickup additional insurance costs, I am having to consider doing this. Not only do I have to submit this information my children covered under the plan also have to submit it. I have no idea what they are going to do with the information. This information will contain my name, and test results. I also have to access their website and fill out a questionaire about my ‘lifestyle’.
    Is this legal?

    • Charles, your question raises several other questions. First, we at The Fox Group do not consider ourselves arbiters of legal or illegal practices. That said, we would advise anyone who is asking for information containing PHI (which your test results probably are) to make sure they have a way for people to send them this information via a secure email system, or input it into a website with a secure portal. It is not a violation of the HIPAA Privacy Rules for an individual to use an unencrypted or non-secure method to send their personal information electronically. Interception of emails and attachment by third parties may be extremely unlikely, but it is not impossible. You may want to talk to your employer about your discomfort with sending material over an unsecured email channel, but your employer (assuming he or she is not a healthcare provider) is not covered by HIPAA regulations.

      As far as entering information in a website, if the url is “https”, then it is a secure channel and there is no HIPAA privacy or security issue.

  10. I am finding that, even after attending a HIPAA webinar, the e-mail rules are not the clearest. My specific question is, would it be okay to send e-mails using Microsoft Outlook/Outlook Web App, within our organization, including the first initial, last name, and DOS? For example, “Can you please fax the report from J. Doe’s 01/01/0001 visit to the insurance?” If not, what amount of information would be acceptable to send from one individual to another, within our organization, only?

    Thanks!

    • The thing about sending emails within your organization is that, unless they are going out within a closed network, they may still be traveling over the internet and be subject to interception. An email from an organization with an address that allows the unintended recipient to determine it is from a medical provider (and in your case, a specific type of provider), the name of the patient and the date of service, discloses that the patient had a medical service at that organization on a specific date. This may be minimal exposure of PHI, but it may be enough for the investigative authorities to decide it is a breach. Options you could use would include using the account number instead of a name, or even using encryption/decryption software to encrypt a document with the information you are trying to transmit. There are free programs available that could be used, and you can standardize the password so you do not have to worry about that aspect. The former is very simple; the latter more complicated but lends itself to more information being trasmitted.

  11. We are testing our care portal. So to remind patients to access their portal for an upcoming appointment can we send an email from Microsoft office 365 (hipaa compliant) to the patient with a notice to check our care portal for “a secure announcement”. Also put the disclaimer and warning at the bottom that the should share only minimal ephi and are encouraged to use the portal to send secure messages back to our office rather than replying to our careportal email back. what do you think

    • An email message to a patient encouraging them to visit your patient portal is probably innocuous enough to go out as a non-encrypted email. We strongly recommend you have documentation of consent to send any email to patients before sending even an email like the one you describe. You just never know who is reading the email at the other end, and sometimes even family members are visiting healthcare providers without telling each other. We would also recommend your disclaimer reminds patients that email is not a secure method of communicating with you, and that they should not include any personal health information in an email. Only communications sent through the portal are secure. There is some suggested language in the second part of the series on this topic at http://www.foxgrp.com/blog/hipaa-compliant-email/.

      I am not sure why you describe Microsoft Office 365 as “HIPAA Compliant”. You may have secure channel to your applications in the cloud, but that does not mean if you send an email from a cloud application that it is arriving at the destination via a secure channel.

  12. Is it a violation if you email a co-worker a patient refund request? It would include patient name and address and the dollar amount?

    • Kathy, you don’t specify if the email you are using is an intra-network (contained in the business), or if it uses any external connectivity, servers, etc. It can be problematic to put too much information in an email that uses external connectivity, even when the information you are sending is limited. A name, address and a link to a specific practice, especially if it identifies the type of specialty, could be a violation if it were ever intercepted. You might consider using a patient’s account number to identify the patient, if that permits the person at the other end to identify the patient properly for the purpose of a refund.

      • Thank you,it is external connectivity. If you email a patient name and or with an address but no clinic to identified the specialty, is that too considered a violation?
        On a different subject, what if a billing resource gave credential information via email? for example: a clients provider number, NPI, SSN and provider website access? Would that be a HIPAA violation?

  13. We are in the process of updating our policy regarding mailing medical records to authorized parties, i.e., insurance, auditors, etc. I’m having difficulty finding information on emailing an entire record (encrypted). Am not necessarily seeing anything prohibiting the use of encrypted email to send patient records. But I’m not really seeing anything addressing the complete record either. Thank you very much

    • Elizabeth, there is no distinction between the rules for emailing PHI that represents a minimum amount of information vs. an entire patient medical record. If the text of the email has enough information to identify the patient and where he or she was treated. the email should be encrypted. If there is an attachment with PHI, we would recommend encrypting the attachment separately so in case the email wound up in an unprotected state, the attachment still could not be viewed without a separate password.

  14. In my pediatric practice we use a secure patient portal and we just started using constant contact to send newsletter type regular emails to our patients that contain no PHI. My Partner just received a “Happy Birthday” email from his car dealership on his Birthday. He would like to send “Happy Birthday” emails via Constant Contact to all our patients as their birthdays come up as a nice gesture and a subtle reminder to make an appointment for their yearly visit if they have not made one already. If these insecure emails go out with a first name and no other information (except an implied DOB from the date the email was sent) is it a HIPAA violation? The ePHI is first name, likely last name in the email and DOB. Also assume we have not asked for permission from the family to send this email. In summary, if the email gets into the wrong hands, is knowing someone’s DOB, name, and the fact that they are patients of our practice enough to make it a violation?

    • Andy, the short answer is yes, you may be found to be violating a patient’s privacy by sending an email, even one with minimal information, if you are sending emails to patients without the consent of a parent or someone who can give consent. In some states, even an email address is considered personal identifying information that should not be used without consent. Would the emails go to the patient’s email account? Is the patient a minor? Given the sensitivity of electronic communications with children, it is even more important to have documented consent.

      The HIPAA Omnibus Final Rule of 2013 also contained some important clarifications and extensions on the use of PHI for marketing purposes. See our blog on the topic at http://www.foxgrp.com/blog/sale-of-phi/. While a healthcare provider sending its patients a reminder about a recommended service may be permitted without specific patient consent to use PHI for marketing, a third party Business Associate sending such a reminder (presumably being compensated for the service) definitely seems to fit into a category where patient consent to use PHI for marketing purposes is required. If reminder messages are part of the activities you plan on using a service like Constant Contact for, getting consent from parents to send such notices or other marketing materials should also obtained.

      Electronic communications can definitely improve patient satisfaction and communication of important issues, but must be done with utmost caution, especially when minor children are involved.

  15. I just requested a billing company send me a fill statement of services, not kist the total bill. I asked that it be emailed. She refused citing HIPAA. I said I would send am email authorizing this email and releasing them. I was told this is not allowed under HIPAA. This seems foolish. My bill, my services, my consent. What’s the problem? True or another “we can’t do anything because of HIPAA” excuse?

    Thanks!

    • A written authorization from you allowing the billing company to send you a full statement of services, that may contain PHI, via email, should be enough for the company to send you the information you have requested. You might try contacting the healthcare organization that the billing company is working for to see if they can help convince the billing company to send you the information, or have the billing company send them the statement and they can forward it to you.

  16. Thank you very much for offering your opinion. I appreciate it!

  17. If a person accidentally emails a spreadsheet to a non-corporate mailing list containing information of a community clinic program (like a Yoga class) associated to a hospital department with names, addresses, phone numbers, age, a diagnosis (not codes – just words – spinal, cva right side), and payment status (no other financial info)? The names could be former patients or community members involved in the program. Their is no identifier stating they were or were not a patient of the hospital, just that they did or did not pay for participation in the clinic program. We consider them clients of the program, but are not patients in the hospital when they opt to participate in the program/class.

    • It sounds like you have a breach on your hands. As soon as you have diagnosis information, whether verbal description or ICD9 codes, plus other identifiers, like names, etc., you have PHI, and per your email, it has been potentially disclosed to persons who do not need it and should not have it. You should contact your organization’s Compliance Officer and let them know what has happened. Also, you should figure out who all received the spreadsheet and prepare to ask them to return it or delete it ASAP. Good luck!

  18. Hi. I am trying to firm up our email policy for the interim period before we are able to invest in an encrypted email system that will be internal to a new portal system for our organization. We need to be able to email a prescription medication name and some type of identifier for the patient in order to clarify a prescription order for that patient. We only communicate by email with providers – not patients.

    In your response to Crystal D in #10 above, you suggest using an account number instead of a patient name to communicate with patients in an unencrypted email setup. I would like for our policy (again, in the interim) to say that our organization will not use patient names OR initials together with information about their medications, but will only use the 16 digit random number generated and assigned by our portal. Using this number that could only connect to PHI by hacking or legitimately accessing our online portal would seem to eliminate the ability to associate PHI in a hacked email system with actual patient initials, which could theoretically be guessed.

    Given that, I am still confused as to how it would be okay to email a medical record number through an unencrypted system, if “Medical Record Numbers” is one of the identifiers listed in HIPAA for identifying PHI. Is that correct? While this may still be PHI, in my mind for the interim period, this is preferable to initials, as there is less chance that the email AND the HIPAA-compliant portal system could be compromised for a true breach.

    Any thoughts would be appreciated. Thanks!

    • As you noted, in my reply to Crystal D., I mentioned using account numbers. The context was Crystal asking about emails being sent to other persons in her organization, who presumably have access to the account number in the email, and can then respond to the request intelligently. The communication was not with patients, at least as she described it.

      You are describing a situation where you want to communicate with other providers about clarifying prescriptions. I assume the other provider would be a pharmacy. You also mention you have or are about to have a portal for the organization.

      Most portal systems operate using https, or secure channels, when information goes over the internet via a portal. That usually addresses the issue of security of the info. Use of any number, even one generated by the portal application, has to be accessible to both parties for messages to be understood and acted upon properly.

      The best I can recommend is, if communication via email (plain vanilla email, going out via your computer or server) is required in the interim prior to the availability of a secure portal, you could add an identifier to the original prescription form, that could be referenced by the pharmacy when you have to send these clarifications. The identifier could certainly be a random number generated by your portal, as long as the pharmacy can relate the number to the patient in question. Of course, faxing a clarification is also a secure way to communicate with a pharmacy.

      I hope this helps!

  19. what is the info is a pdf with just a first name and room number and details about status of patient?

    • Gloria, you do not specify who is sending and receiving this information. A form being emailed with the information you describe, but where it is possible to infer the location (a hospital?) and then locate the hospital and identify the person, is a situation waiting for exploitation. It would be better to use a number of some kind that is difficult to readily associate with a patient, rather a first name and room number. You have to think: how easy would it be for me to identify a person if I knew what hospital they are in, the first name and the room number? Not very hard, I think.

  20. Hello, My wife is participating in a clinical study. The lead investigator sent an email communication to the study participants and my wife’s and the other e-mail addresses are all visible to the other recipients and other investigators and physicians. At least my wife’s, and it appears that many of the other e-mail addresses contain first initial and last name information. Your thoughts would be appreciated. Thank you.

    Here is the text of the e-mail with my redactions:

    “Dear participants:

    I am writing to stress your obligation to be at XXXXXX Care Center on the scheduled time and date (something you had agreed to do when signing the Consent Form). Cancelling at the last minute is a waste of time for the clinicians that were there and a waste of taxpayers’ money who fund this research. It is unacceptable behavior where there is no serious medical reason, and I have the authority to remove from study anyone who does not respect their appointment. I hope I do not have to do that.

    To help you, we have simplified the scheduling communication for coming weeks. XXXXXX XXXX Medicine Center has agreed that from now on scheduling for the virtual reality system will be done by our staff at XXXXXX, where therapy takes place. You will receive a call from Mr. XXXXXX XXXXX who is the computer engineer working with the experimental equipment in your room at XXXXX. His cell number is XXXXXXX. His email is XXXXX@gmail.com. Please email or text him your name and cell number as well.”

    • Ken, this type of communication is certainly borderline, for two reasons: Email addresses in some states are considered confidential information, so sending an email in such a way that all other email addresses are also disclosed, and coupled with name of the facility where the clinical trial services are offered, certainly is questionable from a privacy standpoint. Its borderline because apparently the clinical condition being studied is not mentioned directly.

      The organization administering the Clinical Trial could certainly ameliorate this concern by having all participants consent to receiving information, even protected health information, via email or text. And anyone sending mass emails can do it in such a way so as to avoid disclosing the email addresses of all the other participants.

      Let us hope the clinical study produces results for your wife and others that far exceed the borderline privacy concerns participants may have, and come about in spite of the level of customer service skill the lead investigator displayed in his message. Good luck.

  21. I am not sure if you can answer this, but my question is, now there are smartphones, I had a patient send in a picture of their Rx for medical equipment. Do you think this is acceptable ?

    At first, I thought absolutely not, but then I thought how Rx are faxed every day, is there a difference ?

    What are your thoughts or do you know where I can get an answer?
    Thank you.
    Pam

    • Texting is no more secure than regular (unecrypted) email. Faxing, up until recently, was considered secure because faxes were sent from point to point over telephone lines, not through the internet. With the advent of VOIP, including for use in faxing, even that may have to be reconsidered since it is a form of internet transmission. In any case, unless the sender is using an encryption application to send text messages, of which there are several now, you should avoid encouraging patients to text (or email) PHI to you.

  22. An email sent through the encrypted email network of the hospital from one student to another containing patient last name and room number?

    • Assuming the premise of a secure email network is correct, sending PHI through such a network should be in compliance with HIPAA.

  23. We use gmail for our inter-office communication. We have a password protected firewall associated with our office computer system. Can we supply patient first name, last name and DOS if we are trying to convey a message between each other. Some of our therapists do not have access to our system with the account numbers of our patients.

    • Although Google claims that emails sent within it’s server network go via TSL security protocol, which means they are encrypted, that is only true if the emails stay within the Google domain. Therapists who send you emails with PHI that are not routed exclusively in the Google domain would not be protecting PHI as required under HIPAA. Google also offers an encryption solution that may help (Postini) and is compiling statistics on how many people are using encryption when sending emails. https://www.google.com/transparencyreport/saferemail/

Leave a Reply

Excellence since 1989

The Fox Group was founded in 1989 and has provided outstanding healthcare consulting and executive management services to domestic and international clients throughout the United States and Europe.

Languages

EnglishChinese (Simplified)GermanFrenchSpanishDutch

Twitter