Part one of a two-part series on HIPAA and email.
Email has been widely used by both business and the general public for much of the last twenty years, and reliance on it has found its way into the daily lives of millions. Recently, email has become even more accessible with the introduction of the smartphone. However, leave it to healthcare to throw a curve ball to this cozy relationship. The fact is, HIPAA and email have long been at odds.
HIPAA Privacy and Security rules are concerned with email, and the web in general
Across the board, healthcare providers are increasingly
- using, or
- are considering using, or
- are being asked to use,
email to communicate with patients about their medical conditions. If you find yourself described here, it bears repeating that the Internet, and email sent over it, is not secure by default. Ordinary email is encrypted, if at all, only between one mail server and the next, and every server on the path holds a readable copy. So although it is unlikely, there is a real possibility that information included in an email can be intercepted and read by parties other than the person to whom it is addressed. And it is that “possibility” that becomes the area of focus.
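One concrete way to see what "not secure" means is to read the Received: trail that a delivered message carries: each relay records whether the SMTP session that handed it the message used TLS. The block below is an added example for this page, not code from the original post. It audits a constructed sample message (the hostnames, queue IDs and dates are made up) with Python's standard library and lists the hops that show no TLS marker. Two limits the code cannot lift: Received: lines are written by the relays themselves, so only hops operated by parties you trust say anything reliable, and even an all-TLS trail is hop-by-hop protection, with each relay holding the message in readable form.

```python
"""Audit the transport-security markers in an email's Received: trail.

Added example for this page, not code from the original post. It parses a
constructed message (below) and reports, hop by hop, whether the relaying
server recorded a TLS-protected SMTP session (an RFC 3848 "with ESMTPS" /
"ESMTPSA" keyword or a "version=TLS..." clause). A hop with no such marker
was, as far as the headers show, a cleartext SMTP session.
"""
import re
from email import message_from_bytes, policy

# Constructed sample, not a real capture: three hops, the middle one in cleartext.
SAMPLE_MESSAGE = b"""\
Received: from mx.clinic.example (mx.clinic.example [192.0.2.10])
\tby mail.provider.example with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256);
\tMon, 1 Jan 2024 10:00:02 +0000
Received: from relay.answering-service.example (relay.answering-service.example [198.51.100.7])
\tby mx.clinic.example with ESMTP id def456;
\tMon, 1 Jan 2024 10:00:01 +0000
Received: from workstation.answering-service.example (unknown [203.0.113.5])
\tby relay.answering-service.example with ESMTPSA id ghi789
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
\tMon, 1 Jan 2024 10:00:00 +0000
From: service@answering-service.example
To: frontdesk@clinic.example
Subject: Appointment scheduled

Bobby Howard called and scheduled an appointment.
"""

_FROM = re.compile(r"\bfrom\s+(\S+)")
_BY = re.compile(r"\bby\s+(\S+)")
_WITH = re.compile(r"\bwith\s+(\S+)")
# RFC 3848 protocol keywords for a TLS session contain "SMTPS" (ESMTPS, ESMTPSA,
# UTF8SMTPS ...); many MTAs additionally log a "version=TLS..." clause.
_TLS_PROTO = re.compile(r"SMTPS", re.IGNORECASE)
_TLS_CLAUSE = re.compile(r"\bversion=TLS|\bTLSv?1", re.IGNORECASE)


def audit_received_hops(raw: bytes) -> list[dict]:
    """Return the message's hops in delivery order, each with a tls flag."""
    msg = message_from_bytes(raw, policy=policy.default)
    hops = []
    # Each relay prepends its Received: line, so the last header is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", str(value))   # collapse header folding
        m_from, m_by, m_with = _FROM.search(text), _BY.search(text), _WITH.search(text)
        proto = m_with.group(1) if m_with else ""
        hops.append({
            "from": m_from.group(1) if m_from else "?",
            "by": m_by.group(1) if m_by else "?",
            "protocol": proto,
            "tls": bool(_TLS_PROTO.search(proto) or _TLS_CLAUSE.search(text)),
        })
    return hops


def cleartext_hops(raw: bytes) -> list[str]:
    """Hops whose Received: line records no TLS marker, as 'from -> by'."""
    return [f"{h['from']} -> {h['by']}" for h in audit_received_hops(raw) if not h["tls"]]


if __name__ == "__main__":
    for hop in audit_received_hops(SAMPLE_MESSAGE):
        status = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f"{status:9} {hop['from']} -> {hop['by']} ({hop['protocol'] or 'unknown'})")
    print("cleartext hops:", cleartext_hops(SAMPLE_MESSAGE))
```

Run against a message from a business associate, the output tells you which leg of the path, if any, carried the appointment details in the clear; in the sample it is the answering service's relay handing off to the clinic's MX.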
HIPAA and email can coexist … it’s a matter of understanding the rules
So what do the Privacy and Security rules allow – or prohibit – when it comes to HIPAA and email?
Under many of the HIPAA regulations, the standards call for reasonable safeguards, reasonable approaches, reasonable policies, and so on. But what is considered reasonable? The Office for Civil Rights (OCR) of the Department of Health and Human Services includes several statements on its HIPAA FAQs page. Notably …
“The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”
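The "address confirmation prior to sending" precaution in the OCR statement above is, in implementation terms, a mailbox-verification round trip: send a link carrying a signed, time-limited token to the address, and release PHI only after the token comes back from that mailbox. The block below is an added example, not code from the original post or from OCR. It builds such tokens with HMAC-SHA256; the secret key, the 24-hour lifetime and the in-memory registry of confirmed addresses are assumptions made for illustration.

```python
"""Signed, expiring tokens for confirming a patient's email address before any
PHI is sent to it.  Added example for this page, not code from the original
post or from OCR.  Assumed for illustration: a per-deployment secret key, a
24-hour token lifetime and an in-memory set of confirmed addresses (a real
deployment keeps the key in a secrets store and the set in a database)."""
import base64
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)   # assumption: loaded from a secrets store in practice
TOKEN_TTL = 24 * 3600                  # assumption: confirmation links expire after a day
_MAC_LEN = hashlib.sha256().digest_size


def _normalize(address: str) -> str:
    # Assumption: addresses compare case-insensitively (domain always; local part usually).
    return address.strip().lower()


def _mac(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_token(address: str, issued_at: int, key: bytes = SECRET_KEY) -> str:
    """Token to embed in the confirmation link: address|timestamp + HMAC-SHA256."""
    payload = f"{_normalize(address)}|{issued_at}".encode()
    return base64.urlsafe_b64encode(payload + _mac(payload, key)).decode().rstrip("=")


def verify_token(token: str, address: str, now: int,
                 key: bytes = SECRET_KEY, ttl: int = TOKEN_TTL) -> bool:
    """True only if the MAC checks, the address matches and the token is unexpired."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        payload, mac = raw[:-_MAC_LEN], raw[-_MAC_LEN:]
        # Constant-time compare so a forger learns nothing from timing.
        if not hmac.compare_digest(mac, _mac(payload, key)):
            return False
        addr, _, issued = payload.decode().rpartition("|")
        age = now - int(issued)
    except ValueError:            # bad base64, bad UTF-8 or non-numeric timestamp
        return False
    return addr == _normalize(address) and 0 <= age <= ttl


_confirmed: set[str] = set()   # assumption: stands in for a persistent store


def confirm_address(token: str, address: str, now: int, key: bytes = SECRET_KEY) -> bool:
    """Called when the patient follows the link; records the address on success."""
    if not verify_token(token, address, now, key):
        return False
    _confirmed.add(_normalize(address))
    return True


def may_send_phi(address: str) -> bool:
    """Gate every outbound PHI message on a completed confirmation."""
    return _normalize(address) in _confirmed


if __name__ == "__main__":
    patient = "Pat.Example@example.org"
    now = int(time.time())
    link_token = issue_token(patient, now)
    print("send PHI before confirmation?", may_send_phi(patient))
    print("patient follows link:", confirm_address(link_token, patient, now + 600))
    print("send PHI after confirmation?", may_send_phi(patient))
    print("stale link accepted?", verify_token(link_token, patient, now + TOKEN_TTL + 1))
```

The token binds the address and the issue time under the server's key, so a link forwarded to a different mailbox, edited, or used a day later is rejected, and a typo in the address simply never gets confirmed. The confirmation email itself must carry no PHI, since it is the one message that goes out before the address has been proven.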
What if a patient initiates communications with a provider using email? The OCR says:
“Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.”
Must providers acquiesce to use of email for communications with patients?
Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.
The OCR also interprets the HIPAA Security Rule to apply to email communications.
“The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.
The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”
To summarize the rules that apply to HIPAA and email …
- Email communications are permitted, but you must take precautions;
- It is a good idea to warn patients about the risks of using email that includes protected health information (PHI);
- Providers should be prepared to use email for certain communications, if requested by the patient, but must ensure they are not exposing information the patient does not want shared; and
- Providers must take steps to protect the integrity of information and protect information shared over open networks.
HIPAA and email continued …
So how should healthcare providers ensure they’re using HIPAA compliant email? I’ll cover that in Part II of this series. Stay tuned.
So…In light of all this, I have a question regarding HIPAA compliant email protocol for a clinical counseling practice. In communications with our phone answering service, they will often email us to let us know our clients have scheduled appointments using abbreviated names. For example, for “Bobby Howard” they might say, “Bobby Ho called today and scheduled an appointment for DD/YY at XX pm.” It’s terribly confusing to me, especially given that we might have a client actually named “Bobby Ho”! So, can client full first and last names be used? If not, I think a preferable alternative would be first initial, last name. “B. Howard”. Is there a rule here?
Thanks – great article!
Ryan
Ryan, the rules are the same old rules, whether email communications are directly between providers and patients or between providers and a vendor like an answering service: don’t put PHI into an unsecured email. An email to a provider of any kind with a patient’s name and the fact that they have an appointment could be considered a breach, even if the likelihood of the email being intercepted by someone who shouldn’t have it and the patient being identified is vanishingly small. Using an abbreviated name of any kind has its own problems. What if you have more than one patient with the same first initial and last name? And adding another identifier like a birth date only makes it worse.
There are several possible solutions as we outlined in the blog, like getting a patient’s consent to allow emails about appointments or using a HIPAA compliant email system. The answering service could simply draft emails but not send them, and instead, fax over copies of the unsent emails in the morning. Of course they would have to delete the drafts religiously so nothing is sent inadvertently. They could also just keep a typed list that they fax over.
If there was ever a complaint alleging a breach of privacy, both the answering service and your organization could be in trouble: the answering service for committing the breach, and your organization for not enforcing the provisions of the Business Associate Agreement you should have in place with them.
There has not been a major breach case involving email as yet, but there is almost certain to be one once a patient complains to the Office of Civil Rights that privacy was breached because emails with PHI were made public. Don’t be the test case for that occurrence!
do you have any suggestions of some HIPAA compliant email services?
Naomi, we don’t recommend specific products. If you do a search for HIPAA Compliant Email, you will see products by several vendors. I recommend reviewing two or three to find one that meets your needs.
I have an ex-spouse who is trying to have emails I send to my son’s therapist forwarded to him. These emails are very private and include information about how his day/week went and my own personal concerns about situations.
It’s obvious this is an issue of control and I’m aware of HIPAA. When it comes to my emails to the therapist, does my ex-husband have access to them or do they remain private?
Marie, the rules on disclosure of PHI (personal health information) that apply to Covered Entities, like a therapist, are pretty clear: PHI cannot be disclosed to outside parties without the consent of the patient, or a person authorized to give consent for the patient. There are several exceptions, of course, like disclosures for healthcare operations such as billing and making referrals to other providers. From your description, it is not clear if your emails become part of the patient’s medical records, which would make them PHI. Any Covered Entity using email to communicate with patients should get written consent for using email, and, if possible, use an email application that is encrypted.
Your situation also points up one of the disadvantages of using email to conduct discussions about private health information. It is very convenient, but you can never be sure it will not be compromised, just because of the nature of the internet, or because of the ease of sharing, whether authorized or not. In the end, it sounds like you need to discuss the issue with the therapist.