Part one of a two-part series on HIPAA and email.
Email has been widely used by both business and the general public for much of the last twenty years, and reliance on it has found its way into the daily lives of millions. It has become even more accessible and ingrained in our routines via our obsession with the smartphone. However, leave it to healthcare to throw a curve ball to this cozy relationship. The fact is, HIPAA and email have long been at odds.
HIPAA Privacy and Security rules are concerned with email and the web in general
Across the board, healthcare providers are increasingly
- using, or
- are considering using, or
- are being asked to use,
email to communicate with patients about their medical conditions. If you find yourself described here, then it bears repeating that the Internet, and things like an email sent over the Internet, is not secure. Although it is unlikely, there is a possibility that information included in an email can be intercepted and read by other parties besides the person to whom it is addressed. And it’s that “possibility” that becomes the area of focus.
HIPAA and email can coexist … it’s a matter of understanding the rules
So what do the Privacy and Security rules allow – or prohibit – when it comes to HIPAA and email?
Under many of the HIPAA regulations, the standards call for reasonable safeguards, reasonable approaches, reasonable policies, etc. But what is considered reasonable? The Office of Civil Rights (OCR) of the Department of Health and Human Services includes several statements on its HIPAA FAQs page. Notably …
“The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”
What if a patient initiates communications with a provider using email? The OCR says:
“Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.”
Must providers acquiesce to use of email for communications with patients?
Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.
The OCR also interprets the HIPAA Security Rule to apply to email communications.
“The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.
The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”
To summarize the rules that apply to HIPAA and email …
- Email communications are permitted, but you must take precautions;
- It is a good idea to warn patients about the risks of using email that includes patient health information (PHI);
- Providers should be prepared to use email for certain communications, if requested by the patient, but must ensure they are not exposing information the patient does not want to be shared; and
- Providers must take steps to protect the integrity of information and protect information shared over open networks.
HIPAA and email continued …
So how should healthcare providers ensure they’re using HIPAA compliant email? I’ll cover that in Part II of this series. Stay tuned.