by Evan M. Gwilliam DC MBA BS CPC CCPC QCC CPC-I MCS-P CPMA CMHP
October 24th, 2014
Straight from the Office of Civil Rights:
Q: Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?
A: Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.
Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient.
By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated. Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.
For more information about the HIPAA Privacy Rule, Health Information Technology requirements click here.
In other words, you don’t have to use encrypted emails, but that does not mean that you shouldn’t. As one attorney puts it, “Emailing without encryption is a whole lot like playing squash without goggles; sure you may not get hit in the eye, but you could have avoided a pretty serious injury easily.” Providers should perform due diligence as they determine what level of protection they feel comfortable with. Do not work with an email encryption service that does not require a Business Associate Agreement. Here are a few companies that claim to be “HIPAA Compliant”. References below are in no way intended to be an endorsement, just a starting point for your research.
Google Apps - “Administrators for Google Apps for Business, Education, Government, and Google Apps Unlimited domains can request a BAA before using Google services with PHI. Google offers a BAA covering Gmail, Google Calendar, Google Drive, and Google Apps Vault services.”
Citrix Sharefile - “...Citrix ShareFile Cloud for Healthcare, a dedicated virtual private cloud for protected health information.”
Email Pros - “Our goal is to provide secure email not only for HIPAA compliance, but also as an ethical responsibility towards Protecting Patient Information.”
SafetySend - “allows disparate systems and robust applications to integrate into a cost effective and easy to manage data platform for the healthcare, financial services, legal and corporate entities required to comply with HIPAA, HITECH, PCI-DSS and GLBA.”
Sooksa - claims to make DropBox HIPAA compliant
In addition, some societies and associations offer their own platforms you may want to consider. At the end of the day, the important thing when it comes to PHI protection is that you take steps to protect and attempt to mitigate any unauthorized disclosure.