In the age of electronic communication, there is the ever-present concern of compromised data. Data can be intercepted and accessed by third parties with their own agendas.
Naturally, the information between patients and their healthcare providers is quite sensitive. Neither party wants that data available to the public.
Congress passed HIPAA, the Health Insurance Portability and Accountability Act, in 1996. Its Privacy and Security Rules set the requirements for protecting a patient's health information, including information that is stored or sent electronically.
Email is not secure
In general, email communication is not secure for two reasons:
- The data isn’t encrypted by default.
- You cannot guarantee that the person reading the message is the intended recipient.
Encryption is the process of transforming data so that it is unreadable, but in a way that lets it be returned to its readable form. The transformation uses a cipher (the algorithm) together with a key that both sender and recipient know; the algorithm can be public, but the key must stay secret. Anyone without the key sees only gibberish.
By default, most email services do not encrypt your messages end to end. This includes the popular web-based services such as Outlook.com, Gmail, and Yahoo. They typically protect the connection between your browser and their servers with TLS, but the hop from their servers to the recipient's mail server is only encrypted if that server supports it, and the message sits readable on the servers at each end. Some of these services do offer paid tiers that support HIPAA compliance.
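Whether a message actually travelled over TLS is recorded hop by hop in its Received headers. The following Python script, added here as an example and not part of the original article, parses those headers and flags any hop that did not use TLS. The sample message is constructed for illustration, and only the hops added by your own mail servers can be trusted, since an outside server can write anything it likes into a header.

```python
"""Audit the Received headers of an email for per-hop TLS.

Added example (not from the original article). The message below is a
constructed sample: the clinic's workstation hands the mail to the clinic's
MX over plain ESMTP, and the MX forwards it to the patient's provider over
ESMTPS (TLS).
"""
import email
import re
from email import policy

SAMPLE_MESSAGE = """\
Received: from mx.clinic.example (mx.clinic.example [192.0.2.10])
\tby inbox.patientmail.example with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 1 Jan 2024 10:00:02 +0000
Received: from workstation.clinic.example (workstation.clinic.example [10.0.0.5])
\tby mx.clinic.example with ESMTP id def456;
\tMon, 1 Jan 2024 10:00:00 +0000
From: doctor@clinic.example
To: patient@patientmail.example
Subject: Appointment reminder

Please confirm your appointment.
"""

# SMTP protocol names that imply TLS (RFC 3848 "with" clause). The trailing
# "S" means the session was TLS-protected; a trailing "A" alone means only
# that the sender authenticated, which says nothing about encryption.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}


def hop_used_tls(received_header: str) -> bool:
    """Return True if a single Received header records a TLS-protected hop."""
    text = " ".join(received_header.split())  # unfold continuation lines
    match = re.search(r"\bwith\s+([A-Za-z0-9]+)", text)
    protocol = match.group(1).upper() if match else ""
    # Some MTAs (e.g. Postfix) also annotate the TLS version in parentheses.
    return protocol in TLS_PROTOCOLS or bool(re.search(r"version=TLS", text))


def audit_hops(raw_message: str) -> list[tuple[str, bool]]:
    """Return (receiving_host, used_tls) for each hop, newest hop first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for received in msg.get_all("Received", []):
        text = " ".join(str(received).split())
        by = re.search(r"\bby\s+(\S+)", text)
        hops.append((by.group(1) if by else "?", hop_used_tls(text)))
    return hops


def all_hops_encrypted(raw_message: str) -> bool:
    """True only if every recorded hop used TLS."""
    return all(used_tls for _, used_tls in audit_hops(raw_message))


if __name__ == "__main__":
    for host, used_tls in audit_hops(SAMPLE_MESSAGE):
        print(f"{host:30} {'TLS' if used_tls else 'PLAINTEXT'}")
    print("all hops encrypted:", all_hops_encrypted(SAMPLE_MESSAGE))
```

Run against the sample, the script reports the internal hop into mx.clinic.example as plaintext, which is exactly the kind of gap a practice would want to close by requiring TLS on its own submission server.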
Furthermore, there’s never a foolproof way to ensure that the intended recipient is actually the one reading the email. Perhaps the patient checked his mail in a public place with wandering eyes or left his phone somewhere by mistake.
Nevertheless, modern patients expect instant communication, so you can’t avoid emailing. For many patients and practices, email is becoming the preferred method of communication.
Here’s how to stay compliant with your electronic communications.
Electronic protected health information (ePHI) in any form is covered, including paper documents scanned to a computer. The Security Rule treats encryption as an addressable specification: you must either encrypt the data or document why an equivalent safeguard is reasonable in your situation. Sending a scanned document to your storage location over encrypted email is a simple way to meet this. Speak with your IT professional to set it up.
Protected health information (PHI) must be protected at rest and in transit. This means it must be secured while it travels across networks or the Internet and while it is stored on drives at workstations and servers.
The party sending the message is responsible for securing it. A patient who replies is neither a covered entity nor a business associate and is not bound by HIPAA. You are responsible only for the security of the emails you send.
While HIPAA does not require that you encrypt every device and storage location, it would be silly not to. Encryption is cheap, easy, and can protect you from embarrassing mistakes and tedious litigation. Even if you technically followed the rules, you could still upset your patients if data were exposed.
It isn’t necessary to use a dedicated service to send HIPAA compliant emails. These services work, but with some added expense.
Some email clients can be configured to satisfy the law. For example, the desktop client Microsoft Outlook supports S/MIME encryption, found under the Trust Center's Email Security settings. This requires a certificate on your side and the recipient's public certificate, so it only works with recipients who have set up S/MIME too. If you also use Internet Message Access Protocol (IMAP) and configure the client to delete messages from the server after download, storing them only on your (encrypted) local disk, you reduce how much PHI sits on the provider's servers. Note that this limits exposure at rest; it does not by itself prevent interception in transit, which is what the S/MIME encryption is for.
While encryption is important, it's worth mentioning that HIPAA doesn't require you to encrypt internal emails that never leave your organization's secured network. If you send an email to a colleague on the same secure server, no additional encryption is required. However, best practice is to encrypt everything to be safe.
If a patient is unable or unwilling to receive encrypted communications, they may ask to receive unencrypted email from you after being warned of the risk. In this case, you can use whatever means of communication works for you and the patient. Just make sure to document the request, have them sign a consent form, and keep it on file.
Get the patient’s consent
Consent is an important part of privacy. You can ensure you have the right contact information and protect yourself from lawsuits by getting permission in writing from your patient before you correspond through email.
On the form, explain to the patient the inherent risks of electronic communication. Offer some advice on safeguarding their computer to ensure their emails aren’t accessed by other people.
I recommend having your attorney evaluate a consent form before you send it to your patients.
Once you have the consent form, be sure to keep it safe. If the patient ever blames you for a privacy breach, you’ll want to be able to show that you had their permission.
When a patient initiates an email conversation, it's reasonable to assume they permit that type of communication (unless they have previously expressed otherwise). Still, you must secure these emails like any other.
If a patient hasn’t agreed to communicate electronically, never contact them through email.
Include a privacy statement with each email
Every email you send should conclude with a privacy statement. The statement should notify the receiver that the email is inherently insecure, express that the content is strictly confidential, and tell them who to report the email to if they are not the correct recipient.
The purpose of this statement is to remind the recipient every time that their correspondence isn’t 100% safe. If they choose to reply with confidential information, they are doing so at their own risk. Further, it encourages parties who shouldn’t read the email to report the miscommunication.
If your email needs are simple, this can be done by adding a signature to your emails through your client. If you work in a larger practice, speak with your IT professional to ensure that all emails include this statement.
That said, email disclaimers are not a substitute for properly encrypted PHI emails. The purpose of the disclaimer is simply to inform. It does not absolve you of responsibility in any way.
Use an email provider that signs a Business Associate Agreement
HIPAA requires a Business Associate Agreement with any vendor that stores or transmits PHI on your behalf, and that includes your email provider. There are countless services that specialize in HIPAA compliant communications for healthcare providers, each with its own features. These agreements do not come standard with free email accounts, but many paid versions offer them.
If a provider does not sign this agreement, they are noncompliant. Do not assume an email service provider has signed an agreement unless it is clearly advertised on their website.
Develop an office policy
It’s important to have a clearly defined policy for your staff or colleagues regarding protected health information (PHI). A casual discussion isn’t enough. You need procedures.
In your documentation, include which types of information may and may not be transmitted electronically. You may restrict certain types of PHI (mental health issues, for instance) to in-person meetings only.
Document who may and who may not send or receive confidential patient information. For instance, you would allow a doctor, nurse, or other healthcare provider to discuss health matters with a patient, but not the receptionist, administrative assistant, or billing department. These restricted parties should only contact patients regarding administrative issues and immediately notify healthcare staff if a patient mentions medical information.
There is an entire sector of attorneys who specialize in HIPAA law. If you’re ever in doubt, I recommend speaking with one. The penalties for violating patient privacy are severe. They could cost you a lot of money and even your license.