How to Stay HIPAA Compliant When Emailing Patients
In the age of electronic communication, there is the ever-present concern of compromised data. Naturally, the information between patients and their healthcare providers is quite sensitive. Neither party wants that data available to the public. Consequently, doctors must know how to stay HIPAA compliant, especially when emailing patients.
The Basics of HIPAA Compliance for Providers
In response to growing concerns of data interception, Congress and the President enacted HIPAA in 1996. HIPAA stands for the Health Insurance Portability and Accountability Act. One of the purposes of this legislation is to protect a patient’s privacy.
Follow the tips below to guide your practice in emailing patients while remaining HIPAA compliant.
Email is not secure
In general, email communication is not secure for two reasons:
- Email data isn’t encrypted by default.
- It’s impossible to tell if the receiver is the intended recipient.
Encryption is the transformation of data into a form that is unreadable to anyone other than the two parties sharing it. The transformation relies on a cipher (or code) that both sender and recipient know; anyone without it sees only gibberish.
By default, most email clients do not encrypt your communications. This includes popular web-based email clients like Outlook, Gmail, and Yahoo. However, some of these services offer paid features that comply with HIPAA regulations.
One major drawback to email communication is there’s no foolproof way to ensure that the intended recipient is the one reading the email. Perhaps the patient checked his mail in a public place with wandering eyes or left his phone somewhere by mistake.
Nevertheless, modern patients expect instant communication, so you can’t avoid emailing. For many patients and practices, email is becoming the preferred method of communication.
Keep reading to learn how to stay HIPAA compliant with your office’s electronic communications.
Encrypt all electronic data
Any piece of electronic data is required to be encrypted, including physical documents scanned to a computer. It’s simple to have a scanned document/image sent to a storage location via encrypted email. Speak with your IT professional to set this up.
You must safeguard protected health information (PHI) at rest and in transit. Consequently, PHI must be secured during transmission across networks or the Internet and when it’s stored in drives at workstations and servers.
The person initiating the transmission is the liable party. HIPAA regulations do not hold patients responsible when replying to emails from your office. Only the provider is responsible for email security.
While HIPAA does not require that you encrypt every device and storage location, it would be foolish not to. Encryption is cheap, easy, and can protect you from embarrassing mistakes, fines, and litigation. Moreover, you risk your reputation and your patients’ trust if data becomes exposed.
Dedicated services to send HIPAA-compliant emails are available for an added expense but are not required. Some well-known email service providers allow you to configure your email to meet HIPAA requirements. For example, Microsoft Outlook offers an encryption option under Security Settings. If you then enable Internet Message Access Protocol (IMAP) and choose to delete emails from the server (and store them solely on your local disk), you can guarantee no chance of interception.
While encryption is essential in patient communication, you should know that HIPAA doesn’t require you to encrypt interagency emails. For instance, no encryption is necessary if you send an email to a colleague on the same secure server. However, the best practice is still to encrypt everything to be safe.
Patients who cannot accept encrypted communications can waive their right to receive emails from you privately. In this case, you can use any communication that works for you and the patient. Just make sure to have them sign a consent form and save it.
Get the patient’s consent
Consent is an integral part of privacy. You can ensure you have the correct contact information and protect yourself from lawsuits by getting permission in writing from your patient before you correspond through email.
On the form, explain to the patient the inherent risks of electronic communication. Offer advice on safeguarding their computer to ensure other people don’t access their emails. Also, let your attorney evaluate a consent form before sending it to your patients.
Use an online intake form with e-signature capabilities (like intakeQ’s HIPAA-compliant online forms) for the best results.
Once you have the consent form, be sure to keep it safe. If the patient ever blames you for a privacy breach, you can show that you have their permission.
When a patient initiates an email conversation, don’t assume they permit their information to be shared electronically (unless they have previously expressed otherwise). Still, treat these emails as securely as any other.
If a patient hasn’t agreed to communicate electronically, never contact them through email.
Include a privacy statement with each email
Every email you send should conclude with a privacy statement. The statement should notify the receiver that the email is inherently insecure, express that the content is strictly confidential, and tell patients who to report the email to if they are not the correct recipient.
The purpose of this statement is to remind the recipient every time that their correspondence isn’t 100% safe. If they choose to reply with confidential information, they do so at their own risk. Further, it encourages parties who shouldn’t read the email to report the miscommunication.
If your email needs are simple, add a privacy statement in the signature of your patient emails. If you work in a large practice, speak with your IT professional to ensure all emails include this statement.
That said, email disclaimers are not a substitute for adequately encrypted PHI emails. The purpose of the disclaimer is to inform. It does not absolve you of responsibility in any way.
Use an email provider that signs a Business Associate Agreement
A Business Associate Agreement is a HIPAA requirement for email providers. Countless services specialize in HIPAA-compliant communications for healthcare providers, and each has its own features. These agreements are not standard for free email clients, but many paid versions offer this service.
If a provider does not sign this agreement, they are non-compliant according to HIPAA law. Do not assume an email service provider has signed an agreement unless it is advertised on their website.
Develop an office policy
Having a clearly defined policy for your staff and colleagues regarding protected health information (PHI) is essential. A casual discussion isn’t enough. Healthcare providers need to clarify procedures.
In your documentation, include which types of information may and may not be transmitted electronically. You may restrict certain types of PHI (such as mental health issues) to in-person meetings only.
Document who may and who may not send or receive confidential patient information. For instance, you would allow a doctor, nurse, or other healthcare provider to discuss health matters with a patient, but not a receptionist, administrative assistant, or billing department. Restricted parties should only contact patients regarding administrative issues and notify healthcare staff if a patient mentions medical information.
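The rules in the consent, privacy-statement, and office-policy sections above can be enforced mechanically at the point where a message leaves the practice, so that a forgotten consent form or a billing mailbox discussing lab results is blocked rather than noticed after the fact. The following is an added example written for this article, not code from the article or from any product it mentions. The consent registry, staff roles, mailbox addresses, keyword lists, and the wording of the privacy statement are all constructed stand-ins; a real practice would load consent and role data from its intake system and directory and use a proper PHI classifier instead of keywords.

```python
"""Outbound e-mail policy gate for PHI (added illustration, not code from
the article). The consent registry, staff roles, and keyword lists below
are constructed stand-ins; a real practice would load them from its intake
system, directory, and a proper PHI classifier."""
from dataclasses import dataclass, field
from email.message import EmailMessage
import re
import textwrap

PRIVACY_STATEMENT = (
    "CONFIDENTIALITY NOTICE: This message may contain protected health "
    "information and is intended only for the named recipient. E-mail is "
    "not a secure medium. If you are not the intended recipient, notify "
    "privacy@example-clinic.test and delete this message."
)

# Constructed records: patients who signed the e-mail consent form, and the
# role held by each staff mailbox.
CONSENT_ON_FILE = {"pat.doe@example.test": True, "sam.roe@example.test": False}
ROLE_OF_SENDER = {
    "dr.lee@example-clinic.test": "clinician",
    "frontdesk@example-clinic.test": "reception",
    "billing@example-clinic.test": "billing",
}
CLINICAL_ROLES = {"clinician"}

# Constructed keyword lists standing in for the office policy's categories:
# topics restricted to in-person meetings, and medical content that only a
# clinical role may put in an e-mail.
IN_PERSON_ONLY = re.compile(r"\b(mental health|psychiatric|therapy notes)\b", re.I)
MEDICAL_CONTENT = re.compile(r"\b(diagnosis|lab results?|prescription|medication)\b", re.I)


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def make_message(sender: str, to: str, subject: str, body: str) -> EmailMessage:
    """Build a single-part text/plain message (the only shape this gate handles)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg.set_content(body)
    return msg


def gate_outbound(msg: EmailMessage, transport_encrypted: bool) -> Verdict:
    """Check one outgoing message against the practice's e-mail policy.

    Rejects unless: the transport is encrypted, the sender is a known staff
    mailbox, every recipient has signed consent on file, the content is not
    in an in-person-only category, and medical content comes from a clinical
    role. On success the privacy statement is appended to the body in place.
    """
    reasons = []
    sender = msg["From"].strip().lower()
    recipients = [r.strip().lower() for r in msg["To"].split(",")]
    body = msg.get_content()

    if not transport_encrypted:
        reasons.append("PHI must be encrypted in transit; refusing plaintext delivery")
    role = ROLE_OF_SENDER.get(sender)
    if role is None:
        reasons.append(f"unknown sender mailbox {sender}")
    for rcpt in recipients:
        if not CONSENT_ON_FILE.get(rcpt, False):
            reasons.append(f"no signed e-mail consent on file for {rcpt}")
    if IN_PERSON_ONLY.search(body):
        reasons.append("content category is restricted to in-person discussion")
    if MEDICAL_CONTENT.search(body) and role not in CLINICAL_ROLES:
        reasons.append(f"role '{role}' may not discuss medical matters by e-mail")

    if reasons:
        return Verdict(False, reasons)
    # Every message that passes carries the privacy statement as its footer.
    msg.set_content(body.rstrip("\n") + "\n\n" + textwrap.fill(PRIVACY_STATEMENT, 72))
    return Verdict(True)


if __name__ == "__main__":
    cases = [
        ("dr.lee@example-clinic.test", "pat.doe@example.test", "Your lab results are back.", True),
        ("frontdesk@example-clinic.test", "pat.doe@example.test", "Your lab results are back.", True),
        ("dr.lee@example-clinic.test", "sam.roe@example.test", "Follow-up on your medication.", True),
        ("dr.lee@example-clinic.test", "pat.doe@example.test", "Your lab results are back.", False),
        ("frontdesk@example-clinic.test", "pat.doe@example.test", "Reminder: appointment Tuesday 3pm.", True),
    ]
    for sender, to, body, tls in cases:
        m = make_message(sender, to, "Message from the clinic", body)
        v = gate_outbound(m, transport_encrypted=tls)
        print(f"{sender} -> {to}: {'SEND' if v.allowed else 'BLOCK'} {v.reasons}")
```

The gate collects every failed rule rather than stopping at the first one, so a blocked message tells the sender everything that must be fixed (sign a consent form, hand the conversation to a clinician, use the encrypted channel). Keeping the transport check unconditional, even for colleagues on the same server, follows the article's own advice to encrypt everything rather than rely on the interagency exception.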
Still unsure?
There is an entire field of attorneys who specialize in HIPAA law. If you’re ever in doubt, speak with one.
The penalties for violating patient privacy are severe. They could cost you a lot of money and even your license.