HIPAA Email Policy

Is there a HIPAA email policy? If so what does it require?

Email is such a major part of our way to communicate – both personally and professionally. For those of us who work in the healthcare industry, it’s important to know what HIPAA email policy is when dealing with patient information. That means not just patient privacy and the handling of patient information, but also the security of the email communication itself.

You’ve probably heard horror stories of sensitive information being compromised via email. The thing about email is that once you send it, you have no control over what’s done with it or where it goes from then on. We’ve all had the experience of sending an email that got forwarded or replied to someone we didn’t want it to go to. And you just cringe when you see it. Ugggg! You’ve been outed! Revealed for what your true intentions are.

The HIPAA Privacy Rule requires the protection of individually identifiable health information, referred to as Protected Health Information (PHI), when it is stored or transmitted by a covered entity. PHI is information obtained from a patient that can be used to identify them. This would include name, address, Social Security number, phone number, insurance IDs, beneficiaries, etc. It would also include diagnoses, treatments, and medications.

So who would this apply to? Basically anyone who has a need to access a patient’s information.

  • Any organization that processes healthcare information such as a clearinghouse.
  • Health insurance payers. This would include those providing medical, prescription, dental, or mental health coverage. This also includes government payers Medicare and Medicaid.
  • Health care providers – Physicians, hospitals, outpatient facilities, nursing homes, etc.

HIPAA email policy requirements that apply to electronic communication are given in the Technical Safeguards portion of the Security Rule.

Let’s look at what HIPAA regulations say about using email. HIPAA uses the word “reasonable” a lot in describing the measures that must be taken to protect the privacy and security of PHI.

So that raises the obvious question – what does HIPAA consider reasonable?

The U.S. Department of Health and Human Services (HHS) is the governing authority for HIPAA. Within HHS, enforcement of HIPAA is handled by the Office for Civil Rights (OCR). Their take on email is discussed on the HHS website and restated here for convenience:

“Does the Security Rule allow for sending electronic PHI (e-PHI) in an email or over the Internet? If so, what protections must be applied?”

“The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”

So the Security Rule allows PHI to be sent electronically. However, there must be procedures in place to control access to this information. They must also protect the integrity of the information, meaning it cannot be altered.

The last two sentences are interesting. They do not say specifically how e-PHI must be protected. What they do say is that the covered entity must assess its systems, identify “available and appropriate means”, select a protection method, and document the decision.

So does this rule say specifically that email encryption is required? No, but due to the nature of email, encryption is one of the most effective ways to meet the “available and appropriate means” requirement.

An email does not exist only on the local device (PC, tablet, workstation, etc.). A copy also exists on the mail servers at both ends and on the recipient’s local device. You have to ask the question – what, other than encryption, would ensure this electronic communication is secure?

So what does HIPAA email policy say about communication between a provider (doctor) and their patient? Again from the HHS website, this specific scenario is addressed:

“Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?”

“Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.

Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.

Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.”

So HIPAA email policy says communication with the patient is permitted, but the patient must be made aware that the email communication is unencrypted. If that is not acceptable to the patient, the provider must communicate the information using an alternate secure method.

So even if the patient initiates email communication with a provider, and even though the HIPAA Privacy Rule may not explicitly require it, the provider should inform them of the risk of unencrypted email use and let them decide if this is acceptable. However, this could be a risky situation for a provider, who may be best served by not communicating with patients via email at all, or only via encrypted means.

HIPAA Email Policy Key Points to Consider

So what do we take away from HIPAA email policy requirements with regard to email?

  • Don’t put PHI in an unsecured (unencrypted) email to other providers, employees, insurance payers, vendors, etc.
  • Don’t send email communications to patients via unsecured email (Gmail, Yahoo Mail, etc.) without their written consent.
  • Make patients aware of the risks involved with sending PHI by email – even if the patient initiates the communications via email. Consider incorporating this in existing patient consent forms.
  • Take precautions to protect information shared over any open networks. Encryption is probably the most reasonable and economical solution.
  • Don’t enter patient emails in practice management or Electronic Health Records (EHR) software unless they have given consent. Those with access to these systems may assume patient consent if an email address is present.
  • Document a patient’s consent to send and receive PHI communications by email.
  • Make sure any employees, vendors, and business associates are aware and informed of the HIPAA rules (mentioned above) that apply to email communications.
  • If you are considering an EHR software, look for secure patient portal functions. This allows secure communications with the patient via the EHR and a secure browser.
  • Use a HIPAA compliant email service (encryption & secure servers). There are many available for reasonable cost. Some offer add-ons (for example, for Outlook) that can be used with existing email applications.
  • When in doubt, err on the side of caution. Ask yourself – “What’s the worst that can happen if this information is compromised?” The cost of preventive measures is small compared to the penalties, which can be up to $250,000.

There are several services that offer HIPAA email policy compliant services that include encryption and secure interfaces. We’re not endorsing any of these services – just offering links so you can check them out yourself. Some of these offer add-ons that allow secure communication from within existing Microsoft Outlook.

While these services are not free, they are very reasonable and much cheaper than dealing with a violation: