October 21, 2014

I am frequently asked about the appropriateness of emailing with patients. In lieu of paraphrasing, for today's newsletter I am providing a Q&A directly from the source, the Office for Civil Rights (direct from OCR FAQs):

Q3: Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?

A3: Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.

Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient.

By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated. Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.

For more information about the HIPAA Privacy Rule, Health Information Technology requirements, check out: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit.

Another related frequent question relates to HIPAA compliant encryption options, for which I always have the same response: I am not an IT specialist and therefore really cannot comment on vendors, but I do recommend ensuring you are sending encrypted emails. Emailing without encryption is a whole lot like playing squash without goggles; sure, you may not get hit in the eye, but if you do, you sure could have avoided a pretty serious injury easily, and it's the accepted practice. With that in mind, I recommend each practitioner perform their own due diligence in making their determination as to what level of protection they feel comfortable with. I would not recommend selecting a company that does not require a signed Business Associate Agreement. Solely as a place to start your research, I have pulled a few companies that “claim” to be “HIPAA Compliant”. Reference below is in no way intended to be an endorsement, just a starting point for your research…

Google Apps - https://support.google.com/a/answer/3407054?hl=en - “Administrators for Google Apps for Business, Education, Government, and Google Apps Unlimited domains can request a BAA before using Google services with PHI. Google offers a BAA covering Gmail, Google Calendar, Google Drive, and Google Apps Vault services.”

Citrix ShareFile - http://www.citrix.com/news/announcements/nov-2013/citrix-sharefile-helps-clients-tackle-tougher-hipaa-compliance-r.html - “...Citrix ShareFile Cloud for Healthcare, a dedicated virtual private cloud for protected health information.”

Email Pros - https://www.emailpros.com/index.html - “Our goal is to provide secure email not only for HIPAA compliance, but also as an ethical responsibility towards Protecting Patient Information.”

SafetySend - http://www.safetysend.com/aboutus.htm - “allows disparate systems and robust applications to integrate into a cost effective and easy to manage data platform for the healthcare, financial services, legal and corporate entities required to comply with HIPAA, HITECH, PCI-DSS and GLBA.”

Sookasa - https://www.sookasa.com/how-it-works/ - claims to make Dropbox HIPAA compliant

Similarly, I am aware certain societies and associations offer their own platforms you may want to look into. At the end of the day, the important thing when it comes to PHI protection is that you took steps to protect and attempt to mitigate if there is an unauthorized disclosure. If you are not sure if you have/had an unauthorized exposure, or need help with internal policies and procedures, contact Jennifer.

Have a question or comment for Jennifer?
Contact Jennifer at Jennifer@Kirschenbaumesq.com or at (516) 747-6700 x. 302.