Can you remember the old days when all we had was the telephone (on a hard line, no less) and paper-and-stamp mail? Communication these days is so much easier and faster, and the healthcare industry has of course taken full advantage of this. But “regular” email and your clinic can be a troublesome mix, one that can certainly get you into trouble and expensive fines, as it already has for many clinics. Do your staffers ever send emails like –
- Payment claims submitted to insurance providers for procedures and treatments
- Patient referrals to specialists or other third-party providers
- Patient appointment scheduling
- Answers to patients’ questions via email
Such messages contain patient names and information – Electronic Personal Health Information (ePHI) – that is sent out of your office, and they therefore fall under the tight jurisdiction and requirements of HIPAA’s Omnibus Rule. You can’t just send out emails like this using a Yahoo account!
What Does HIPAA Say
HIPAA security rules do not expressly prohibit the use of email for sending electronic PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to ePHI sent and received over email. In general, HIPAA requires three things when it comes to email:
- Strong security – According to Section 164.314(a), it is the responsibility of the health care provider to ensure that everyone involved in handling such confidential and personally-identifying information complies with the safeguards. There must also be access control on the PCs and servers on your premises that store such emails, as well as protection while the messages are in transit.
- Consent – Are you using email in communication with patients? The HIPAA Omnibus Final Rule (3/18/2013) states that clients are allowed to authorize communications via email, but to do so the client must be informed of the risks relating to sending protected health information via email before they sign the authorization. Most companies have a consent form that clients must fill out before email can be used.
- Business Associate Agreement – Many health care providers use a third party like Gmail, Microsoft, or a local IT company for email services. These and any other external vendor services are referred to by HIPAA as “Business Associates”, and they are required to sign an agreement stating that they will protect a patient’s confidential information with the same high standards required of the health care clinic itself.
Things You Do Now
If you wish to avoid damaging and potentially costly HIPAA data breaches for your clinic, here are some action items.
- Staff training – You should set company policy that defines which email accounts and devices should be used to send ePHI, what information should never be sent via email (e.g., mental health or substance abuse info, etc.), and who they are allowed to email (patients, other providers or staff, etc.). Then make sure new staff are trained, as well as overseen along the way for compliance.
- Privacy Statements – A privacy statement should be automatically appended to the end of every outgoing email. Your statement reminds recipients that email is inherently insecure, states that the email is privileged and confidential, and tells the recipient who to contact if they are not the right person. Speak with your email / IT provider – they should be able to set this up for you pretty easily.
- Secure email systems – These involve the use of third-party servers to house and transmit emails and documents. Those with GE Centricity systems may be familiar with a version of this, Secure Messaging, which does not actually send emails containing confidential info but sends links instead. Recipients click the link, log in to an account, and then view the email and content. The best systems will automatically read your email on the way out of your local network, look for sensitive terms (like social security numbers, diagnoses like “diabetes,” medication names like “Zoloft,” etc.), and automatically send those messages encrypted and securely, while allowing regular emails through normally.
- TLS between mail systems – This is a secure transfer mechanism that can be enabled without much difficulty between your email system and another known organization, e.g. a hospital or major vendor. Once configured, all email between your users and theirs will be encrypted across the internet using mandatory TLS, allowing open ePHI exchange between clinical providers, etc. Keep in mind that TLS protects the message only while it travels between the two mail servers; storage at either end is still covered by the access-control safeguards above. Staff of course would have to be informed which hospitals and vendors they can freely send to and receive from, and which they cannot.
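The two items above describe one outbound decision: scan each message for ePHI indicators, let clean mail through normally, deliver ePHI directly only when every recipient is at a partner with mandatory TLS already in place, and otherwise hand the message to the secure-messaging portal (the link-based approach described above). The following Python script is an added illustration of that policy logic and is not code from the article, from GE Centricity, or from any named vendor. The partner domains, the term list, the addresses and the message bodies are all constructed sample data; a real gateway would maintain a far larger dictionary and would sit in the mail flow (for example as a milter or content filter) rather than being called by hand.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed policy data for this example (assumptions, not from the article):
# partner domains with which mandatory TLS has already been configured, and a
# short list of terms the gateway treats as indicators of ePHI.
MANDATORY_TLS_PARTNERS = {"example-hospital.org", "example-labvendor.com"}
SENSITIVE_TERMS = ("diabetes", "zoloft", "diagnosis", "mrn")

# US Social Security Number in the 123-45-6789 layout. The lookaheads reject
# area/group/serial values that are never issued, which trims false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def find_ephi_indicators(text):
    """Return the set of ePHI indicators found in a message body."""
    hits = set()
    if SSN_RE.search(text):
        hits.add("ssn")
    lowered = text.lower()
    for term in SENSITIVE_TERMS:
        # Whole-word match so "mrn" does not fire inside unrelated words.
        if re.search(r"\b" + re.escape(term) + r"\b", lowered):
            hits.add(term)
    return hits


def recipient_domains(msg):
    """Collect the lower-cased domain of every To/Cc/Bcc address."""
    headers = []
    for name in ("To", "Cc", "Bcc"):
        headers.extend(msg.get_all(name, []))
    domains = set()
    for _, addr in getaddresses(headers):
        if "@" in addr:
            domains.add(addr.rsplit("@", 1)[1].lower())
    return domains


def route_outbound(msg):
    """Decide how a message may leave the local network.

    Returns one of:
      "plain"         - no ePHI indicators; deliver normally
      "mandatory-tls" - ePHI present, but every recipient is at a partner
                        domain with mandatory TLS, so direct delivery is allowed
      "secure-portal" - ePHI present and at least one recipient is not a
                        TLS partner; send a portal link instead of the content
    """
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    indicators = find_ephi_indicators(body)
    if not indicators:
        return "plain"
    domains = recipient_domains(msg)
    # A mixed recipient list falls back to the portal: the TLS guarantee
    # covers only the partner domains, not the other recipients.
    if domains and domains <= MANDATORY_TLS_PARTNERS:
        return "mandatory-tls"
    return "secure-portal"


def build_message(to, body, cc=None):
    """Build a text/plain message from constructed sample data."""
    msg = EmailMessage()
    msg["From"] = "frontdesk@example-clinic.test"
    msg["To"] = to
    if cc:
        msg["Cc"] = cc
    msg["Subject"] = "Referral"
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Sample messages (constructed; not real patient information).
    ephi_body = "Referral for patient J. Doe, SSN 219-09-9999, diagnosis: diabetes."
    samples = [
        build_message("records@example-hospital.org", ephi_body),
        build_message("someone@example.com", ephi_body),
        build_message("records@example-hospital.org", ephi_body, cc="someone@example.com"),
        build_message("records@example-hospital.org", "Our office is closed Monday."),
    ]
    for m in samples:
        print(m["To"], m["Cc"] or "", "->", route_outbound(m))
```

The routing function deliberately treats a mixed recipient list as "secure-portal" rather than "mandatory-tls": one partner domain in the To field does not make the copy going to a non-partner any safer. Term matching is case-insensitive and whole-word, and the SSN pattern only catches the hyphenated layout, so a production filter would add more formats and a much longer dictionary.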
- Password protect documents – A quick and easy method to add security if you must send a report or something sensitive to a vendor. Add a password to the Word or Excel document, attach it to a regular email, then call the recipient to share the password needed to open the document. Note: you wouldn’t want to include the password in the same email!
- Business Associate Agreements – If you don’t already have these for all your vendors, get them. Don’t use an email provider who refuses to sign HIPAA Business Associate agreements for your medical practice. Paid Google and Office365 services will sign such an agreement. Free services like free Gmail, Yahoo Mail, Hotmail/Outlook.com won’t.