Provided by: Jennifer Kirschenbaum, Esq. 

June 3, 2014

Wednesday Webinar link HIPAA Compliance - Combating Exposure with Risk Assessment and Proper Policies - Presented By Jennifer Kirschenbaum, Esq. on 28 May 2014

Question:

Jennifer, 

I was having dinner with a friend who tells me he emails patients, he told me the email is not HIPAA compliant, but he was told that if the patient in the email acknowledges that the email is not HIPAA compliant and is ok with it, then it was fine.  I am skeptical.

Please address. Thanks

Dr. P

Answer:

The Office for Civil Rights, the arm of HHS responsible for overseeing HIPAA addresses this question directly in its FAQs -  

http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html

Question:

Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?

Answer:

Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.

Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.

Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.

To be safe it is advisable to ensure you are using protected communication on your end - encrypt attachments and emails before sending - work with your IT team to ensure you are taking meaningful steps to ensure HIPAA compliance.  For more information on how, view Wednesday's webinar link below.