Provided by: Jennifer Kirschenbaum, Esq.
May 14, 2019
Can I use email to communicate with patients? The patients give me their email addresses when they come in.
Yes, however, under the Security Rule (a part of HIPAA) each covered entity (inclusive of medical practices) is required to implement safeguards for electronic protected health information. The guidelines are not explicit in practical requirements because there is a spectrum of acceptable compliance. What we do know is all covered entities can use the internet for communications - its not prohibited - but all covered entities should engage in a risk assessment and implementation of physical, administrative and technical safeguards (which we will cover in a June 11 webinar, registration below).
To further confuse, the Office for Civil Rights offers this direction -
Does the Security Rule allow for sending electronic PHI (e-PHI) in an email or over the Internet? If so, what protections must be applied?
The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.https://www.hhs.gov/hipaa/for-professionals/faq/2006/does-the-security-rule-allow-for-sending-electronic-phi-in-an-email/index.html
Conducting and Implementing Security Risk Assessment Recommendations
Date and Time
Tue, Jun 11, 2019 12:00 PM - 1:00 PM EDT
Join Jennifer for a discussion on the Security Risk Assessment process and implementing practical recommended solutions.Registration