Communicating with patients compliantly by email?

Provided by: Jennifer Kirschenbaum, Esq.

March 16, 2017

Question:

Hi Jen,

Can I communicate with patients via email and if so what privacy steps must I put in place to comply with HIPAA?

Thanks,
Dr. V

Answer:

Michael Foster, Esq. of K&K's healthcare department has provided today's response -

The short answer is yes. HIPAA’s Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. HIPAA does not prohibit the use of unencrypted e-mail (gmail, yahoo mail) for treatment-related communications however; other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. Also you must have patient consent to communicate via email. You can ensure your patients are providing proper consent for uses and disclosures with a proper consent form. A proper consent form would: (i) be in writing; (ii) have the patient provide the email address; (iii) have Patient indicate what content you can disseminate by email; and (iv) incorporate right to rescind by Patient as required by HIPAA. The HiTECH Act, HIPAA, requires each entity with ePHI to have a Security Policy.

HHS also recommends covered health care providers employ an Encryption system to communicate with patients. Encryption is “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.” 45 CFR 164.304. Health data encryption is when a covered entity converts the original form of the information into encoded text. Essentially, the health data is then unreadable unless an individual has the necessary key or code to decrypt it. According to HHS covered entities can determine whether the addressable implementation specification is reasonable and appropriate for that covered entity. If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate.

Additional guidelines on Encryption can be found below on HHS’s website.
http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html

Ask us a question

Jennifer Kirschenbaum, Esq. Partner

Ask us your questions. We will help if we can & let you know before any charge is incurred.

Jennifer@kirschenbaumesq.com

Educational Webinars

A discussion on Market impact to practice

Preparing for PPP Forgiveness and Patient Care Impacts with Covid 19

Looking for the KK Healthcare Exchange? Click Here.

MISSED OUR RECENT WEBINARS? CLICK HERE ANYTIME!

Looking for HIPAA and compliance forms?
Click here to visit our website.

Have a question or comment for Jennifer?
Contact Jennifer at Jennifer@Kirschenbaumesq.com or at (516) 747-6700 x. 302.

Interested in having Jennifer speak at an event or
at a residency/fellowship program?
Contact Jennifer directly at (516) 747-6700 x. 302 or at Jennifer@Kirschenbaumesq.com

Click here to learn about
K&K's Prepaid Legal Audit/Investigation Defense Now!