HIPAA Email Compliance

Beginning with the Health Insurance Portability and Accountability Act (HIPAA) in 1996, new legislation has continually strengthened patient privacy regulations. In 2009, the HITECH Act was passed to ensure the protection of patient information and listed the actions to be taken if patient information is compromised.

The Office for Civil Rights (OCR) enforces email compliance via the HIPAA Security Rule. Email communications between covered entities and patients are allowed as long as “reasonable” safeguards are provided.

These safeguards include notifications, secure portals, and email encryption. Covered entities include health care providers, health plans, and health care clearinghouses.

Although email has been in use for over twenty years, it has never been considered a secure form of communication. Use of email between healthcare providers and patients has become increasingly widespread. Emails are not secure unless encrypted.

In addition, secure emails sent to smartphones may lose their encryption when they are handed back to web-based email clients (such as Google).

The HITECH act of 2009 stipulates embarrassing consequences if even one patient complains of a privacy violation.

If a security breach occurs with one patient, it signifies that breaches are occurring with multiple patients.

Such a violation requires notification of several parties. First, the Secretary of Health and Human Services must be notified.

Next, all patients of the covered entity must be notified. Finally, the covered entity might need to contact media to fulfill notification requirements. These requirements are nullified if the information was encrypted.

No health care provider or entity wishes to become the bull's-eye of media scrutiny. Health care providers (and associated entities) can take actions to ensure HIPAA email compliance.

Health care providers using EMR (electronic medical record) systems can utilize secure portals within their systems to send and receive protected patient communications.

This is an ideal and cost-effective method for communicating with clients. The security of these portals must be thoroughly tested before utilization.

Secure portals typically have web addresses beginning with https (note the “s” at the end). The abbreviation stands for Hypertext Transfer Protocol Secure.

HIPAA email compliance requires patients be informed about options concerning email correspondence in a variety of ways.

In the past, the federal government urged healthcare organizations to practice voluntary compliance. This voluntary request has been replaced with mandates and methods of censure. HIPAA compliant email practices include a number of provisions.

All patient emails must contain disclaimers to satisfy compliance requirements. This means a covered entity must provide online email notifications and visible “physical” notifications warning patients about the potential security risks of transmitting “protected health information” (PHI) via email.

If your entity includes a web page for submitting email questions, paste a prominent statement stating, “Email communications are not secure.” This would not apply to a secure portal.

Create an email signature for all outbound email communications informing patients that email communications are not secure and can be intercepted by unknown parties.

Use this same signature to inform patients not to disclose personal information such as date of birth or medical information.

Counsel your patients that it is not necessary to include medical information in email communications. Place disclaimers in multiple locations including websites, the walls of your office and in your email communications.

Document your patient’s consent to receive email communications. Use “Emergency Contact Sheets” to provide areas for email consent.

If you are using an EMR system, avoid entering the patient’s email address into the system. This will ensure patients do not receive email appointment reminders and other notifications.

Electronic health record (EHR) systems allow access to secure patient portals. Guide your patients to use these portals for sensitive communications.

These portals are designed to exceed HIPAA security standards and allow for secure communications including credit card payments, prescription refills and even access to medical records. As a provider, you must ensure these portals are adequately tested by your EHR Portal provider and that you are provided with certificates of security.

If you must use emails to communicate with clients, use secure HIPAA compliant email encryption applications. There are many such applications on the market. The purpose of HIPAA compliant email applications is to:

  • Use secure email servers
  • Control who is able to read, copy or forward emails
  • Create “read” limits and set expiration dates on sent emails
  • Encrypt email accounts
  • Allow encrypted emails to be sent from any computer
  • Allow for viewing of encrypted emails from any computer with internet access
  • Create advanced security settings that disable printing and copying abilities
  • Encrypt not only email text but also attachments

The HIPAA Security Rule creates standards to protect electronic protected health information (ePHI).

The Security Rule requires appropriate safeguards to ensure the confidentiality of ePHI. OCR enforces compliance with the Rule's standards and may investigate complaints and perform compliance reviews.

If your organization is a covered entity that must comply with HIPAA email regulations, it is imperative to act in accordance with the Security Rule. The penalties for non-compliance range from civil penalties of $100.00 per violation up to criminal penalties of $250,000.00 and ten years in jail for intentional non-compliance.

At best, any violation will result in patients being notified and negative publicity. Compliance checks are ongoing and every covered entity must develop and implement security procedures including documentation. Compliance policies must include control and verification procedures.

For health care providers who do not wish to use secure portals or HIPAA compliant email applications, avoid placing ePHI in the body of an email and manually encrypt files sent as email attachments. Electronic protected health information may be sent over an open electronic network as long as the information is adequately protected.
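The paragraph above leaves "manually encrypt files sent as email attachments" unspecified. The following is an added example, not code from the original page or from any product it mentions, showing the shape of that step in Go with only the standard library: a fresh AES-256 key is generated and shared with the recipient over a separate channel (phone, in person), the attachment is sealed with AES-GCM so that both confidentiality and integrity are covered, and the filename is bound as authenticated data so the sealed file cannot be passed off under another name. The sample record, filename and the `RoundTrip` helper are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// GenerateKey returns a fresh 256-bit AES key. The key must reach the
// recipient out of band; never place it in the same email as the attachment.
func GenerateKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAttachment seals plaintext with AES-256-GCM. Output layout:
// nonce (12 bytes) || ciphertext || GCM tag (16 bytes). The filename is
// passed as additional authenticated data, so a sealed file only opens
// under the name it was sealed with.
func EncryptAttachment(key, plaintext []byte, filename string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag after the nonce prefix.
	return gcm.Seal(nonce, nonce, plaintext, []byte(filename)), nil
}

// DecryptAttachment reverses EncryptAttachment. Any modification to the
// sealed bytes, a wrong key, or a different filename fails authentication
// and returns an error instead of garbage plaintext.
func DecryptAttachment(key, sealed []byte, filename string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed attachment too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(filename))
	if err != nil {
		return nil, errors.New("attachment failed authentication: wrong key, wrong filename, or data altered in transit")
	}
	return pt, nil
}

// RoundTrip runs the flow on a constructed sample record and also checks
// that a single flipped byte in the sealed file is detected.
func RoundTrip() (recovered string, tamperDetected bool, err error) {
	key, err := GenerateKey()
	if err != nil {
		return "", false, err
	}
	// Constructed sample; no real patient data.
	record := []byte("SAMPLE ONLY: lab result for test patient")
	sealed, err := EncryptAttachment(key, record, "labs.pdf")
	if err != nil {
		return "", false, err
	}
	pt, err := DecryptAttachment(key, sealed, "labs.pdf")
	if err != nil {
		return "", false, err
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // corrupt the last tag byte
	_, tErr := DecryptAttachment(key, tampered, "labs.pdf")
	return string(pt), tErr != nil, nil
}

func main() {
	pt, detected, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\ntamper detected: %v\n", pt, detected)
}
```

The sealed bytes are what gets attached to the message; the email body itself carries only the non-PHI notice the page recommends. Because the key travels separately, an intercepted message yields nothing readable, which is the condition under which the page says breach-notification duties do not apply.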

The rules of HIPAA email compliance require that a health provider or covered entity exercise reasonable precautions. This includes checking email addresses for accuracy and sending test emails to patients for address confirmation. If the patient initiates email contact, the provider may assume email contact is acceptable to the client.

There are multiple products on the market to secure and encrypt email correspondence.

Be aware of the regulations, requirements and especially the penalties for failing to secure email correspondence containing ePHI.

If you are accessing sensitive information via smartphones and tablets, verify encrypted emails remain encrypted on these devices. Comply with HIPAA email regulations and avoid the limelight of harmful media publicity.