The HIPAA safeguards principles state that individually identifiable health information should be protected with reasonable administrative, technical and physical safeguards to ensure confidentiality, integrity and availability and to prevent unauthorized or inappropriate access or disclosure. And, while privacy rules allow health care providers to share PHI electronically for treatment purposes, there are important measures that must be in place to ensure that your email program is HIPAA compliant.
What is HIPAA compliance? With respect to electronic transfer of personal health information via email, it all centers on protecting patient privacy rights through avoiding unintentional disclosures.
While there are a myriad of ways that a patient’s privacy can be compromised via email, it’s important to start with the most obvious and most common cause of breach: sending emails containing private information to the wrong email address. This is why it’s critically important not only to check the accuracy of the email address but also to confirm it a second time by sending an email requesting verification to the address of record before sending anything containing personal information.
Further, while privacy rules do not specifically require email encryption, HIPAA compliant email programs should include other safeguards to ensure that treatment-related communication between health care providers and patients is kept confidential. For unencrypted communication threads, this typically means limiting the scope and detail of what’s communicated via email, both to protect confidentiality and to limit regulatory exposure.
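The address-verification step above and the "limit what goes over unencrypted threads" rule can be enforced in the sending path itself. The following is an added illustration, not code from any particular email product: a recipient must complete a verification round-trip (a token mailed to the address of record and echoed back) before any message flagged as containing PHI may go to that address, and PHI over an unencrypted channel is allowed only when the patient has opted in. Address normalization, the token format and the `may_send` policy signature are assumptions made for this example.

```python
import hmac
import secrets


class RecipientVerifier:
    """Tracks which patient addresses have completed a verification round-trip."""

    def __init__(self):
        self._pending = {}    # normalized address -> outstanding token
        self._verified = set()

    @staticmethod
    def normalize(address):
        # Assumption: compare addresses case-insensitively so "Pat@Example.org"
        # and "pat@example.org" are the same address of record.
        return address.strip().lower()

    def request_verification(self, address):
        """Issue a one-time token to be emailed to the address of record."""
        token = secrets.token_urlsafe(16)
        self._pending[self.normalize(address)] = token
        return token

    def confirm(self, address, token):
        """Called when the patient replies with the token; marks the address verified."""
        addr = self.normalize(address)
        expected = self._pending.get(addr)
        if expected is None or not hmac.compare_digest(expected.encode(), token.encode()):
            return False
        del self._pending[addr]
        self._verified.add(addr)
        return True

    def is_verified(self, address):
        return self.normalize(address) in self._verified


def may_send(verifier, recipient, contains_phi, encrypted, patient_opted_in_unencrypted):
    """Policy gate applied before a message leaves the provider's system."""
    if not contains_phi:
        return True, "no PHI; no restriction"
    if not verifier.is_verified(recipient):
        # A mistyped or unverified address is the most common breach path.
        return False, "recipient address has not completed verification"
    if not encrypted and not patient_opted_in_unencrypted:
        return False, "PHI over unencrypted channel without patient opt-in; limit content"
    return True, "ok"
```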
However, patients benefit significantly from clear, timely and comprehensive information shared safely between themselves and their care providers. When multiple health care providers can communicate freely without concerns around protecting patient privacy and HIPAA compliance, all parties are fully informed and equipped to jointly deliver the best possible care.
Assuming that email serves as a reasonable alternative means of communication between patients and providers, patients can opt to receive unencrypted emails. And, if patients initiate communications with providers via email, it seems reasonable to assume that they’re open and willing to communicate electronically unless they specifically state otherwise.
However, since most patients don’t fully understand the risks associated with electronic transmission of personal health information, it’s important to proactively protect them from breach. It’s not only in the best interest of the patient but also in the best interest of the provider to avoid legal and regulatory exposure associated with HIPAA compliance failure.
The HIPAA Privacy Rule does allow covered entities participating in electronic health information exchange to establish a common set of safeguards to protect patient privacy. While it does require that each covered entity install reasonable safeguards around intentional and unintentional improper use or disclosure, each entity can evaluate its own needs and functions to implement the proper protocols.
We’re all entitled to privacy as a patient, and we all want the best possible care. And the best possible care is achieved when physicians and patients have an open and clear line of communication that’s properly protected. This is what HIPAA compliant email programs are all about.