Today I am giving you a quick HIPAA update and tackling one of the most frequently asked questions that I get daily from my members. I've counseled most of them on this, and now it's time to share the information with you.
The question practitioners ask me most often right now is, "Can I email my patients?" In other words, does HIPAA allow you to email your patients? The answer from HHS is a qualified yes, but I would say it's a qualified no from me. Let's take a look at these differences.
The United States Department of Health and Human Services (HHS) has an article first published in 2008 (last refreshed in 2013) that says the Privacy Rule does allow you to email patients, even about health issues and treatment plans, which would traditionally be PHI (Protected Health Information). Also, according to HHS, unencrypted email is not prohibited and is allowed. However, the same article also references the reasonable safeguards you must adhere to under the Privacy Rule, specifically C.F.R. § 164.530(c). It goes even further and says that you should be cognizant of your responsibilities under the Security Rule, citing the entire subpart "C" of CFR § 164, adding that you must remember to follow the Security Rule as well.
Remember, HHS and the Office for Civil Rights (OCR) don't expect perfection. They DO expect you to create a culture of compliance, which means striving for perfection daily. How can you prove you were striving for perfection? Include safeguards in your HIPAA Policies and Procedures Manual that are designed to comply with both the letter and the spirit of the regulations, and then actually implement and follow your own policies and procedures.
For me, if this were my practice, I would not communicate any PHI over email. This is how I advise my wife's practice, which I counsel, as well. She and her workforce are not to communicate any PHI with patients via email. Instead, they communicate through the EMR (Electronic Medical Record), sometimes called the "patient portal." There are a few reasons for this. One reason is that email is unencrypted for the most part. Some email providers may say that their emails are encrypted up to 90%, but that's not the default. You have to get the HIPAA-compliant version of that email service and then have the email service provider, such as Google, Hotmail, Outlook, or whichever you're using these days, sign a business associate agreement, because now they will be holding emails (and perhaps even archiving them) that contain PHI. They must safeguard this information as well. This is risky!
Another reason to avoid email for PHI: when you start typing in an email address, many email service providers use autofill, which is also super risky when sending confidential information. I've made this mistake through various business or personal emails where I've tried to send an email to "John Doe," but I ended up sending it to "John Deere." I was going too quickly and sent it to the wrong John. This is too easy an error to make, and all of a sudden, you'll have a HIPAA incident on your hands. Therefore, you don't want to send PHI over email, whether encrypted or unencrypted. While the technology is great if it's encrypted, there is still a fallible person behind the communication. Usually, the cause of HIPAA breaches is human error, so I wouldn't recommend it. Take the appropriate safeguards and train your workforce to do the same, because while HHS says that there's nothing technically prohibiting it, that won't be a great defense if there is an unintentional incident or breach due to human error.
Another point of discussion is when patients request that you send them information via email. You can do that. However, I would have them sign a consent form that basically says, "I agree and understand that email is not secure. I consent to the use of email communications for my health information." I would also suggest using an encrypted email service provider, which you usually have to pay a little bit extra for but which can offer a little more protection. This way, you can more confidently send appointment reminders and some administrative communications such as rescheduled appointments, classes you may be teaching, etc. Just be certain that you are using the appropriate safeguards under the Privacy and Security Rules. If you don't know what those are, reach out to us at Functional Lawyer, and we can fill you in. And if you do know what those are, keep on doing well in your practice: keep using the Security Rule Standards and the Privacy Rule Standards, and keep conducting your periodic reviews and self-audits of both your policies and procedures. Make sure you are covering all requirements entailed within the Security and Privacy Rules.
To summarize, can you communicate a patient's PHI over email? Technically, yes.
But, from a risk-benefit perspective, I'd recommend not only getting an encrypted email service provider but also sending PHI, treatment, or health issue information through a more secure method, such as messages in your EMR or EHR sent through the secure patient portal.
Additionally, make sure that when patients request email communication, whether the email contains PHI or not, you have them sign a consent form stating that they are aware of the risk, are waiving their rights, and are requesting that their communications be sent unencrypted, which they have the right to do under the Privacy Rule.
But again, there's more than one rule at play here, and the possibility for human error is high. To be safe, if your communication is treatment-related, keep it in an EMR, and definitely spend a little bit of extra money to get a HIPAA-compliant, encrypted email service provider. Additionally, train your workforce on which type of communication is which: PHI emails are often related to treatment, follow-up plans, and protocols, versus administrative and logistical emails that may be more appropriate for your encrypted email service provider.
As always, if you have any questions about any of the above, follow us at functionallawyer.com and on any of our social media channels (Facebook, Instagram, LinkedIn, and Twitter). And you can always reach out to me directly to schedule a consultation.