Need further proof that, even two decades after its passage, HIPAA continues to raise questions about compliance? Having already considered the do’s and don’ts of HIPAA-compliant social media and HIPAA-compliant mobile strategies, consider this scenario shared by Jim Hook, Director of Consulting for The Fox Group LLC:
The question at hand regarded a doctor who, having left a practice to start his own, sent out a mass email explaining how patients could request their records from the original practice. Not only did the distribution list include people who were identified as active patients of his former practice; it apparently was obtained from a vendor the original practice had used for its digital marketing. Long story short, the questioner wanted to know whether this constituted a HIPAA breach and, if so, by whom.
While Hook is quick to assert he’s not providing legal advice (nor is this blog), he suggests that the email does, indeed, constitute a breach, at least for the doctor who sent it and quite possibly the vendor who provided him with the list. He also notes that, even if the original practice wasn’t involved, reporting the disclosure could subject it to further scrutiny by the HHS’ Office of Civil Rights, which investigates and enforces the regulations.
It’s a sticky wicket, and HHS guidance is pretty vague on what does and does not constitute compliance, saying essentially that using email is okay as long as “reasonable safeguards” are employed, which leaves “reasonable” open to interpretation. For his part, Hook provides more practical advice, some of which is summarized below:
Be the HIPAA expert on behalf of your patients
Before corresponding with patients via email, remind them that, unless it’s encrypted, email is not a secure medium and therefore presents a risk of divulging PHI. For their own protection, suggest that patients avoid including any PHI in their emails, and remember that, even if they do include it, that doesn’t mean they’ve given you permission to do the same.
Confirm (in writing) the patient’s consent to receive communication by email
For the record, the regulations say that if a patient initiates communications with a provider using email, then a healthcare provider can assume that email communications are acceptable to the individual, unless the patient has explicitly stated otherwise. Even so, the smarter strategy is to invite patients to opt-in for email communications when they fill out their initial paperwork, especially when such communications may include PHI.
Utilize a secure, HIPAA-compliant email application
If patients give you permission to communicate via email, consider using a system that automatically encrypts such messages. A quick internet search for “HIPAA compliant email services” returns dozens of vendors. If a patient asks you to send protected information to an unsecured address (e.g., web mail services), remind them that such systems are not secure, confirm they still want the information sent, and document their approval.
Consider conducting PHI-related communications via a patient portal
According to a study by aetnahealth, 87% of patients want electronic access to their medical records, yet only 37% have such access through a patient portal. Research also suggests that providing a portal facilitates patient retention through easier appointment scheduling, access to treatment plans, and the like, not to mention the ability to discuss care via a secure medium. Most portals utilize secure channels for the information available via the portal, writes Hook, but make sure the vendor certifies that fact — and then test it yourself prior to encouraging patients to use it.
Whatever strategies you decide to use, it’s worth remembering that while HIPAA is primarily designed to protect patients, complying with the guidelines will protect your practice, too.