ePHI in Text Messages and Insecure Email: Does HIPAA allow Mutual Consent?

January 18th, 2015

“Lets just agree that insecurely texting or emailing your medical appointments or lab results to your is OK….”  Can you actually have such a discussion and agreement with a patient or organization?

HIPAA is pretty adamant that email messages containing ePHI must be properly handled, and that includes transport encryption and archival.  However, encrypting all routine communications between doctor and patient is excessively tedious in some situations.

Enter the idea of “Mutual Consent” where doctor and patient both agree that email containing ePHI can be sent from the doctor to the patient’s regular email account without any special considerations or encryption.  This is a small “holy grail” that doctors like to imagine as “if all their patients consent then the doctors do not have to worry about secure email.”

It’s really not that simple, though.  Here we explain way.  Note that this is not intended as legal advice … you should always contact your lawyer for advice on how HIPAA applies specifically to your situation and for clarification on grey areas of the law such as this.

Mutual Consent Background

HIPAA Privacy Rule, HHS states (in the answer to FAQ #3 “Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?”):

The Privacy Rule allows covered health care providers to communicate
electronically, such as through e-mail, with their patients, provided they apply
reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example,
certain precautions may need to be taken when using e-mail to avoid
unintentional disclosures, such as checking the e-mail address for accuracy
before sending, or sending an e-mail alert to the patient for address confirmation
prior to sending the message. Further, while the Privacy Rule does not prohibit
the use of unencrypted e-mail for treatment-related communications between
health care providers and patients, other safeguards should be applied to
reasonably protect privacy, such as limiting the amount or type of information
disclosed through the unencrypted e-mail. In addition, covered entities will want
to ensure that any transmission of electronic protected health information is in
compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164,
Subpart C.

In particular, this implies that email messages CAN be sent insecurely to patients.  In the comments to 164.524(c) of the Federal Register, Covered Entities have asked for clarification on this exact point (see this link for reference … this same content is also in the preamble to the HIPAA Omnibus Final Rule):

Comment: Several commenters specifically commented on the option to provide electronic protected health information via unencrypted email. Covered entities requested clarification that they are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. Some felt that the “duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome on covered entities. Covered entities also requested clarification that they would not be responsible for breach notification in the event that unauthorized access of protected health information occurred as a result of sending an unencrypted email based on an individual’s request. Finally, one commenter emphasized the importance that individuals are allowed to decide if they want to receive unencrypted emails.

Response: We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. We disagree that the “duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome on covered entities and believe this is a necessary step in protecting the protected health information. We do not expect covered entities to educate individuals about encryption technology and the information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.

What does this mean?

So, it appears that while the HIPAA Security Rule expressly states that ePHI should be encrypted, the commentary indicates that it can be sent insecurely if:

  1. The individual is clearly informed of the security risks of that and a secure option is recommended.
  2. The individual indicates in writing that it is OK to send them ePHI via insecure email.
  3. The Covered Entity keeps explicit records of all of these “mutual consent” cases, including the content of the risk warnings and the written approval from the individual.

Ramifications and Limitations

Clearly Warn and Document Everything in Writing

If you send ePHI to an individual insecurely and that is viewed by someone else, then that would be a breach of HIPAA under normal circumstances. In order to limit your liability and culpability, you need to:

    1. Prove that you gave clear warning and advise to all individuals involved, regarding the dangers of sending ePHI insecurely.
    2. Prove that they explicitly agreed to insecure communications.

This means, for every patient or individual that you wish to establish mutual consent for insecure email, that you need to:

  1. Sit down with them and present the options and properly warn of the danger of insecure email.
  2. Have them explicitly sign a waiver for mutual consent.
  3. Do not bury that warning and waiver on boiler plate paperwork that everyone signs and which few read.  This should be an explicit opt in to mutual consent.
  4. Save these documents for each individual and have a clear list of who has opted for mutual consent.

Don’t Forget Email Archival and Auditing

Even if you can send certain email messages insecurely via mutual consent, HIPAA still requires archival of these communications.  Also, you must keep a record of all of these messages that were sent and that they were sent insecurely.

E.g. don’t run off to Gmail to send these messages just because they can be insecure!  You must still use a HIPAA-compliant system that can archive them, log them, ensure your “saved sent” copies are HIPAA compliant, etc.  Mutual Consent is not a get out of jail free card…. it’s more of a “make things a little easier for the individual and take larger risks upon yourself card“.

Who Can’t Consent?

The guidance from Health and Human Services indicates that it is possible to establish mutual consent between the organization and “individuals”.  E.g., people that are not otherwise Covered Entities or Business Associates.  This means that:

  1. All ePHI-laden email between members of your HIPAA-covered organization must be protected per the Security Rule (no mutual consent for internal communication of ePHI)
  2. All ePHI-laden email with with Business Associates must also be protected by the Security Rule (no mutual consent)
  3. Due to the requirement for a systematic, documented procedure for warning the individual, having a waiver signed, and documenting this process, not “just anyone” at your organization should be permitted to establish “mutual consent” agreements with individuals — only those trained in the process and designated with that authority by your HIPAA Security Officer should do that.

Can All Email Be Sent Insecurely under Mutual Consent?

This is really ambiguous.  On the one hand, you have consent.  On the other, the individuals are not really savvy in the actual risks.  Finally, the sensitivity of the ePHI can vary greatly from an almost innocuous appointment reminder to a very, very sensitive test result.  The risk to the patient thus also varies greatly.  If someone discovers an appointment, it might not be terrible.  If someone discovers that someone has a disease, the results could be disastrous.

The way HIPAA works, it falls on you to determine if the risks involved, even under mutual consent, warrant the method of communications involved.  You have to show, in a HIPAA audit, that you have everyone’s best interests in mind and are adequately addressing the risks with the technology at hand.

What about SMS / Text Messages

The same considerations regarding insecure email can be generalized to sending ePHI to individuals using insecure text messages, which is otherwise not a good idea under HIPAA.

Be Careful, Mutual Consent is a Legal Grey Area!

The concept of mutual consent only appears in comments and preambles to the actual HIPAA law.  This is guidance by Health and Human Services on how to interpret the law, and not necessarily law itself.  However, some would also argue that it can be interpreted that if an individual requests ePHI via insecure email, then you are required by HIPAA to provide it insecurely. Once more — we suggest that you consult your lawyer for the most current interpretation of this area.

If you are under the gun in a breach or law suit situation and you are sending ePHI in insecure email, you will be relying on:

  1. How well and clearly you warned your patients.
  2. If they were truly informed of the issue and actively opted for mutual consent.
  3. If this process was documented for all individuals in question.
  4. If it can be shown that this opt in was explicit and not implicit via signing a long boiler plate “getting started doing business with me” form.
  5. If the ePHI being communicated was not very sensitive so that the privacy impact on the patient upon compromise was minor.
  6. If your policies for managing consented vs non-consented patients are clear, documented, and followed.
  7. If you have policies for determining what should NOT be sent insecurely, even in the face of mutual consent.
  8. All of this is well documented in your HIPAA Risk Analysis.

Furthermore, you should review all of this with your lawyer and get his sign-off on it with respect to your particular organization’s business practices.

We would recommend avoiding Mutual Consent altogether and using a proven HIPAA Compliant secure email or text message option such that

  1. The individual recipients pick up the secure email messages via a secure web portal, or
  2. Where the individuals are advised to get a Gmail or other email account (if they do not have one) that supports TLS for inbound email encryption and then sending the messages from a HIPAA-compliant email provider that allows forced use of TLS for email transport to such individuals.  This will give those individuals “business as usual” email access and also meets the HIPAA Security Rule’s mandate for transport encryption.  And other non-TLS recipients can receive the messages much more securely via the secure web portal method.

This protects you from mistakes in sending insecurely to someone who has not consented, it protects your patients from “breaches” arising due to consent, and it shows that you care about their medical privacy.

If you do have cases where you use mutual consent to send insecure email, you should do it on a per-email basis (opting for non-encryption) and having each such choice clearly logged and audited.

Under Omnibus, even one missent email is reportable … just like “Opt In” encryption, use of mutual consent leaves lost of room for reportable and costly errors on your part.

Best to avoid them if possible.