HIPAA Compliance is Needed for Emailed Appointment Reminders
Twice in the past few weeks I have received appointment reminders or scheduling information from doctors via email — via insecure, non-HIPAA-compliant email.
An email message contains identifying information: my email address and my name. The appointment email messages also contain information about “the past, present, or future provisioning of health care to an individual” … me! Taken together, this means that these email messages are ePHI (more details – what is ePHI?) and needed to be secured in a HIPAA compliant manner.
That they were not compliant was obvious to me:
- One came from the doctor’s personal Gmail account — nothing from Gmail or Google Apps is compliant.
- The other came from an automated system, but landed in my INBOX as a regular looking email and TLS encryption was not even used for delivery (i checked … here is how you can check).
Of course, since email security is what we do for a living here, I asked each of these practitioners about it … for their own sake and the sake of their other patients if nothing else (I was not really concerned about my privacy with respect to these items, but that doesn’t mitigate the need for compliance).
The Gmail Case
In the first case, where the doctor was emailing appointment information from Gmail, she honestly had no clue that (a) this was not secure, and (b) that she even had to consider the security of this with respect to HIPAA. She also realized that she needed to update a lot of other things for compliance, as she had been so focused on her work that compliance was not on her radar. We see that a lot with small practices!
The Automated System Case
In the second case, the offending email was from an automated system letting me know of my upcoming optical appointment. When discussing it with the head doctor at the practice, the take away message was:
- He had no idea it was not secure.
- He was aware of the need for HIPAA.
- They outsource this stuff to a company who manages things for them and is medically specialized — so he merely assumed that it was all fine.
- He had no HIPAA Business Associate Agreement with them and never reviewed what they actually do for compliance or risk.
We see this a lot too — companies working in the medical field without a concept of the legal implications of doing so. Combine this with time-pressed doctors who would rather just get things working and trust the “technical stuff” to someone else, and you have a recipe for non-compliance and breach.
What To Do about Appointment Notices
Appointment notices are crucial to any practice as it helps reduce missed appointments and thus helps maximize “sales”. They have to be compliant, however. So, how can you do that? Here are some ideas:
- Manual Sending: You can send notices manually from a HIPAA-compliant email system.
- Automated Sending: Your automated system can connect securely to a HIPAA-compliant email system and send these messages as bulk transactional compliant email.
- Secure Portal: You could have a secure patient portal and send your patients a regular email notice to come look in the portal for an announcement. Since the regular email has no information in it other than “get an announcement” … there is no actual PHI and thus the message can go insecurely.In fact, this is how many secure email systems work — they send an insecure notice with no-PHI to recipients who click on a link and open a secure portal to read the PHI in a compliant way.
- Google Apps HIPAA Compliance Gotchas: Email encryption not included and higher price
- How to Setup HIPAA Mutual Consent for Insecure Email at LuxSci
- Are Replies to my HIPAA-Compliant Secure Emails also Secure?
- If my web site is very simple, do I have to worry about HIPAA compliance?
- HIPAA: A Crash Course