January 10th, 2014

How to Setup HIPAA Mutual Consent for Insecure Email at LuxSci

We have recently discussed how mutual consent may be used to send individuals ePHI via insecure email under HIPAA in certain cases.

If you have decided to use mutual consent in your organization and are properly informing and warning your patients of the privacy risks, getting proper written waivers from them, and documenting everything well in preparation for a HIPAA audit, then you’re all set to send the ePHI insecurely.

Right?  Well, there is a little more to it than that.

Insecure Email with ePHI is still email with ePHI

All the rules of HIPAA that apply to dealing with ePHI continue to apply to email messages that you send [insecurely] containing ePHI under a mutual consent agreement.

In particular:

  1. The email must be sent through a HIPAA-compliant email provider with whom you have a Business Associate Agreement.
  2. You must archive copies of all such emails that you send.
  3. You must keep an audit trail of the sending of such email, including the fact that the email was not sent securely.
  4. You must follow all of the other HIPAA-related guidelines.

This implies that you should send the insecure ePHI through the same provider you would use for regular encrypted ePHI — you can’t just run to insecure GoDaddy, regular Gmail, or some off-the-shelf appointment reminder software simply because encryption is not required.

Mutual Consent Encryption Opt Out at LuxSci

LuxSci has several different workarounds for customers who need to send some PHI-laden email and some regular email … so that the regular email can be sent normally, unencrypted.  These include:

  1. Have two separate users, one HIPAA-compliant and one not.  Select the appropriate user when sending the respective kind of email.  E.g. “doctor@secure.doctor.com” and “doctor@doctor.com” for the secure and regular email, respectively.
  2. Enable encryption Opt Out on a per-message basis.

The first method, separate users, is not really applicable for mutual consent.  This is because messages sent through the regular email user are not considered HIPAA-compliant and should never contain ePHI.  You might not have email archival on your insecure users, and there would be no special log indicating that a particular message was chosen to be sent insecurely.

The second option, explicit opt out, is recommended because:

  1. The message is sent by a HIPAA-compliant user
  2. The message will be archived if you have archival for your HIPAA email
  3. The sender chooses on a per-message basis if it can be sent insecurely
  4. The fact that it is sent insecurely is logged along with the sender, recipient, subject, etc.  This log is kept indefinitely.
  5. The message is treated like every other ePHI-laden email, just unencrypted.

It is desirable to opt out for each insecure email that may contain ePHI, just as it is desirable to opt out of sending securely for messages that do not contain ePHI.  This simple requirement of an explicit choice on the sender’s part greatly helps prevent:

  • Messages going insecurely that should have gone securely (a HIPAA breach)
  • Sending types of ePHI insecurely that are not covered by mutual consent (e.g. sensitive lab results vs an appointment reminder)

Opting out of encryption on a per-message basis is much safer and more secure than opting in … which is very dangerous under Omnibus.
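The fail-safe argument above can be made concrete with a small model of the two policies.  This is an added example, not LuxSci’s code or product logic: it assumes a hypothetical per-message `encryption_choice` flag and shows how a message the sender forgot to flag is handled under each policy, and that every send is recorded in an audit trail that includes whether it went out unencrypted.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

class Policy(Enum):
    OPT_OUT = "opt_out"  # default secure; sender must explicitly waive encryption
    OPT_IN = "opt_in"    # default insecure; sender must remember to request encryption

@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    # Hypothetical per-message flag: True = encrypt, False = send in the clear,
    # None = the sender made no explicit choice for this message.
    encryption_choice: Optional[bool] = None

@dataclass
class AuditEntry:
    sender: str
    recipient: str
    subject: str
    encrypted: bool
    explicit_choice: bool  # was the outcome chosen by the sender or by the default?

def decide_transport(msg: Message, policy: Policy, audit: List[AuditEntry]) -> bool:
    """Return True if the message must be encrypted, and record the decision."""
    explicit = msg.encryption_choice is not None
    if explicit:
        encrypt = bool(msg.encryption_choice)
    elif policy is Policy.OPT_OUT:
        encrypt = True    # fail safe: anything not explicitly waived goes encrypted
    else:
        encrypt = False   # fail open: anything the sender forgot to flag goes in the clear
    audit.append(AuditEntry(msg.sender, msg.recipient, msg.subject, encrypt, explicit))
    return encrypt

def insecure_sends(audit: List[AuditEntry]) -> List[AuditEntry]:
    """The part of the trail an auditor asks for: every message sent unencrypted."""
    return [e for e in audit if not e.encrypted]

def compare_policies() -> dict:
    # Constructed sample: a lab result the sender forgot to flag, and an
    # appointment reminder explicitly waived under mutual consent.
    forgotten = Message("doctor@secure.doctor.com", "patient@example.com", "Lab results")
    waived = Message("doctor@secure.doctor.com", "patient@example.com",
                     "Appointment reminder", encryption_choice=False)
    trail: List[AuditEntry] = []
    return {
        "forgotten_opt_out": decide_transport(forgotten, Policy.OPT_OUT, trail),
        "forgotten_opt_in": decide_transport(forgotten, Policy.OPT_IN, trail),
        "waived_opt_out": decide_transport(waived, Policy.OPT_OUT, trail),
        "insecure_count": len(insecure_sends(trail)),
    }
```

Under opt-out the forgotten lab result still goes encrypted; under opt-in the same omission becomes an unencrypted send, which is the breach scenario the text warns about.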

For more information on how to set up Opt Out for encryption at LuxSci, see:

When using HIPAA encryption opt out at LuxSci, the system is essentially asking you to confirm that the message in question does not contain ePHI at all.  This is appropriate when using it to differentiate PHI-laden vs. normal email.  When using it for mutual consent unencrypted email, you follow the same procedure… so that, as far as the system is concerned, the message does not contain ePHI that must be encrypted.
