HIPAA’s encryption requirements fall in a grey area, mainly for two reasons:
- encryption is required when ‘deemed appropriate’, which means email encryption is not absolutely necessary and ‘mutual consent’ can be used in place of encryption;
- a number of the technical safeguards pertaining to ePHI encryption are ‘addressable requirements’.
What exactly is mutual consent?
Mutual consent refers to a mutual understanding between doctor and patient that email containing ePHI can be sent to the patient’s email account without encryption. Patients should communicate their approval in writing after being informed of the security risks and understanding that a secure option is available. You must additionally maintain all records of mutual consent.
Mutual consent does not waive other HIPAA-related requirements. You must still use HIPAA-compliant systems, log and audit each decision not to encrypt, and back up and archive all email communications sent insecurely.
Encryption at rest is ‘addressable’
‘Addressable’ means that the safeguard should be implemented or an alternative to the safeguard that delivers the same results should be implemented. In the absence of both, you should document and justify why no action has been taken with regard to the safeguard.