Posts Tagged ‘hipaa’
Patient Privacy Issues with Unencrypted Email
Monday, August 28th, 2017
We have scoured the internet for real-life examples of email in medical settings to support the point made in past posts about the perils and pitfalls of unencrypted email. Email is one of the oldest (some even call it “legacy”) tools in our always-connected, digital world. However, its use between patients and their medical providers, and between doctors and their business associates, can be fraught with issues that may violate the provisions of the Health Insurance Portability and Accountability Act (HIPAA).
The HIPAA Privacy Rule requires covered entities and their business associates to protect patients’ health information from unauthorized disclosure. The HIPAA Security Rule does not mandate specific technologies or prohibit others; encryption of electronic PHI in transit is an “addressable” specification, meaning a covered entity must implement it where reasonable and appropriate, or document why an equivalent measure is used instead. In fact, HIPAA:
“…allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”
An imperfect understanding of patients’ privacy concerns, limited computer proficiency or computer access, and misguided usage policies all play a part in HIPAA privacy breaches. The consequences of such breaches can be quite burdensome for the medical provider.
Medical providers often forget, or are simply unaware of, “reasonable safeguards” that can easily be implemented to keep emails from leaking information that patients would consider private. By analyzing real-life examples of how email is used (or rather misused) in practice, we hope this post convinces you to adopt reasonable safeguards that make email a valuable and efficient part of your workflow while conforming to HIPAA.
Does my patient intake form need to be HIPAA compliant?
Wednesday, August 2nd, 2017
Our latest “Ask Erik” question asks when web-based patient-intake forms need to be HIPAA compliant:
B.G. asks:
“Do we need to be HIPAA compliant if our intake forms have patient name, birthday, and address, but no social security number or other insurance information?”
The short answer is “YES”.
You need to be concerned about HIPAA compliance whenever you collect or transmit individually identifiable health information. It is perhaps not surprising, but “identifiable” is a very broad concept: a name, a date of birth and a street address are each identifiers in their own right, and once any of them is attached to the fact that a person is seeking care from you, the form holds protected health information (PHI), with or without a Social Security number or insurance details.
Opt-In Email Encryption is Too Risky for HIPAA Compliance
Tuesday, July 11th, 2017
A majority of companies that offer email encryption for HIPAA compliance allow senders to “opt in” to encryption on a message-by-message basis. If the sender does nothing special, the email goes out in the normal, insecure way. If the sender explicitly checks a box or types a keyword in the subject or body of the message, then it is encrypted in a HIPAA-compliant manner.
Opt-in encryption is desirable because it is “easy.” End users don’t want any extra work and don’t want encryption requirements to slow them down, especially when many of their messages contain no PHI. It is “good for usability” and thus easy to sell.
However, opt-in encryption has been a very bad idea since the HIPAA Omnibus Rule took effect. It imposes a large amount of risk on an organization, and that risk grows with the number of people sending mail, because every one of them has to remember the keyword every single time. Organizations are responsible for the mistakes and lapses of their employees. Under the Omnibus Rule, an impermissible disclosure of unsecured (that is, unencrypted) PHI is presumed to be a reportable breach unless the organization can demonstrate a low probability that the PHI was compromised, and an employee who forgets the keyword and sends PHI in the clear to the wrong recipient has caused exactly that. Such breaches carry serious penalties.
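To make the fail-safe argument concrete, here is a small outbound-mail policy simulation that evaluates the same constructed batch of messages under an opt-in keyword policy and under an encrypt-by-default policy with an explicit opt-out backed by a content scanner. This is an added example written for this page; it is not code from any email product, and the keywords, the PHI heuristics and the sample messages are all assumptions constructed for illustration.

```python
"""Outbound-mail encryption policy: opt-in versus encrypt-by-default.

Added example, not the page's or any vendor's code. The keyword markers, the
PHI heuristics and the sample traffic below are all constructed.
"""
import re
from dataclasses import dataclass
from enum import Enum
from typing import List


class Mode(Enum):
    OPT_IN = "opt-in"               # encrypt only when the sender asks
    ENCRYPT_BY_DEFAULT = "default"  # encrypt unless sender AND scanner clear it


@dataclass(frozen=True)
class Message:
    recipient: str
    subject: str
    body: str
    contains_phi: bool  # ground truth for the simulation; the gateway never sees it


# Hypothetical sender-controlled markers (assumed, not from any product).
ENCRYPT_KEYWORD = "[secure]"  # opt-in: "please encrypt this one"
PUBLIC_KEYWORD = "[public]"   # opt-out: "this one is not sensitive"

# Constructed, deliberately narrow PHI heuristics. They catch obvious markers
# (a DOB, an MRN, clinical vocabulary) and miss plain prose such as
# "her biopsy came back positive". That gap is part of the demonstration.
PHI_PATTERNS = [
    re.compile(r"\bDOB\b[:\s]*\d{1,2}/\d{1,2}/\d{2,4}", re.I),
    re.compile(r"\bMRN[:\s#]*\d{6,}", re.I),
    re.compile(r"\b(?:diagnos(?:is|ed)|prescription|lab results?)\b", re.I),
]


def scanner_flags(msg: Message) -> bool:
    """Content scanner used only as a backstop; True if it recognises PHI."""
    text = f"{msg.subject}\n{msg.body}"
    return any(p.search(text) for p in PHI_PATTERNS)


def decide(msg: Message, mode: Mode) -> str:
    """Return 'encrypt' or 'plaintext' for one outbound message."""
    subject = msg.subject.lower()
    if mode is Mode.OPT_IN:
        # The gateway acts only if the sender remembered the keyword.
        return "encrypt" if ENCRYPT_KEYWORD in subject else "plaintext"
    # Encrypt-by-default: silence means encrypt. Plaintext requires BOTH an
    # explicit sender opt-out AND a clean scan, so a single lapse cannot leak.
    if PUBLIC_KEYWORD in subject and not scanner_flags(msg):
        return "plaintext"
    return "encrypt"


def breaches(messages: List[Message], mode: Mode) -> List[Message]:
    """Messages that really contain PHI but left the gateway unencrypted."""
    return [m for m in messages if m.contains_phi and decide(m, mode) == "plaintext"]


# Constructed sample traffic: one diligent sender, three ordinary lapses,
# and two genuinely non-sensitive messages.
SAMPLE = [
    Message("pt@mail.example", "[secure] your visit summary",
            "DOB 03/14/1980, MRN 00123456, see attached.", True),
    Message("payer@ins.example", "claim follow-up",
            "Patient John Q, diagnosis code attached, lab results enclosed.", True),
    Message("colleague@other.example", "re: that patient",
            "Her biopsy came back positive, call me.", True),
    Message("payer@ins.example", "[public] claim follow-up",
            "Resending: diagnosis code and lab results enclosed.", True),
    Message("vendor@supply.example", "[public] parking lot repaving",
            "Lot closes Friday at noon.", False),
    Message("staff@clinic.example", "staff meeting moved",
            "Moved to 3pm Thursday.", False),
]


if __name__ == "__main__":
    for mode in Mode:
        leaked = breaches(SAMPLE, mode)
        print(f"{mode.value:8s}: {len(leaked)} PHI message(s) sent in the clear")
        for m in leaked:
            print(f"   - {m.subject!r} to {m.recipient}")
```

Under the opt-in policy every message whose sender forgot the keyword leaves in plaintext, including the one mislabelled “[public]”, so three of the four PHI messages become breaches. Under encrypt-by-default the forgotten keyword is harmless, the mislabelled message is caught by the scanner, and only the genuinely non-sensitive, explicitly opted-out message goes out unencrypted; the scanner’s blind spot (the biopsy message) never matters because nothing ever opted it out. The cost is that the unmarked staff-meeting message is encrypted too, which is the usability trade the post is arguing you should accept.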
How Is HIPAA-Compliant Email Different from Secure Email?
Wednesday, June 21st, 2017
Protected health information (PHI) is heavily regulated under HIPAA, but the exact details can be confusing. The regulations are designed to keep everyone’s private information safe, but they also put a significant amount of responsibility on businesses.
HIPAA regulations apply to just about every aspect of a person’s medical information, including its transmission, storage and security. Because email is such an important and extensively used form of communication, HIPAA regulations apply to it as well.
Some may think that secure, encrypted email is all you need to keep PHI safe and emails compliant. In reality, HIPAA email requirements go beyond standard secure email: for example, a provider that handles PHI on your behalf must sign a business associate agreement, and access to stored messages must be controlled and auditable. To protect your business, make sure your email provider is HIPAA-compliant, not just secure.