hipaa Archives - Page 13 of 22 - LuxSci

Posts Tagged ‘hipaa’

HIPAA FAX Breach: Why health care should finally stop faxing

Monday, September 11th, 2017

For more information, see:


Text “NO” to stop the HIPAA Violations

Wednesday, August 30th, 2017


Patient Privacy Issues with Unencrypted Email

Monday, August 28th, 2017

We have scoured the internet for real-life examples of email used in medical settings to back up the point made in past posts: unencrypted email is a perilous way to carry patient information. Email is one of the oldest tools in our always-connected, digital world (some even call it “legacy”). When it is used between patients and their medical providers, or between doctors and their business associates, it can easily run afoul of the Health Insurance Portability and Accountability Act (HIPAA).

The HIPAA Privacy Rule requires covered entities and their business associates to protect patients’ health information from unauthorized disclosure. The HIPAA Security Rule does not mandate specific technologies or prohibit others. In fact, HHS guidance states that HIPAA:

“…allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”

An imperfect understanding of patients’ privacy concerns, limited computer skills or access, and misguided usage policies all contribute to HIPAA privacy breaches. The consequences of such breaches can be quite burdensome for the medical provider.

HIPAA-compliant email

Medical providers often forget (or are unaware of) the “reasonable safeguards” that can easily be put in place to keep email from leaking information that patients would consider private. By analyzing real-life examples of how email is used (well, actually misused) in practice, we hope this post shows which safeguards make email a valuable and efficient part of your workflow while still conforming to HIPAA.


Does my patient intake form need to be HIPAA compliant?

Wednesday, August 2nd, 2017

Our latest “Ask Erik” question asks when web-based patient-intake forms need to be HIPAA compliant:

B.G. asks:

“Do we need to be HIPAA compliant if our intake forms have patient name, birthday, and address, but no social security number or other insurance information?”

The short answer is “YES”.

You need to be concerned about HIPAA compliance whenever you collect or transmit individually identifiable health information. It is perhaps not surprising, but “identifiable” is a very broad concept: a name, a date of birth, or a street address is enough on its own, with no social security number or insurance details required.


Opt-In Email Encryption is Too Risky for HIPAA Compliance

Tuesday, July 11th, 2017

A majority of companies that offer email encryption for HIPAA compliance allow senders to “opt-in” to encryption on a message-by-message basis. If the sender “does nothing special” then the email will be sent in the normal/insecure manner of email. If the sender explicitly checks a box or types a keyword in the body or subject of the message, then it will be encrypted and HIPAA-compliant.

Opt-in encryption is desirable because it is “easy.” End users don’t want any extra work and don’t want encryption requirements to slow them down, especially if many of their messages do not contain PHI. It is “good for usability” and thus easy to sell.


However, since the HIPAA Omnibus Rule took effect, opt-in encryption is a very bad idea. It places a large amount of risk on an organization, and that risk grows with every additional person who is trusted to remember the keyword or check the box. Organizations are responsible for the mistakes and lapses of their employees, and under the Omnibus Rule an unencrypted email containing PHI sent to the wrong place is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. Such breaches can carry serious penalties.
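To make the difference concrete, here is an added example (not LuxSci code or a description of any vendor’s product) that models an outbound mail gateway’s encryption decision under the two policies described above. The trigger keywords `[secure]` and `[nophi]`, the PHI patterns, and the sample messages are all hypothetical and constructed for illustration; real deployments need tuned detection rules. The point it shows is that under opt-in, one forgotten keyword sends PHI in the clear, whereas an encrypt-by-default policy with a scanner as a safety net catches both the forgotten keyword and a mislabeled message.

```python
"""
Added example: opt-in keyword encryption versus encrypt-by-default (opt-out)
for an outbound mail gateway, with a rough PHI scan as a safety net.
All keywords, patterns and messages below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List

# Hypothetical sender-controlled markers (assumptions, not a real product's syntax).
SECURE_KEYWORD = "[secure]"      # opt-in: "please encrypt this one"
PLAINTEXT_KEYWORD = "[nophi]"    # opt-out: "this one carries no PHI"

# Illustrative PHI indicators. A real DLP rule set would be far broader.
PHI_PATTERNS = [
    re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.I),                 # medical record number
    re.compile(r"\bDOB:?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.I),      # date of birth
    re.compile(r"\b(?:diagnos|prescri|lab result|HbA1c)\w*", re.I),  # clinical terms
]


@dataclass
class Message:
    subject: str
    body: str

    def text(self) -> str:
        return self.subject + "\n" + self.body


def has_keyword(msg: Message, keyword: str) -> bool:
    """Case-insensitive check for a marker anywhere in subject or body."""
    return keyword in msg.text().lower()


def looks_like_phi(msg: Message) -> bool:
    """Heuristic scan: does any constructed PHI pattern match?"""
    return any(p.search(msg.text()) for p in PHI_PATTERNS)


def decide(msg: Message, mode: str) -> str:
    """Return 'encrypt' or 'plaintext' for the given policy mode.

    opt-in : encrypt only when the sender added SECURE_KEYWORD.
    opt-out: encrypt everything unless the sender added PLAINTEXT_KEYWORD
             AND the scanner finds nothing that looks like PHI.
    """
    if mode == "opt-in":
        return "encrypt" if has_keyword(msg, SECURE_KEYWORD) else "plaintext"
    if mode == "opt-out":
        if has_keyword(msg, PLAINTEXT_KEYWORD) and not looks_like_phi(msg):
            return "plaintext"
        return "encrypt"
    raise ValueError(f"unknown mode: {mode}")


def exposed_phi(messages: List[Message], mode: str) -> List[str]:
    """Subjects of messages that would leave in plaintext while carrying PHI."""
    return [m.subject for m in messages
            if decide(m, mode) == "plaintext" and looks_like_phi(m)]


# Constructed sample traffic (no real patient data).
SAMPLES = [
    Message("Lab results", "Patient MRN 00123456: HbA1c 7.9%, please review."),  # forgot [secure]
    Message("[secure] Referral", "DOB 03/14/1962, diagnosis attached."),
    Message("Lunch Friday?", "Noon at the usual place?"),
    Message("[nophi] Staff meeting", "Agenda attached."),
    Message("[nophi] Follow-up", "Patient DOB 01/02/1980 needs a callback."),    # mislabeled
]

if __name__ == "__main__":
    for mode in ("opt-in", "opt-out"):
        print(f"{mode:8s} exposed PHI in: {exposed_phi(SAMPLES, mode)}")
```

Running the block prints two PHI-bearing messages leaking under opt-in (the forgotten keyword and the mislabeled message) and none under opt-out. The scanner is deliberately crude; its job in the opt-out model is only to veto a sender’s “no PHI” claim, so a false positive costs an unnecessary encryption rather than a breach.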
