Email is the most convenient way of communicating with patients. HIPAA permits email communications but expects covered entities to take the necessary precautions to protect the integrity and security of patient health information shared via email.
HIPAA email rules
HIPAA email rules require covered entities to implement controls and security measures that restrict access to PHI, ensure the integrity of PHI at rest, safeguard PHI against unauthorized access in transit and ensure message accountability. The language of the HIPAA Security Rule matters here, because some standards are ‘required’ and some are ‘addressable’. Required specifications must always be implemented. An addressable specification need not be implemented if a thorough risk analysis concludes that doing so is not reasonable and appropriate; in that case it can be replaced by an equivalent alternative measure.
Any decision you take regarding addressable specifications needs to be documented in writing. That means you cannot simply “opt out” of addressable specifications.
Sending PHI by email? Consider these risks
When transmitted via email, PHI is exposed to many risks, such as:
- the message could be mistakenly sent to an unintended recipient
- the email could be intercepted en route to the recipient
- the message could be inappropriately accessed while in storage