Sending an email that complies with HIPAA security policies requires a number of factors to be considered. There are certain do's and don'ts of email. For HIPAA and email to coexist, HIPAA security training should be followed religiously. The HIPAA Privacy Rule allows a covered entity or its business associates to communicate electronically with patients by email, provided reasonable safeguards are applied while doing so.
If a patient initiates contact with the health care provider by email, the provider can assume that email is an acceptable means of communication unless the patient has explicitly stated otherwise. If the provider believes the patient may not be aware of the risks of unencrypted email, the provider should alert the patient to those risks and let the patient decide whether to continue communicating by email.
The Privacy Rule goes further and states that patients have the right to ask the provider for a different means of communication. This means the provider should communicate with the patient in the way the patient prefers, not in the way that is most convenient for the provider. If the use of unencrypted email is not acceptable to the patient, a safer and more secure means of communication (for example a secure patient portal, postal mail or telephone) should be offered and accommodated.
The Security Rule does not prohibit the use of email to send ePHI; it does, however, set standards that protect ePHI against unauthorized access. Here is a list of best practices for keeping email compliant with the HIPAA security policies:
1] ENCRYPT EMAIL MESSAGES- If the provider is not using a patient portal or a secure email application, encrypt every message that is sent. Any attachment must be encrypted as well; an encrypted message with a plaintext attachment still exposes the PHI.
2] CAPTURE EACH PATIENT'S CONSENT TO RECEIVE COMMUNICATION BY EMAIL- Communication consent should be recorded for each patient. Whether the patient opts in to or out of email should be documented in writing.
3] UTILIZE A SECURE HIPAA COMPLIANT EMAIL APPLICATION- Any communication done by email should go through an application that complies with the HIPAA security policy.
4] MESSAGE PATIENTS THROUGH AN EMR PORTAL- The best option for sending messages in compliance with HIPAA security is a secure EMR portal. Patients log in to view appointment reminders, test results and physician messages, so the content never leaves the provider's system as ordinary email and the risk of it leaking in transit is removed.
HIPAA requires that ePHI remain protected both at rest and in transit, and the transmission security standard covers the in-transit part. The information must therefore be protected on workstations and servers and encrypted at every hop, because email crosses the public Internet. Upholding transmission security affects the email systems that healthcare professionals use. A Business Associate Agreement (BAA) with the email service provider is necessary. The BAA covers the provider's servers; the rest of the chain must be protected by the covered entity and the patient. If a breach occurs, both parties are liable.
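As an added example (not code from the original page or from any product it mentions), the following Python script shows what "encrypt the message and the attachment" from item 1] and "protected at rest and in transit" from the paragraph above look like in practice: the PHI document is encrypted with AES-256-GCM before it is attached, so it stays unreadable even if a hop between mail servers lacks TLS or the mailbox is exposed later. It uses the third-party `cryptography` package. The addresses, the filename, the sample lab report and the assumption that a per-patient key has already been shared out of band (for example through the patient portal) are all constructed for illustration.

```python
"""Attachment-level encryption for ePHI sent by email (added example).

Assumes the third-party `cryptography` package (pip install cryptography)
and that the recipient already holds the per-patient key, obtained out of
band. Addresses, filename and the sample report are constructed.
"""
import os
import email
import email.policy
from email.message import EmailMessage
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the recommended size for AES-GCM

# Constructed sample document standing in for a lab result that is ePHI.
SAMPLE_REPORT = b"Patient: Jane Doe\nMRN: 000001\nHbA1c: 6.1%\n"


def encrypt_attachment(plaintext: bytes, key: bytes, filename: str) -> bytes:
    """AES-256-GCM encrypt `plaintext`; returns nonce || ciphertext || tag.

    The filename is bound as associated data, so a ciphertext cannot be
    silently re-labelled as a different document without failing to decrypt.
    """
    nonce = os.urandom(NONCE_LEN)
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, filename.encode())
    return nonce + ciphertext


def decrypt_attachment(blob: bytes, key: bytes, filename: str) -> bytes:
    """Inverse of encrypt_attachment. Raises InvalidTag on any modification."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ciphertext, filename.encode())


def build_message(sender: str, recipient: str, key: bytes,
                  filename: str, document: bytes) -> EmailMessage:
    """Build a MIME message whose only PHI sits inside the encrypted attachment.

    Headers and the text body are NOT covered by attachment encryption and
    cross the Internet in the clear, so they are kept free of patient details.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Encrypted document from your clinic"
    msg.set_content(
        "An encrypted document is attached. Decrypt it with the key "
        "you received through the patient portal."
    )
    msg.add_attachment(
        encrypt_attachment(document, key, filename),
        maintype="application", subtype="octet-stream",
        filename=filename + ".enc",
    )
    return msg


def open_message(raw: bytes, key: bytes) -> bytes:
    """Parse a received message and decrypt its first .enc attachment."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.endswith(".enc"):
            return decrypt_attachment(part.get_payload(decode=True), key, name[:-4])
    raise ValueError("no encrypted attachment found")


def demo() -> dict:
    """Round-trip the sample report and report the checks a reviewer cares about."""
    key = AESGCM.generate_key(bit_length=256)  # per-patient key, shared out of band
    raw = build_message("clinic@example.org", "patient@example.net",
                        key, "lab-result.txt", SAMPLE_REPORT).as_bytes()

    # Simulate an attacker flipping a byte of the attachment in transit.
    tampered = bytearray(encrypt_attachment(SAMPLE_REPORT, key, "lab-result.txt"))
    tampered[-1] ^= 0x01
    try:
        decrypt_attachment(bytes(tampered), key, "lab-result.txt")
        tamper_detected = False
    except InvalidTag:
        tamper_detected = True

    return {
        "plaintext_leaked": b"MRN: 000001" in raw,  # must be False: only ciphertext is on the wire
        "recovered": open_message(raw, key),          # the patient gets the original back
        "tamper_detected": tamper_detected,           # GCM tag rejects modified ciphertext
    }


if __name__ == "__main__":
    print(demo())
```

Note what this does and does not protect: the attachment body is confidential and tamper-evident end to end, but the envelope (sender, recipient, subject, timestamps) is still visible to every mail server in the path, which is why the subject line above says nothing about the patient. Transport TLS between servers and the BAA with the mail provider are still needed for the parts of the message this scheme cannot cover.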
An email disclaimer or notice of confidentiality does not permit sending information without encryption. A disclaimer is not a substitute for encryption; it merely informs patients and other recipients of the sensitivity of the PHI and how it should be handled.