HIPAA Email Compliance – What You Need to Know
Over the past decade, electronic messaging has become a preferred method for both personal and professional communication. Despite its rapid rise, healthcare providers remain bound by patient privacy laws that restrict doctor-patient interaction to secure forms of communication. Any attempt to step outside those boundaries could result in massive fines and criminal penalties.
If you are a physician or healthcare provider, protecting your practice does not have to mean giving up on email altogether. However, there are some important components of the law you need to know about before taking your communications online.
Sending Electronic Protected Health Information (ePHI) Via Email
In order to clarify any confusion, the U.S. Department of Health and Human Services expressly answered a question that was on everyone’s mind regarding electronic communication of protected health information: Are healthcare providers allowed to send personal health information to a patient or other healthcare provider in an email via the Internet?
According to HHS, the simple answer is yes, PHI may be sent through electronic communications. However, there are restrictions and expectations concerning the actions taken to protect the integrity of that information and safeguard against any unauthorized access to that information. Furthermore, the responsibility lies with the healthcare provider to evaluate the security of open network communications and identify an acceptable solution for safe transmission.
The only time it is acceptable to use non-secured email is at the express request of the patient; specifically, the patient must opt in (not opt out) to such communications and must also be fully aware of the potential risks and consequences of communicating through a non-secured platform. Not only is this impractical for daily communication needs, it also requires you to prove that the patient is informed and has consented to these risky online interactions.
“HIPAA Rules Violation Fine Has Been Increased to $1.5 Million”
HITECH and the Final Omnibus Rule
In 2009, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act with the intention of strengthening HIPAA’s security and privacy rights for patients. The law was enacted on the assumption that the electronic transfer of private health information would increase in the coming years. In 2013, the U.S. Department of Health and Human Services published the Final Omnibus Rule, a complete set of rules and regulations designed to implement and uphold the provisions of the HITECH Act.
Under the Final Omnibus Rule, both the healthcare provider and his or her business associates are liable for protecting private health information. At 563 pages, it is hardly a small tweak to pre-existing privacy laws, either. In fact, the Final Omnibus Rule created the most sweeping changes to patient privacy regulations since HIPAA was first enacted in 1996. When it was enacted, HHS Secretary Kathleen Sebelius was quoted as saying, “The new rule will help protect patient privacy and safeguard patients’ health information in an ever-expanding digital age.”
Astronomical Fines, Increased Government Power
Perhaps most notable is the provision in the Final Omnibus Rule that substantially raises the maximum fine for non-compliance and also expands government jurisdiction to investigate and uphold the law. The Omnibus Rule allows for enormous fines, scaled according to the level of negligence involved in breaking the law. For those found guilty of extreme negligence, the fines could soar as high as $1.5 million, up from just $250,000 under the previous HIPAA guidelines. According to Section 160.404 of the HITECH Act, first-time offenders who were not aware of their HIPAA violations typically pay lower penalties, though still as much as $50,000. Those who act with willful negligence or commit repeat offenses could see their fines soar much higher.
Furthermore, greater efforts are being made to identify healthcare providers and their associates who are not using secure ePHI transmission protocols. The Omnibus Rule grants HHS the power to investigate any violation claims, as well as to carry out randomized audits and reviews of the email practices of hospitals, physicians and other medical entities. In fact, it not only allows for random audits; it mandates them.
Anyone who is found guilty of patient privacy negligence under the new HIPAA, HITECH and Omnibus rules will not only pay fines but may also be prosecuted for criminal behavior. It is possible that in some cases, individuals who failed in their responsibility to protect private patient information could face up to 10 years of imprisonment in addition to civil and criminal fines.
Your Responsibility as a Healthcare Provider
There is no question that the governing authorities and HIPAA encourage healthcare providers to be very cautious when using email in their practices. There is also no question that the law is clear about the astronomical fines and penalties that could befall you and your practice should you be found guilty of breaching the privacy of your patients. However, that is where the clarity ends. Unfortunately, lawmakers were quite vague about how the guidelines within the law are to be carried out, meaning it is up to you, the healthcare provider, to interpret and apply the regulations to your practice.
Using Best Practices to Further Prevent HIPAA Violations
In addition to implementing the appropriate security protocols, there are additional ways you can help prevent electronic HIPAA violations within your practice. For example, put a system in place that requires patients to confirm their email address before it is used to transmit protected information. Also, avoid including information within an email that directly identifies the patient. This includes the patient’s name, street address, Social Security number, date of birth, picture, health insurance information and account numbers.
It is also important that patients feel they have access to the same information through alternative means of communication as they would have via email. Even after you have taken steps to secure your email transmissions, some patients will not feel comfortable with electronic data transfer. Ultimately, the patient should be well-informed and completely accept the means by which you communicate.
Finally, only work with an email provider who understands the complex requirements for ePHI protections under the HITECH Act and Final Omnibus Rule. Your email provider will be your greatest partner in ensuring your legal compliance and protecting your practice against civil and criminal penalties.