Regular email is NOT prohibited by HIPAA healthcare regulation.
I'm writing to spread awareness that HIPAA-regulated entities ARE allowed to send PHI via regular mail:
https://www.hhs.gov/hipaa/for-profes...x.html states: "... the Privacy Rule does not prohibit the use of unencrypted e-mail ... Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b)." So regular email is generally appropriate if a patient requests it or if, because of safeguards that have been applied, such as the ones that this thread shows have been applied, normal email between identified parties is encrypted already. Some of those HIPAA-compliant systems are much worse than others, so this can be valuable info. (This is a repost from my last post to this Fastmail thread I started: http://www.emaildiscussions.com/show...044#post610044) It's worth reading the whole FAQ entry I linked to. :D
Yes. This is absolutely true and is referred to as "Mutual Consent". As you note, there are some strict guidelines around when you can send ePHI over unsecured channels (like email or SMS):
* You have to properly communicate the risks to the patient.
* There needs to be a secure alternative that the patient can choose (i.e., because it is not expensive or difficult to provide a secure alternative, there is arguably a very strong requirement to do so).
* The patient needs to agree in writing that she/he accepts the risk and that unsecured communication is OK.
* You need to record (the above) so that you have it on hand in case of an audit or breach.
For more details, see: https://luxsci.com/blog/can-i-really...der-hipaa.html
And on the first hand, what motivated me to start this thread was providers insisting that, even when a patient requested a particular kind of communication, even if ePHI was included (say, regular email, iMessage, or SMS that the provider already used for communicating info without sensitive ePHI), the web-based secure email system was the only communication option. PS: Typo on blog: "Then message"
Thanks!
Of course you are right. HHS says "SHOULD" and not "MUST". However, as with most everything, it's all gray and ambiguous. I.e., if you decide to not do a "SHOULD," you can. But you must justify that decision and it must be reasonable in the context. If there is an easy way to meet the "SHOULD" ... it is harder to legitimately justify not doing it. Hence, our advice is always to err on the side of what is requested and makes sense as much as possible, especially when there is a low barrier to doing so. All that said ... it is absolutely true that a narrow-minded focus on using 1 system for everything is not a requirement of HIPAA, though it could be a legitimate business choice for a company wanting to reduce risk. I do not think HIPAA requires an organization to grant Mutual Consent requests for insecure data delivery, especially if you have a secure system in place that is compatible with the requestor (i.e., the request may no longer be considered "reasonable"). But again ... this is swimming in a sea of "gray water on a cloudy day." Good topic -- I am glad you are bringing awareness to more people.
I get you. Appreciate the clarification.
From memory: I have used under ten of these HIPAA security email systems and I think a couple of them were incompatible with my system. And a couple were so bad/hard to use that it took a long time, even for this techie 👨*💻, to realize that they were at some level "compatible".
LOL! It's funny how the forum software converted the emoji I used into two emoji separated by an asterisk.
Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy