EmailDiscussions.com

Thread: Regular email is NOT prohibited by HIPAA healthcare regulation. (http://www.emaildiscussions.com/showthread.php?t=74378), in The Technical Zone (http://www.emaildiscussions.com/forumdisplay.php?f=15)

elvey 6 May 2019 05:57 AM

Regular email is NOT prohibited by HIPAA healthcare regulation.
 
I'm writing to spread awareness that HIPAA-regulated entities ARE allowed to send PHI via regular mail:
https://www.hhs.gov/hipaa/for-profes...x.html states:
"... the Privacy Rule does not prohibit the use of unencrypted e-mail ... Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b)."

So regular email is generally appropriate if a patient requests it or if, because of safeguards that have been applied, such as the ones that this thread shows have been applied, normal email between identified parties is encrypted already.

Some of those HIPAA-compliant systems are much worse than others, so this can be valuable info.

(This is a repost from my last post to this fastmail thread I started: http://www.emaildiscussions.com/show...044#post610044)

It's worth reading the whole FAQ entry I linked to.

:D

kangas 6 May 2019 09:14 AM

Yes. This is absolutely true and is referred to as "Mutual Consent". As you note, there are some strict guidelines around when you can send ePHI over unsecured channels (like email or SMS):

* You have to properly communicate the risks to the patient.
* There needs to be a secure alternative that the patient can choose (i.e., because it is not expensive or difficult to provide a secure alternative, there is arguably a very strong requirement to do so).
* The patient needs to agree in writing that she/he accepts the risk and that unsecured communication is OK.
* You need to record (the above) so that you have it on hand in case of an audit or breach.

For more details, see:

https://luxsci.com/blog/can-i-really...der-hipaa.html

elvey 8 May 2019 03:21 AM

Quote:

Originally Posted by kangas (Post 610051)
Yes. This is absolutely true and is referred to as "Mutual Consent". As you note, there are some strict guidelines around when you can send ePHI over unsecured channels (like email or SMS):

* You have to properly communicate the risks to the patient.
* There needs to be a secure alternative that the patient can choose (i.e., because it is not expensive or difficult to provide a secure alternative, there is arguably a very strong requirement to do so).
* The patient needs to agree in writing that she/he accepts the risk and that unsecured communication is OK.
* You need to record (the above) so that you have it on hand in case of an audit or breach.

For more details, see:

https://luxsci.com/blog/can-i-really...der-hipaa.html

Good blog page! Kudos for the mention of forced TLS! I note that your blog page claims the existence of a:
Quote:

requirement for a systematic, documented procedure for warning the individual, having a waiver signed, and documenting this process
Based on the HHS page that I cited, these claims are overstated. I would strongly recommend compliance with what you represent as requirements, but the HHS is obviously a more authoritative source than you or your employer's marketing material, and it repeatedly uses the word SHOULD on the page I cited. On the other hand, 45 C.F.R. § 164 (plus the preamble to the HIPAA Omnibus Final Rule and official responses to comments) are higher authorities than both, and I have not done a comparison/examined these higher authorities.

And on the first hand, what motivated me to start this thread was providers insisting that, even when a patient requested a particular kind of communication (say, regular email, iMessage, or SMS, which the provider already used for communication of info w/o sensitive ePHI) even if ePHI was included, the web-based secure email system was the only communication option.

PS: Typo on blog: "Then message"

kangas 8 May 2019 03:35 AM

Thanks!

Of course you are right. HHS says "SHOULD" and not "MUST". However, as with most everything, it's all gray and ambiguous. I.e., if you decide to not do a "SHOULD," you can. But you must justify that decision and it must be reasonable in the context. If there is an easy way to meet the "SHOULD" ... it is harder to legitimately justify not doing it. Hence, our advice is always to err on the side of what is requested and makes sense as much as possible, especially when there is a low barrier to doing so.

All that said ... it is absolutely true that a narrow-minded focus on using 1 system for everything is not a requirement of HIPAA, though it could be a legitimate business choice for a company wanting to reduce risk.

I do not think HIPAA requires an organization to grant Mutual Consent requests for insecure data delivery, especially if you have a secure system in place that is compatible with the requestor (i.e., the request may no longer be considered "reasonable"). But again .. this is swimming in a sea of "gray water on a cloudy day."

Good topic -- I am glad you are bringing awareness to more people.

elvey 19 May 2019 03:21 AM

I get you. Appreciate the clarification.

From memory: I have used under ten of these HIPAA security email systems and I think a couple of them were incompatible with my system. And a couple were so bad/hard to use that it took a long time, even for this techie 👨*💻 to realize that they were at some level “compatible”.

elvey 19 May 2019 03:22 AM

LOL! It’s funny how the forum software converted the emoji I used into two emoji separated by an asterisk.

SideshowBob 20 May 2019 09:09 PM

Quote:

Originally Posted by elvey (Post 610187)
LOL! It’s funny how the forum software converted the emoji I used into two emoji separated by an asterisk.

That's because in Unicode some emojis don't have their own code points and are two emojis separated by a zero-width joiner.
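The following is an added example, not part of any post in this thread, to make the "👨*💻" effect concrete. It decomposes the "man technologist" emoji into its code points, shows that the invisible U+200D ZERO WIDTH JOINER sits between the two visible components, and reproduces the forum's output under the assumption (mine, not stated in the thread) that the board simply replaced the joiner with an asterisk. The rainbow flag sample is included to show that a sequence can also carry U+FE0F VARIATION SELECTOR-16 alongside the joiner. Both samples are constructed inline from escapes.

```python
import unicodedata

ZWJ = "\u200d"   # ZERO WIDTH JOINER: glues component emoji into one glyph
VS16 = "\ufe0f"  # VARIATION SELECTOR-16: asks for emoji (not text) presentation

# Constructed samples, written as escapes so this file stays plain ASCII.
MAN_TECHNOLOGIST = "\U0001F468" + ZWJ + "\U0001F4BB"    # MAN + ZWJ + PERSONAL COMPUTER
RAINBOW_FLAG = "\U0001F3F3" + VS16 + ZWJ + "\U0001F308"  # WAVING WHITE FLAG + VS16 + ZWJ + RAINBOW


def codepoints(s: str) -> list[str]:
    """Code points of s in U+XXXX notation, one per Python character."""
    return [f"U+{ord(ch):04X}" for ch in s]


def describe(s: str) -> list[tuple[str, str]]:
    """(code point, Unicode character name) for each character, so invisible
    joiners and selectors become visible in a dump."""
    return [(f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")) for ch in s]


def is_zwj_sequence(s: str) -> bool:
    """True if s looks like one well-formed ZWJ sequence: at least one joiner,
    never leading, trailing or doubled (those would be stray joiners)."""
    return ZWJ in s and not (s.startswith(ZWJ) or s.endswith(ZWJ) or ZWJ + ZWJ in s)


def components(s: str) -> list[str]:
    """The visible component emoji of a ZWJ sequence, with joiners and
    variation selectors removed. A single code point comes back as [s]."""
    parts = (p.replace(VS16, "") for p in s.split(ZWJ))
    return [p for p in parts if p]


def mangle_like_forum(s: str, replacement: str = "*") -> str:
    """Assumed model of what the forum did: a filter that does not accept
    U+200D replaces each joiner with a visible character, so the one glyph
    renders as its components with '*' between them."""
    return s.replace(ZWJ, replacement)


if __name__ == "__main__":
    for label, sample in (("man technologist", MAN_TECHNOLOGIST), ("rainbow flag", RAINBOW_FLAG)):
        print(f"{label}: {len(sample)} code points, ZWJ sequence = {is_zwj_sequence(sample)}")
        for cp, name in describe(sample):
            print("   ", cp, name)
        print("    components  :", components(sample))
        print("    after filter:", mangle_like_forum(sample))
```

Running it shows that what renders as a single emoji is three (or four) code points long, and that stripping or replacing the joiner is enough to make it fall apart into its components, which is exactly the two-emoji-plus-asterisk rendering seen above.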




Copyright EmailDiscussions.com 1998-2013. All Rights Reserved. Privacy Policy