View Single Post
Old 8 May 2019, 02:21 AM   #3
The "e" in e-mail
Join Date: Jan 2002
Location: San Francisco
Posts: 2,429
Originally Posted by kangas View Post
Yes. This is absolutely true and is referred to as "Mutual Consent". As you note, there are some strict guidelines around when you can send ePHI over unsecured channels (like email or SMS):

* You have to properly communicate the risks to the patient.
* There needs to be a secure alternative that the patient can choose (i.e., because it is not expensive or difficult to provide a secure alternative, there is arguable a very strong requirement to do so).
* The patient needs to agree in writing that she/he accepts the risk and that unsecured communication is Ok
* You need to record (the above) so that you have it on hand in case of an audit or breach.

For more details, see:
Good blog page! Kudos for the mention of forced TLS! I note that your blog page claims the existence of a:
requirement for a systematic, documented procedure for warning the individual, having a waiver signed, and documenting this process
Based on the HHS page that I cited, these claims are overstated. I would strongly recommend compliance with what you represent as requirements, but the HHS is obviously a more authoritative source than you or your employers marketing material, and is repeatedly uses the word SHOULD on the page I cited. On the other hand, 45 C.F.R. 164 (plus the preamble to the HIPAA Omnibus Final Rule and official responses to comments) are higher authorities than both, and I have not done a comparison/examined these higher authorities.

And on the first hand, what motivated me to start this thread was providers insisting that even when a patient requested a particular kind of communication even if ePHI was included (say, regular email or iMessage, or SMS, that the provider used for communication of info w/o sensitive ePHI), the web-based secure email system was the only communication option.

PS: Typo on blog: "Then message"
elvey is offline   Reply With Quote