EmailDiscussions.com  


View Poll Results: Surprised?
Yes 1 25.00%
No 3 75.00%
Multiple Choice Poll. Voters: 4.

Old 6 May 2019, 05:57 AM   #1
elvey
The "e" in e-mail
 
Join Date: Jan 2002
Location: San Francisco
Posts: 2,422
Regular email is NOT prohibited by HIPAA healthcare regulation.

I'm writing to spread awareness that HIPAA-regulated entities ARE allowed to send PHI via regular mail:
https://www.hhs.gov/hipaa/for-profes...x.html states:
"...the Privacy Rule does not prohibit the use of unencrypted e-mail ... Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b)."

So regular email is generally appropriate if a patient requests it or if, because of safeguards that have been applied, such as the ones that this thread shows have been applied, normal email between identified parties is encrypted already.

Some of those HIPAA-compliant systems are much worse than others, so this can be valuable info.

(This is a repost from my last post to this fastmail thread I started: http://www.emaildiscussions.com/show...044#post610044)

It's worth reading the whole FAQ entry I linked to.


Old 6 May 2019, 09:14 AM   #2
kangas
Member
 
Join Date: Feb 2004
Posts: 81

Representative of:
LuxSci.com
Yes. This is absolutely true and is referred to as "Mutual Consent". As you note, there are some strict guidelines around when you can send ePHI over unsecured channels (like email or SMS):

* You have to properly communicate the risks to the patient.
* There needs to be a secure alternative that the patient can choose (i.e., because it is not expensive or difficult to provide a secure alternative, there is arguably a very strong requirement to do so).
* The patient needs to agree in writing that she/he accepts the risk and that unsecured communication is OK.
* You need to record (the above) so that you have it on hand in case of an audit or breach.

For more details, see:

https://luxsci.com/blog/can-i-really...der-hipaa.html
Old 8 May 2019, 03:21 AM   #3
elvey
The "e" in e-mail
 
Join Date: Jan 2002
Location: San Francisco
Posts: 2,422
Quote:
Originally Posted by kangas View Post
Yes. This is absolutely true and is referred to as "Mutual Consent". As you note, there are some strict guidelines around when you can send ePHI over unsecured channels (like email or SMS):

* You have to properly communicate the risks to the patient.
* There needs to be a secure alternative that the patient can choose (i.e., because it is not expensive or difficult to provide a secure alternative, there is arguably a very strong requirement to do so).
* The patient needs to agree in writing that she/he accepts the risk and that unsecured communication is OK.
* You need to record (the above) so that you have it on hand in case of an audit or breach.

For more details, see:

https://luxsci.com/blog/can-i-really...der-hipaa.html
Good blog page! Kudos for the mention of forced TLS! I note that your blog page claims the existence of a:
Quote:
requirement for a systematic, documented procedure for warning the individual, having a waiver signed, and documenting this process
Based on the HHS page that I cited, these claims are overstated. I would strongly recommend compliance with what you represent as requirements, but the HHS is obviously a more authoritative source than you or your employer's marketing material, and it repeatedly uses the word SHOULD on the page I cited. On the other hand, 45 C.F.R. § 164 (plus the preamble to the HIPAA Omnibus Final Rule and official responses to comments) are higher authorities than both, and I have not done a comparison/examined these higher authorities.

And on the first hand, what motivated me to start this thread was providers insisting that even when a patient requested a particular kind of communication even if ePHI was included (say, regular email or iMessage, or SMS, that the provider used for communication of info w/o sensitive ePHI), the web-based secure email system was the only communication option.

PS: Typo on blog: "Then message"
Old 8 May 2019, 03:35 AM   #4
kangas
Member
 
Join Date: Feb 2004
Posts: 81

Representative of:
LuxSci.com
Thanks!

Of course you are right. HHS says "SHOULD" and not "MUST". However, as with most everything, it's all gray and ambiguous. I.e., if you decide to not do a "SHOULD," you can. But you must justify that decision and it must be reasonable in the context. If there is an easy way to meet the "SHOULD" ... it is harder to legitimately justify not doing it. Hence, our advice is always to err on the side of what is requested and makes sense as much as possible, especially when there is a low barrier to doing so.

All that said ... it is absolutely true that a narrow-minded focus on using 1 system for everything is not a requirement of HIPAA, though it could be a legitimate business choice for a company wanting to reduce risk.

I do not think HIPAA requires an organization to grant Mutual Consent requests for insecure data delivery, especially if you have a secure system in place that is compatible with the requestor (i.e., the request may no longer be considered "reasonable"). But again .. this is swimming in a sea of "gray water on a cloudy day."

Good topic -- I am glad you are bringing awareness to more people.
Old 19 May 2019, 03:21 AM   #5
elvey
The "e" in e-mail
 
Join Date: Jan 2002
Location: San Francisco
Posts: 2,422
I get you. Appreciate the clarification.

From memory: I have used under ten of these HIPAA security email systems and I think a couple of them were incompatible with my system. And a couple were so bad/hard to use that it took a long time, even for this techie 👨*💻 to realize that they were at some level “compatible”.
Old 19 May 2019, 03:22 AM   #6
elvey
The "e" in e-mail
 
Join Date: Jan 2002
Location: San Francisco
Posts: 2,422
LOL! It’s funny how the forum software converted the emoji I used into two emoji separated by an asterisk.
Old 20 May 2019, 09:09 PM   #7
SideshowBob
Member
 
Join Date: Jan 2017
Posts: 79
Quote:
Originally Posted by elvey View Post
LOL! It’s funny how the forum software converted the emoji I used into two emoji separated by an asterisk.
That's because in Unicode some emojis don't have their own code points and are two emojis separated by a zero-width joiner.


All times are GMT +9.