Regular email is NOT prohibited by HIPAA healthcare regulation.

elvey · 6 May 2019, 05:57 AM

I'm writing to spread awareness that HIPAA - regulated entities ARE allowed to send PHI via regular mail:
https://www.hhs.gov/hipaa/for-profes...x.html*states:
"...*the Privacy Rule does not prohibit the use of unencrypted e-mail ...**Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b).*"

So regular email is generally appropriate if a patient requests it or if, because of safeguards that have been applied, such as the ones that this thread shows have been applied, normal email between identified parties is encrypted already.

Some of those HIPAA-compliant systems are much worse than others, so this can be valuable info.

(This is a repost from my last post to this fastmail thread I started: http://www.emaildiscussions.com/show...044#post610044)

It's worth reading the whole FAQ entry I linked to.

kangas · 6 May 2019, 09:14 AM

Yes. This is absolutely true and is referred to as "Mutual Consent". As you note, there are some strict guidelines around when you can send ePHI over unsecured channels (like email or SMS):

* You have to properly communicate the risks to the patient.
* There needs to be a secure alternative that the patient can choose (i.e., because it is not expensive or difficult to provide a secure alternative, there is arguable a very strong requirement to do so).
* The patient needs to agree in writing that she/he accepts the risk and that unsecured communication is Ok
* You need to record (the above) so that you have it on hand in case of an audit or breach.

For more details, see:

https://luxsci.com/blog/can-i-really...der-hipaa.html

elvey · 8 May 2019, 03:21 AM

Quote:

Originally Posted by kangas

Yes. This is absolutely true and is referred to as "Mutual Consent". As you note, there are some strict guidelines around when you can send ePHI over unsecured channels (like email or SMS):

* You have to properly communicate the risks to the patient.
* There needs to be a secure alternative that the patient can choose (i.e., because it is not expensive or difficult to provide a secure alternative, there is arguable a very strong requirement to do so).
* The patient needs to agree in writing that she/he accepts the risk and that unsecured communication is Ok
* You need to record (the above) so that you have it on hand in case of an audit or breach.

For more details, see:

https://luxsci.com/blog/can-i-really...der-hipaa.html

Good blog page! Kudos for the mention of forced TLS! I note that your blog page claims the existence of a:

Quote:

requirement for a systematic, documented procedure for warning the individual, having a waiver signed, and documenting this process

Based on the HHS page that I cited, these claims are overstated. I would strongly recommend compliance with what you represent as requirements, but the HHS is obviously a more authoritative source than you or your employers marketing material, and is repeatedly uses the word SHOULD on the page I cited. On the other hand, 45 C.F.R. § 164 (plus the preamble to the HIPAA Omnibus Final Rule and official responses to comments) are higher authorities than both, and I have not done a comparison/examined these higher authorities.

And on the first hand, what motivated me to start this thread was providers insisting that even when a patient requested a particular kind of communication even if ePHI was included (say, regular email or iMessage, or SMS, that the provider used for communication of info w/o sensitive ePHI), the web-based secure email system was the only communication option.

PS: Typo on blog: "Then message"

kangas · 8 May 2019, 03:35 AM

Thanks!

Of course you are right. HHS says "SHOULD" and not "MUST". However, as with most everything its all gray and ambiguous. I.e., if you decide to not do a "SHOULD," you can. But you must justify that decision and it must be reasonable in the context. If there is an easy way to meet the "SHOULD" ... it is harder to legitimately justify not doing it. Hence, our advise is always to error on the side of what is requested and makes sense as much as possible, especially when there is a low barrier to doing so.

All that said ... it is absolutely true that a narrow-minded focus on using 1 system for everything is not a requirement of HIPAA, thought it could be a legitimate business choice for a company wanting to reduce risk.

I do not think HIPAA requires an organization to grant Mutual Consent requests for insecure data delivery, especially if you have a secure system in place that is compatible with the requestor (i.e., the request may no longer be considered "reasonable"). But again .. this is swimming in a sea of "gray water on a cloudy day."

Good topic -- I am glad you are bringing awareness to more people.

elvey · 19 May 2019, 03:21 AM

I get you. Appreciate the clarification.

From memory: I have used under ten of these HIPAA security email systems and I think a couple of them were incompatible with my system. And a couple were so bad/hard to use that it took a long time, even for this techie 👨*💻 to realize that they were at some level “compatible”.

elvey · 19 May 2019, 03:22 AM

LOL! It’s funny how the forum software converted the emoji I used into two emoji separated by an Asterix.

SideshowBob · 20 May 2019, 09:09 PM

Quote:

Originally Posted by elvey

LOL! It’s funny how the forum software converted the emoji I used into two emoji separated by an Asterix.

That's because in unicode some emojis don't have their own code points and are two emojis separated by a zero-width joiner.

dojyx · 3 Jan 2025, 03:22 PM

FYI

Quote:

Most people think that HIPAA means that their medical records are kept private. But what if I told you that HIPAA doesn?t protect your privacy at all?

This is our first video in a series about medical privacy, specifically looking at legislation that stripped individuals of the right to consent to medical data sharing.

We focus on what HIPAA actually is, how it came to allow our data to be shared without us even knowing, how we?ve been tricked into thinking we have privacy, and steps we can take to reclaim control of our medical data.

You Have No Medical Privacy

View Poll Results: Surprised?
Yes	1	20.00%
No	4	80.00%
Multiple Choice Poll. Voters: 5. You may not vote on this poll

6 May 2019, 05:57 AM	#1
elvey The "e" in e-mail Join Date: Jan 2002 Location: San Francisco Posts: 2,458	Regular email is NOT prohibited by HIPAA healthcare regulation. I'm writing to spread awareness that HIPAA - regulated entities ARE allowed to send PHI via regular mail: https://www.hhs.gov/hipaa/for-profes...x.htmlstates: "...the Privacy Rule does not prohibit the use of unencrypted e-mail ...*Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b)." So regular email is generally appropriate if a patient requests it or if, because of safeguards that have been applied, such as the ones that this thread shows have been applied, normal email between identified parties is encrypted already. Some of those HIPAA-compliant systems are much worse than others, so this can be valuable info. (This is a repost from my last post to this fastmail thread I started: http://www.emaildiscussions.com/show...044#post610044) It's worth reading the whole FAQ entry I linked to.

6 May 2019, 09:14 AM	#2
kangas Member Join Date: Feb 2004 Posts: 81 Representative of: LuxSci.com	Yes. This is absolutely true and is referred to as "Mutual Consent". As you note, there are some strict guidelines around when you can send ePHI over unsecured channels (like email or SMS): * You have to properly communicate the risks to the patient. * There needs to be a secure alternative that the patient can choose (i.e., because it is not expensive or difficult to provide a secure alternative, there is arguable a very strong requirement to do so). * The patient needs to agree in writing that she/he accepts the risk and that unsecured communication is Ok * You need to record (the above) so that you have it on hand in case of an audit or breach. For more details, see: https://luxsci.com/blog/can-i-really...der-hipaa.html

8 May 2019, 03:35 AM	#4
kangas Member Join Date: Feb 2004 Posts: 81 Representative of: LuxSci.com	Thanks! Of course you are right. HHS says "SHOULD" and not "MUST". However, as with most everything its all gray and ambiguous. I.e., if you decide to not do a "SHOULD," you can. But you must justify that decision and it must be reasonable in the context. If there is an easy way to meet the "SHOULD" ... it is harder to legitimately justify not doing it. Hence, our advise is always to error on the side of what is requested and makes sense as much as possible, especially when there is a low barrier to doing so. All that said ... it is absolutely true that a narrow-minded focus on using 1 system for everything is not a requirement of HIPAA, thought it could be a legitimate business choice for a company wanting to reduce risk. I do not think HIPAA requires an organization to grant Mutual Consent requests for insecure data delivery, especially if you have a secure system in place that is compatible with the requestor (i.e., the request may no longer be considered "reasonable"). But again .. this is swimming in a sea of "gray water on a cloudy day." Good topic -- I am glad you are bringing awareness to more people.

19 May 2019, 03:21 AM	#5
elvey The "e" in e-mail Join Date: Jan 2002 Location: San Francisco Posts: 2,458	I get you. Appreciate the clarification. From memory: I have used under ten of these HIPAA security email systems and I think a couple of them were incompatible with my system. And a couple were so bad/hard to use that it took a long time, even for this techie 👨*💻 to realize that they were at some level “compatible”.

19 May 2019, 03:22 AM	#6
elvey The "e" in e-mail Join Date: Jan 2002 Location: San Francisco Posts: 2,458	LOL! It’s funny how the forum software converted the emoji I used into two emoji separated by an Asterix.