Is your email HIPAA Safe?
Is your email HIPAA Safe?
Electronic Communications: Part 1
Many administrators have asked us about electronic communications, more specifically about third party email providers such as Gmail, Yahoo! Mail, Hotmail, and others. This is part one of a two part article series.
Recently a practice manager asked us: What does HIPAA say with about practices that use services like Gmail, Yahoo Mail, and Hotmail as their email provider with regard to PHI being transferred via email? Even if the client gives authorized consent or if it is for TPO purposes, what about PHI that could potentially be sitting on Gmails servers indefinitely? What is required if an email is sent to the wrong recipient?
Encrypted and Unencrypted Electronic Communications
The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail with their patients, provided they apply reasonable safeguards when doing so.
Encrypted email is considered safe and provides adequate protection of health information being sent and received electronically. Encrypted email has several benefits such as hiding the content from an eavesdropper, the use of a digital signature mechanism and the use of a secret private key to decrypt messages. Encryption is preferred when communicating electronically.
Encrypted email is a safe option, but not the only option. Law permits physicians to send PHI through unsecure email. In other words, there is not a law prohibiting the use of unsecure electronic communication.
According to the HIPAA Omnibus Final Rule, covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individuals request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.
Third Party Email Providers
If a patient requests for you to send them information to their Gmail, Yahoo! Mail, Hotmail or other third part email account, it is important to inform them there is a potential risk their information could be accessed or viewed by unintended eyes. Let them know it is potentially unsafe. As long as they are notified, it is considered to be HIPAA compliant.
Third party providers like Microsoft (e.g. Office 365) and Google (e.g. Gmail) offer HIPAA compliance solutions ranging from encrypted messages to signing a Business Associate Agreement (BAA) if you intend on using services, such as apps, in connection with protected health information. These business associates are required to sign an agreement that states they will protect a patients confidential information.
As of September 2013 the three apps Googles BAA agreement covers are Gmail, Calendar and Drive, in addition to Google Apps Vault, the service responsible for archiving user data from the three apps.
An administrator can electronically sign a BAA once they answer three questions from the Google APPs website:
Are you a Covered Entity, or Business Associate of a Covered Entity, under HIPAA?
- Will you be using Google Apps in connection with PHI?
- Are you authorized to request and agree to a Business Associate Agreement with Google for your Google Apps domain?
It is important to note the BAA does not cover Google+ and other Google services, or third party Marketplace Apps.
Microsoft Office 365 is a cloud based solution for email, instant messaging, calendaring, and data storage. Microsoft will sign a BAA with a covered entity that used Microsoft Office 365.
Once the agreement is reviewed and the terms are accepted, you can get a signed copy of the Office 365 and CRM Online HIPAA/HITECH Act BAA.
Google Apps (Gmail, Calendar and Drive) and Microsoft Office 365 are two reasonable and affordable HIPAA compliant third party email providers. Customers using the services are responsible for determining if they are subject to HIPAA requirements, and if they intend to use the services in connection with PHI.
Electronic communication disclaimer
HIPAA requires for reasonable steps to be taken to protect against risks of electronic communication such as an email or fax being sent to the wrong person, or being captured electronically in route. It is essential to include a disclaimer notifying the recipient of the insecurity of email or facsimile, and providing a contact the recipient can report a misdirected message to.
Below is an example of an email disclaimer:
The information contained in this transmission may contain privileged and confidential information, including patient information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
In conclusion, encrypted email is safe and provides adequate protection of health information. Encryption is the preferred and recommended option. Covered entities are allowed to send individuals unencrypted email as long as the individual is aware of the risks and they still prefer unencrypted email. There are affordable and reasonable HIPAA compliant options including Microsoft Office 365 and Google Apps. HIPAA does require reasonable steps to be taken to protect against risk of electronic communication. A disclaimer (e.g. email disclaimer) is essential, especially when transmitting health information.
Part two of the article series will address what to do if electronic communications were sent to the wrong recipient, including how to determine whether or not protected health information (PHI) has been compromised, requiring breach notification. Part two will be published next week.