HIPAA and Email: A Compliance Nightmare?

This is a post that was originally prepared for and posted on HITECH Answers.  I am regularly contributing articles to HITECH Answers and recommend checking out materials authored by the other contributors to the site.  There is a lot of good material available that is both timely and well thought out.

My post originally from HITECH Answers follows:

In the world of HIPAA, concerns of privacy and security are of paramount importance.  Privacy focuses upon how protected health information (“PHI”) may be used or disclosed.  Security focuses upon the protections and safety measures implemented to protect the privacy of PHI.  One of the biggest risks posed to both the privacy and security of PHI is email.  The use of email is commonplace and widespread in both business and everyday life.  However, consideration must be given to when and how PHI may be transmitted via email.

Generally, email transmits information in an electronic and unprotected form.  The sender types a message, enters a recipient’s address, and hits send.  Once the message is sent, it is communicated over the internet in an unencrypted fashion.  If the email were unintentionally sent to the incorrect recipient or intercepted by any other person, the unintended recipient or intervening party would likely be able to read the message.  If that were to occur, it would probably be considered a breach of the HIPAA requirements.

In light of the risk posed by email, a threshold question should be asked: does the PHI even need to be sent by email?  If the answer is no, then an entity may avoid the headaches of determining whether its email system complies with HIPAA, though it should still consider security measures for the alternative method used.  For instance, a telephone call may be sufficient in certain circumstances and offers the opportunity to avoid sending PHI by email.  Another question to ask is whether it is even necessary to include PHI in the email.  Can the email be drafted in a way that does not include the hallmarks of what constitutes PHI?  If PHI does need to be included in the email, can the amount be limited?  Always remember that the minimum necessary requirement should guide the extent of disclosure of PHI.

In the event that email will be used, the HIPAA Security Rule sets forth certain technical safeguards to ensure the protection of PHI.  From this perspective, the Security Rule contains the minimum necessary requirements to ensure proper security.  It is important to remember that the Security Rule calls for reasonable protections.  Accordingly, compliance is not a one-size-fits-all approach.  Instead, each organization needs to consider its own operations and vulnerabilities and then craft its security policies to fit its needs.

The Breach Notification Rule, another part of the HIPAA regulatory scheme, provides a major carrot for encryption because notification in the event of a breach is only specifically required for unsecured PHI.  If electronic PHI is encrypted, then it is considered secured and any unpermitted use or disclosure will not necessarily result in the full scope of the breach notification rule coming into play.

Given the confluence of the Security Rule and Breach Notification Rule, as a first step any email containing PHI should likely be sent in an encrypted manner.  This could mean, among other things, using a service that allows for the transmittal of secured emails or some other ability to encrypt the actual email being sent.

However, the simple message of “encrypt your emails” is not the end of the story.  Encryption may not always be possible, or arguably even required.  As indicated above, the Security Rule adopts a flexible approach, combining required and addressable components.  Depending upon the size and sophistication of the entity, encryption potentially may not be a viable option.  I would not put much stock in this argument going forward, though, given the prevalent discussion of this issue and the increasing number of options for “HIPAA compliant” messaging.  An entity may also consider the level of risk involved in sending the PHI to a particular destination.  If a good faith argument can be made that the level of risk is low, then maybe that is a factor in favor of not needing encryption.  One good tip would be to always verify the address of the individual and/or entity to which the PHI is being sent.  All of us have been guilty of sending a message to the wrong person at one time or another, but if that mistake can be limited to instances where PHI is not transmitted, then HIPAA will not need to be considered.

One important exception to security must be brought into focus.  Under HIPAA, individuals are entitled to request how they want to receive their own information.  For example, if an individual requests a copy of their PHI and the PHI is maintained in an electronic form, the copy is also to be provided in electronic form.  Further, when the electronic version is sent, it is to be sent in the manner specifically requested by the individual.  This means that an individual can ask for the PHI to be sent via email in any manner desired by the individual.  For example, if I wanted to receive my PHI from my physician, I could request that the information be sent to my Gmail account.  Generally, Gmail is not encrypted and as such would not be a secure means of receiving the information.  However, the physician I contact must follow my instructions.  As such, in this instance, the PHI may be sent in an unsecured manner.

Even though an individual is entitled to request how their PHI is sent to them, it would still be advisable for the entity subject to HIPAA’s requirements to advise the recipient of the dangers and to fully document the individual’s specific request in its records to avoid potential issues down the road.  Remember, the individual may not recall the specifics of their request, and it may be easy to point the finger later.  Contemporaneous documentation, therefore, can take on a lot of importance.

As this brief discussion demonstrates, nothing is ever simple or black and white when it comes to HIPAA.  Do not assume that HIPAA will prevent certain actions.  Consider the request or question, review the policies and procedures that are in place, and if necessary go back to the regulations or available guidance.  A detailed understanding of the regulations is necessary for an entity to remain in compliance and keep everyone that it interacts with happy.

About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.