Posted In: Health Care
By Laura F. Fryan on June 18, 2019
The regulations and guidance on sending Protected Health Information (PHI) by mail or electronically can be confusing as to which items are requirements and which are merely best practices. To make matters worse, a lot of information about this topic is wrong or incorrectly interprets the regulations. So let’s clear this up once and for all (…at least until new guidance or regulations are published!). Read on for the requirements and the best practices for sending a patient’s PHI electronically, and stay tuned for the second part of this article about mailing PHI.
In 2012, Phoenix Cardiac Surgery entered into a settlement with the Department of Health and Human Services Office of Civil Rights (OCR) after an extensive investigation into its practices for handling electronic PHI. You can read about it here, but the main takeaways from this case illustrate the requirements and best practices for handling electronic PHI:
1. Make sure your email system is HIPAA compliant. OCR specifically cited Phoenix Cardiac Surgery for failure to obtain business associate agreements in conjunction with the practice’s use of internet-based public email accounts. Free internet-based email services, such as Gmail and Yahoo, are not automatically compliant with HIPAA, and PHI should not be sent through these types of systems. Instead, use a HIPAA compliant email system that uses secure mail servers and allows for encryption when needed. If your practice or providers need to use internet-based public email accounts, at least ensure that you have a business associate agreement in place with the email provider.
2. Let your patient know the risks associated with using an internet-based public email account. Your patient may use their free internet-based email account to receive PHI. Just make sure your patient is aware that their system is not secure, and be sure to document their approval before sending any PHI to the patient. The Omnibus Rule in 2013 recognized that most patients would be using internet-based email accounts:
We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email… If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.
So email is a perfectly acceptable method for communicating with your patients. However, the best way to communicate with patients is via a secure internet portal of the kind many practices and hospitals utilize today, so consider directing all communication through a secure portal if one is available. Also implement a policy that guides your providers on the use of other communication methods with patients, such as text messaging.
PHI can be sent electronically, as long as your practice has the safeguards in place required by HIPAA. Start today by thinking about how the OCR would audit your practice’s methods of sending PHI electronically, and determine if there are any weaknesses in your current procedures. A good offense is the best defense!
Contact the Health Care Practice Group at Brouse McDowell if you have any questions or want to learn more. Click here to read past issues of Compliance Checkup.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for, legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney-client relationship is created or implied by this Blog. © 2019 Brouse McDowell. All rights reserved.