Wondering about HIPAA and Emailing your Patients?
Get some of the basics below
From HHS.GOV: Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?
Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.
From Bridge Patient Portal: The Encryption Issue: Do I need to send encrypted emails to my patients?
The word “encryption” is used frequently when discussing ePHI. Any covered entity should be communicating ePHI internally using encryption technology, which usually doesn’t present a problem because intra-organizational communication is quite easy to keep secure. However, if you want to use encrypted emails when communicating with a patient, things get a little bit more complicated.
While a covered entity can encrypt its end of the email transport, it’s difficult to ensure the security of the email once it leaves the organization’s server. In order to have completely encrypted email communication, the patient would need to download or install some sort of program to view encrypted emails. The Privacy Rule recognizes this, however, and grants individuals access to ePHI in the format that they wish, i.e. unencrypted email.
The bottom line is that the patient must request to receive unencrypted emails and be made aware of the risk. See section 45 CFR 164.52 for more details on a patient’s right to access PHI.
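The HHS and Bridge Patient Portal passages above describe three safeguards in words: confirm the recipient's address before any PHI goes out, send unencrypted mail only where the patient has asked for it after being told of the risk, and limit what goes into an unencrypted message. The Python below is an added example of a pre-send gate that enforces those three points; it is constructed for this page and is not code from HHS, Bridge Patient Portal, or any vendor. The record layout (`PatientEmailRecord`), the function names, and the `HIGH_SENSITIVITY_TERMS` list are assumptions; a real office would substitute its own patient records and data-classification rules.

```python
"""Pre-send safeguards for patient e-mail (constructed example, not an official implementation)."""
from dataclasses import dataclass
from typing import List, Optional
import secrets

# Content categories this constructed policy keeps out of UNENCRYPTED bodies.
# Matched on lower-cased text; a real deployment would use the covered
# entity's own data classification, not this illustrative list.
HIGH_SENSITIVITY_TERMS = ("diagnosis", "lab result", "medication", "ssn")


@dataclass
class PatientEmailRecord:
    """What the office has on file for one patient (assumed schema)."""
    patient_id: str
    address: str                           # address the patient gave the office
    confirmed: bool = False                # patient answered the address-confirmation alert
    unencrypted_ok: bool = False           # patient asked for plain e-mail after being told of the risk
    pending_token: Optional[str] = None    # one-time token issued by the confirmation alert


def normalize(address: str) -> str:
    """Compare addresses case-insensitively and ignoring surrounding whitespace."""
    return address.strip().lower()


def start_address_confirmation(rec: PatientEmailRecord) -> str:
    """Issue a one-time token. The office e-mails it to rec.address in a message
    that carries no PHI and asks the patient to echo it back."""
    rec.pending_token = secrets.token_urlsafe(16)
    rec.confirmed = False
    return rec.pending_token


def complete_address_confirmation(rec: PatientEmailRecord, token: str) -> bool:
    """Mark the address confirmed only if the echoed token matches (constant-time compare)."""
    if rec.pending_token is None or not secrets.compare_digest(rec.pending_token, token):
        return False
    rec.confirmed = True
    rec.pending_token = None
    return True


def record_unencrypted_request(rec: PatientEmailRecord) -> None:
    """Record that the patient requested unencrypted e-mail after being informed of the risk."""
    rec.unencrypted_ok = True


def check_outbound(rec: PatientEmailRecord, to_address: str, body: str, encrypted: bool) -> List[str]:
    """Return the reasons this message must NOT be sent; an empty list means it may go."""
    problems: List[str] = []
    if normalize(to_address) != normalize(rec.address):
        problems.append("recipient does not match the address on file")
    if not rec.confirmed:
        problems.append("address has not been confirmed by the patient")
    if not encrypted:
        if not rec.unencrypted_ok:
            problems.append("patient has not requested unencrypted e-mail")
        found = [t for t in HIGH_SENSITIVITY_TERMS if t in body.lower()]
        if found:
            problems.append("unencrypted body contains: " + ", ".join(found))
    return problems


if __name__ == "__main__":
    # Constructed patient record and messages for a stand-alone run.
    rec = PatientEmailRecord("p-0001", "Pat.Example@example.org")
    reminder = "Your visit is Tuesday at 10."
    print(check_outbound(rec, "pat.example@example.org", reminder, encrypted=False))
    token = start_address_confirmation(rec)           # alert goes out, patient echoes token
    complete_address_confirmation(rec, token)
    record_unencrypted_request(rec)
    print(check_outbound(rec, "pat.example@example.org", reminder, encrypted=False))
    print(check_outbound(rec, "pat.example@example.org", "Your lab result is attached.", encrypted=False))
```

The gate is deliberately stateful: the confirmation token and the consent flag live on the patient record, so the decision to send does not depend on whoever is typing the message remembering the rules. Encrypted delivery skips the consent and content checks but still requires a matching, confirmed address, since an accurate recipient is the one safeguard the Privacy Rule text asks for regardless of transport.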
From Adelia Risk: How does Gmail measure up?
In case you don’t know, Gmail is a service used for email by hundreds of millions of people worldwide. Many small businesses use it for email because it’s inexpensive, convenient, and offers some very nice security features. While most people feel secure sending and receiving personal and confidential information via their Gmail accounts, let’s see how Gmail does against our three criteria:
- Strong Security: Google arguably has some of the best security available in a hosted web service. Companies that take advantage of Google’s free two factor authentication have strong assurance that their email accounts aren’t hacked, plus Google offers some nice user logging and other security features that are much stronger than many competitors. Also, third party services (reviewed in another article) are available to add secure email and outbound email scanning which really make Gmail’s security top notch.
- Consent: Since this is something that you’ll need to manage in your own office, this has no bearing on which email provider you choose.
- Business Associate Agreement: As of September 2013, Google has stepped up and will agree to sign a Business Associates Agreement stating that they will “implement physical, technical and administrative safeguards” to hold the information secure. The company states publicly that Gmail is already HIPAA compliant in its security and privacy practices.
So is Gmail HIPAA Compliant?
As of September 2013, the answer is that, yes, Gmail can be used as part of a HIPAA-compliant organization!
However, only the paid version provides the features you need.