Tips for Sending Protected Health Information via Email
by Elizabeth E. Hogue, Esq.
The use of email pervades the healthcare world today. Without thinking, many providers send information all day, every day via email messages. Providers must take extra care, however, with the transmission of protected health information (PHI), as defined by the Health Insurance Portability and Accountability Act (HIPAA).
First, providers should consider alternatives to the disclosure of PHI in email messages, such as:
It may also be unnecessary to refer to patients at all in email messages. If updated orders are received from a physician, for example, a message could be sent alerting staff to receipt of orders from Dr. X for a male patient.
If it is necessary to refer to individual patients, providers should consider referring to patients by the initials of their first and last names, instead of using their full names.
Providers may also wish to implement encryption or secure email messaging in order to protect PHI in emails. If the recipient cannot support the use of encryption or secure messages, however, this option may not be viable.
If providers elect to use encryption, encryption programs must meet standards published by the National Institute of Standards and Technology (NIST). When providers use programs that meet these standards, they may avoid an obligation to report breaches because they fall within a safe harbor or exception to the obligation to report breaches.
It is important to note that unencrypted emails may always be sent to patients who are the subject of the PHI that is sent. Providers should tell patients that there is some risk of disclosure, but providers are not responsible for unauthorized access if patients still wish to receive information via unencrypted message.
Here are additional potential problem areas that providers may encounter when they are sending PHI via email and how to handle them:
Finally, providers should develop a comprehensive policy and procedure that governs sending PHI via email. Staff members should be thoroughly trained regarding compliance with this policy and procedure.
The stakes are high! The Office of Civil Rights and State Attorneys General, the enforcers of privacy rights, are in enforcement mode! Special care with regard to this area is definitely needed now.
No portion of this material may be reproduced in any form without the advance written permission of the author.