Email has become one of our primary methods of communication. However, in the healthcare environment, the improper use of email could lead to an inappropriate disclosure of patient information, and a possible HIPAA violation. While the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), the government agency that oversees and enforces HIPAA privacy and security, permits the use of unencrypted email to communicate patient information to provider colleagues or patients, it emphasizes that emails should still be transmitted in a safe and secure manner. The use of encryption for emailing patient information, while not mandated under HIPAA, is an “addressable” requirement under the regulation and must be employed unless other appropriate protections are used.
A Jan. 23 MGMA Stat poll, which included more than 1,300 respondents, asked the question, “Do you use secure (encrypted) email when sending patient data?” The majority (88%) responded yes, with a further 4% stating that they were “considering it.” Only 6% indicated that they do not use secure email, and 2% stated that they were unsure.
For those respondents using secure email, 36% reported using the technology to have their providers communicate with external providers. Another 16% stated that secure email was used for providers to communicate internally, and an additional 11% indicated that secure email was used for provider-to-patient communications. “Other” was reported by 37%, with many of those respondents indicating that secure email was used in any instance where patient data was involved.
OCR has made it clear that patients generally have the right to receive emailed copies of their health information if they request that method of delivery. They also have the right to receive a copy of their health information via unencrypted email if they ask for it in that format. In these cases, the practice must provide a warning to its patients that there is a level of risk that patient information could be read or otherwise accessed by a third party while in transit, and confirm that patients still want to receive the record by unencrypted email. MGMA recommends that physician practices ask their patients to sign an acknowledgment of this risk and document that their patients have been informed of the potential risk of disclosure.
In the limited situations in which a practice is unable to email some or all of the information requested by its patients, such as when diagnostic images are too large to send via email, the practice must offer its patients alternative means of receiving their records, such as on portable media that can be mailed to them.
If a practice decides not to employ encryption technology, according to OCR it must apply “reasonable safeguards.” For example, in an FAQ, the agency states that practices must take certain precautions when using email to avoid unintentional disclosures, including ensuring that the email address is accurate prior to sending, or sending a test email to patients for address confirmation. Further, while OCR stipulates that HIPAA does not prohibit the use of unencrypted email for communications between providers and patients, the agency does state that other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted email.
Should patients initiate communications with the practice using unencrypted email, the practice can assume that email communications are acceptable to those patients unless they have explicitly stated otherwise. If the practice believes patients are not aware of the possible risks of using unencrypted email, or has concerns about potential liability, the practice can alert its patients to those risks and let them decide whether to continue email communications.
Other than those unencrypted communications specifically requested by patients, the use of unencrypted email, including the use of email to transmit patient information to staff within the practice, requires that the organization assess its use of open networks, identify the available and appropriate means to protect patient information sent electronically, select a solution, and document the decision. Practices are strongly encouraged to discuss secure email options with their technology vendor.
For additional information, access the MGMA HIPAA Privacy and Security Resource Center and the member-benefit resource The Patient Right to their Medical Record: Format, Fees and other Requirements.
Director, Health Information Technology Policy
MGMA Government Affairs