Over the past decade, electronic messaging has become a preferred method for both personal and professional communication. Despite its rapid rise, healthcare providers remain bound by patient privacy laws and restrictions that confine doctor-patient interaction to secure forms of communication. Any attempt to step outside those boundaries could result in massive fines and criminal penalties.
If you are a physician or healthcare provider, protecting your practice does not have to mean giving up on email altogether. However, there are some important components of the law you need to know about before taking your communications online.
Sending Electronic Protected Health Information (ePHI) Via Email
In order to clarify any confusion, the U.S. Department of Health and Human Services expressly answered a question that was on everyone’s mind regarding electronic communication of protected health information: Are healthcare providers allowed to send personal health information to a patient or other healthcare provider in an email via the Internet?
According to HHS, the simple answer is yes; PHI may be sent electronically. However, there are restrictions and expectations concerning the actions taken to protect the integrity of that information and safeguard against any unauthorized access to that information. Furthermore, the healthcare provider is responsible for evaluating the security of open network communications and identifying an acceptable solution for safe transmission.
The only time it is acceptable to use non-secured email is at the express request of the patient; specifically, the patient must opt in to (not merely fail to opt out of) such communications and must also be fully aware of the potential risks and consequences of communicating through a non-secure platform. Not only is this impractical for daily communication needs, but it also requires you to prove that the patient is informed and has consented to these risky online interactions.
HITECH and the Final Omnibus Rule
In 2009, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act to strengthen HIPAA’s security and patient privacy rights. The law was enacted in anticipation that the electronic transfer of private health information would increase in the coming years. By 2013, the U.S. Department of Health and Human Services had published the Final Omnibus Rule, a complete set of rules and regulations designed to implement and enforce the provisions of the HITECH Act.
Under the Final Omnibus Rule, both the healthcare provider and his or her business associates are liable for protecting private health information. At 563 pages, it is hardly a small tweak to pre-existing privacy laws, either. In fact, the Final Omnibus Rule created the most sweeping changes to patient privacy regulations since HIPAA was first enacted in 1996. When it was enacted, HHS Secretary Kathleen Sebelius said, “The new rule will help protect patient privacy and safeguard patients’ health information in an ever-expanding digital age.”
Astronomical Fines, Increased Government Power
Perhaps most notably, the Final Omnibus Rule substantially raises the maximum fine for non-compliance and expands the government’s jurisdiction to investigate and enforce the law. The Omnibus Rule allows for enormous fines scaled to the level of negligence involved in breaking the law. For those found guilty of extreme negligence, the fines could soar as high as $1.5 million – up from just $250,000 under the previous HIPAA guidelines. According to Section 160.404 of the HITECH Act, first-time offenders who were unaware of their HIPAA violations typically pay lower penalties, though still as much as $50,000. Those who act with willful negligence or commit repeat offenses could see their fines soar much higher.
Furthermore, greater efforts are being made to identify healthcare providers and their associates who are not using secure ePHI transmission protocols. The Omnibus Rule grants HHS the power to investigate any violation claims and to carry out randomized audits and reviews of the email practices of hospitals, physicians, and other medical entities. In fact, it not only allows for random audits – it mandates them.
Anyone who is found guilty of patient privacy negligence under the new HIPAA, HITECH, and Omnibus rules will not only pay fines but may also be prosecuted for criminal behavior. It is possible that in some cases, individuals who failed in their responsibility to protect private patient information could face up to 10 years of imprisonment in addition to civil and criminal fines.
Your Responsibility as a Healthcare Provider
There is no question that the governing authorities and HIPAA encourage healthcare providers to be very cautious when using email in their practices. There is also no question that the law is clear about the astronomical fines and penalties that could befall you and your practice should you be found guilty of breaching the privacy of your patients. However, that is where the clarity ends. Unfortunately, lawmakers were quite vague about how the guidelines within the law are to be implemented, meaning it is up to you – the healthcare provider – to interpret and apply the regulations to your practice.
Using Best Practices to Further Prevent HIPAA Violations
In addition to implementing the appropriate security protocols, there are further steps you can take to help prevent electronic HIPAA violations within your practice. For example, put a system in place that requires patients to confirm their email addresses before those addresses are used to transmit protected information. Also, avoid including information within an email that directly identifies the patient. This includes the patient’s name, street address, social security number, birthday, picture, health insurance information, and account numbers.
It is also important that patients feel they have access to the same information through alternative means of communication as they would have via email. Despite taking steps to secure your email transmissions, some patients will not feel comfortable with electronic data transfer. Ultimately, the patient should be well-informed and completely accept the means with which you communicate.
Finally, only work with a HIPAA email provider who understands the complex requirements for ePHI protections under the HITECH Act and Final Omnibus Rule. Your email provider will be your greatest partner in ensuring your legal compliance and protecting your practice against civil and criminal penalties.
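One way to enforce the opt-in rule and the address-confirmation and no-identifier practices described above is an outbound-message gate. This is an added example, not code from the original article; the patient records, the identifier patterns and the `secure-portal` fallback route are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed patient directory (assumption): has the patient confirmed this
# address, and has the patient explicitly opted IN to unsecured email after
# being told the risks? Failing to opt out does not count.
PATIENTS = {
    "p-1001": {"email": "pat.one@example.com", "email_confirmed": True, "unsecured_opt_in": False},
    "p-1002": {"email": "pat.two@example.com", "email_confirmed": True, "unsecured_opt_in": True},
    "p-1003": {"email": "pat.three@example.com", "email_confirmed": False, "unsecured_opt_in": True},
}

# Direct identifiers the article says to keep out of email bodies. Name is
# matched against the record; SSN, birthday and account numbers by pattern.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date_of_birth": re.compile(r"\b(?:DOB|date of birth)\b\s*[:\-]?\s*\d{1,2}/\d{1,2}/\d{2,4}", re.I),
    "account_number": re.compile(r"\b(?:acct|account)\s*(?:#|no\.?|number)?\s*[:\-]?\s*\d{6,}\b", re.I),
}

@dataclass
class Decision:
    allowed: bool
    transport: str      # "unsecured-email", "secure-portal" or "blocked"
    reasons: list

def find_identifiers(body: str, patient_name: str = "") -> list:
    """Return the kinds of direct identifiers found in an outbound message body."""
    found = [kind for kind, rx in IDENTIFIER_PATTERNS.items() if rx.search(body)]
    if patient_name and patient_name.lower() in body.lower():
        found.append("name")
    return found

def gate_outbound(patient_id: str, to_addr: str, body: str, patient_name: str = "") -> Decision:
    """Decide whether, and over which channel, a message may leave the practice."""
    rec = PATIENTS.get(patient_id)
    if rec is None:
        return Decision(False, "blocked", ["unknown patient"])
    # Never send to an address the patient has not confirmed (or to a different one).
    if to_addr.lower() != rec["email"].lower() or not rec["email_confirmed"]:
        return Decision(False, "blocked", ["recipient address not confirmed by patient"])
    hits = find_identifiers(body, patient_name)
    if hits:
        # Identifiers belong behind the secure portal, whatever the consent status.
        return Decision(True, "secure-portal", ["direct identifiers present: " + ", ".join(hits)])
    if rec["unsecured_opt_in"]:
        return Decision(True, "unsecured-email", ["documented opt-in; no direct identifiers"])
    return Decision(True, "secure-portal", ["no documented opt-in for unsecured email"])
```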
Summary of Best HIPAA Articles
How HIPAA Affects You
- HIPAA was established to protect patient privacy and personal information in the health industry.
- Compliance with HIPAA includes privacy policy and security rules.
- It’s important for medical websites to be HIPAA compliant due to the sensitive information they handle.
- Making a website HIPAA compliant goes beyond basic encryption and requires SSL and high-security data collection forms.
- Website owners are responsible for ensuring their website adheres to HIPAA regulations, whether operating publicly or privately.
- Non-compliance with HIPAA laws can result in hefty fines.
- The article suggests contacting them for help creating an attractive and HIPAA-compliant website.
HIPAA Rules Apply to Both Emails and Online Forms
- HIPAA is a federal act designed to protect patient information
- HIPAA applies to electronic interactions with patients as well as in-person interactions
- Compliance with HIPAA is important for a practice’s reputation and can lead to improved communication and better relationships with patients
- Secure email is a must-have for practices to communicate with patients quickly and efficiently and can save time and money
- Email and online forms can help reduce errors and maintain consistency in a practice
- Offering amenities such as phone communication, access to records and test results, and online paperwork can provide an exceptional patient experience and retain/attract patients
HIPAA’s Main Role is to Protect Patient’s Information
- HIPAA is designed to protect “individually identifiable health information”
- Covered entities, including healthcare providers, medical coders, billers, and insurance providers, must control the use and disclosure of protected health information (PHI) in a way that protects patient privacy
- Security standards are in place to cover the electronic side or electronic PHI (ePHI)
- Medical website forms should protect their contents by automatically encrypting the information before it is sent to third parties.
- A dedicated server provides the highest level of control and protection for HIPAA-compliant medical websites, while a shared server can open up a doctor to breaches in HIPAA compliance.
HIPAA Legislation is Complex but Important to Understand
- HIPAA legislation is complex, consisting of multiple sections added over time.
- HIPAA email rules require controls and safeguards to protect electronic personal health information (ePHI) during transmission, including encryption and other measures.
- Patients have the right to request alternative communication methods and can file a complaint if they believe HIPAA rules have been violated.
- The HHS Office for Civil Rights can issue financial penalties for HIPAA violations, with fines ranging from $100 to $1.5 million per violation.
- Protected Health Information (PHI) includes 18 personal identifiers, such as patient names, social security numbers, and biometric identifiers.
- Making a medical website HIPAA compliant requires SSL encryption and high-security data collection forms.
- Failure to comply with HIPAA rules can result in financial penalties, so protecting patient privacy is important.
HIPAA Rules Regarding Email Compliance
- HIPAA is a set of regulations to help people carry their health insurance and protect the privacy of patients’ medical records.
- Healthcare organizations must strictly comply with HIPAA laws and invest time and money in training staff.
- HIPAA-compliant email requires end-to-end encryption, a business associate agreement, proper email configuration, staff training, retention of emails, and patient consent.
- HIPAA-compliant online forms must be used to collect health information and require an assessment of the security controls, encryption algorithms, a business associate agreement, proper access controls, passwords, audit logs, and integrations with HIPAA-compliant platforms.
- Penalties for any HIPAA violations include fines, imprisonment, and additional punishments at the state level, depending on the violation.