A patient sends an email from their Gmail account discussing medical information. As the provider, you have no reason to believe that the email is secure, so how do you respond? By taking reasonable safeguards you can transmit ePHI by email when necessary and avoid a potential HIPAA breach situation.
The Department of Health and Human Services (HHS) provides guidance on responding to these patient-initiated requests. HHS has made clear that the patient must be warned of the risks to PHI, and that reasonable safeguards must be taken to avoid unintentional disclosures:
“[C]overed entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email…We do not expect covered entities to educate individuals about encryption technology and the information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request.” Source
“[C]ertain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail… Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.” Source
If these protective measures are followed, a covered entity is not responsible if the transmitted ePHI is intercepted in transit:
“[C]overed entities are not responsible for a disclosure of PHI while in transmission to the individual based on the individual’s access request to receive the PHI in an unsecure manner (assuming the individual was warned of and accepted the risks associated with the unsecure transmission). This includes breach notification obligations and liability for disclosures that occur in transit. Further, covered entities are not responsible for safeguarding the information once delivered to the individual.” Source
In addition to complying with HIPAA and following the HHS guidance, providers should follow any state laws concerning the use of encryption, since a state law that is stricter than HIPAA still applies. In summary, providers should, at a minimum, take the following safeguards when transmitting ePHI in response to a patient email:
- Warn the patient that there is a risk the information in the email could be read by a third party, keep a record of the warning and of the patient's decision to proceed, and include an email disclaimer to this effect;
- Verify that the sender is in fact the patient before sending PHI, for example by checking the address against the one on file or by sending an address-confirmation alert before the message itself;
- Limit the PHI sent to the minimum necessary, and do not send highly sensitive PHI (mental health, HIV/AIDS, genetic testing, substance abuse) by unencrypted email.
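The checks above can be enforced in software before a reply ever leaves the practice. The following is an added example, not code from the original article or from HHS: a small pre-send gate that compares the inbound From address with the address on file (ignoring the display name, which is easy to spoof), issues and verifies an HMAC-based address-confirmation token for the "e-mail alert for address confirmation" step, refuses to send until the documented risk warning has been accepted, blocks the highly sensitive categories, and prepends the disclaimer. The patient record fields, the category tags, the disclaimer wording, the secret and the sample messages are all constructed for the illustration and are not from the page.

```python
"""Pre-send gate for replying to a patient-initiated email with ePHI.

Added illustration only; the PatientRecord fields, category tags, secret and
sample data below are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from email.utils import parseaddr
import hashlib
import hmac

# Constructed disclaimer text; wording is an assumption, not HHS language.
RISK_DISCLAIMER = (
    "NOTICE: This message is being sent by unencrypted email at your request. "
    "Unencrypted email may be read by third parties in transit. Reply 'STOP' "
    "if you would prefer another delivery method."
)

# Categories the article lists as highly sensitive; tag names are assumptions.
HIGHLY_SENSITIVE = {"mental_health", "hiv_aids", "genetic_testing", "substance_abuse"}


@dataclass
class PatientRecord:
    patient_id: str
    email_on_file: str
    risk_warning_accepted: bool = False   # set only after the patient is warned and agrees
    address_confirmed: bool = False       # set by confirm_address()


def normalize_address(header_value: str) -> str:
    """Return the bare, lower-cased addr-spec from a From/Reply-To header.

    The display name is discarded, so '"pat@gmail.com" <x@evil.test>'
    resolves to x@evil.test rather than to the spoofed name.
    """
    _display_name, addr = parseaddr(header_value)
    return addr.strip().lower()


def sender_is_patient(from_header: str, record: PatientRecord) -> bool:
    """Exact match of the inbound address against the address on file."""
    sender = normalize_address(from_header)
    return bool(sender) and sender == normalize_address(record.email_on_file)


def issue_confirmation_token(record: PatientRecord, secret: bytes) -> str:
    """Token to embed in the address-confirmation alert sent before any PHI.

    Bound to the patient id and the address on file. A production flow would
    also add an expiry; omitted here to keep the example short.
    """
    msg = f"{record.patient_id}:{normalize_address(record.email_on_file)}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def confirm_address(record: PatientRecord, presented_token: str, secret: bytes) -> bool:
    """Mark the address confirmed only if the token the patient returned verifies."""
    expected = issue_confirmation_token(record, secret)
    record.address_confirmed = hmac.compare_digest(expected, presented_token)
    return record.address_confirmed


def prepare_reply(record: PatientRecord, from_header: str, body: str,
                  categories: list[str]) -> tuple[bool, str]:
    """Return (True, message) when all safeguards pass, else (False, reason)."""
    if not sender_is_patient(from_header, record):
        return False, "sender address does not match the address on file"
    if not record.address_confirmed:
        return False, "address not confirmed; send the confirmation alert first"
    if not record.risk_warning_accepted:
        return False, "patient has not been warned of, and accepted, the risk"
    blocked = HIGHLY_SENSITIVE & set(categories)
    if blocked:
        return False, f"highly sensitive PHI must not go by unencrypted email: {sorted(blocked)}"
    return True, RISK_DISCLAIMER + "\n\n" + body


if __name__ == "__main__":
    # Constructed sample data.
    secret = b"constructed-demo-secret-rotate-me"
    record = PatientRecord("P-1001", "Pat.Example@gmail.com")
    print(sender_is_patient('"pat.example@gmail.com" <someone@evil.test>', record))  # spoofed name
    token = issue_confirmation_token(record, secret)
    confirm_address(record, token, secret)
    record.risk_warning_accepted = True
    ok, text = prepare_reply(record, "Pat Example <pat.example@gmail.com>",
                             "Your lab results from Monday are attached.", ["lab_results"])
    print(ok, text, sep="\n")
```

The ordering of the checks is deliberate: a mismatched sender is rejected before any confirmation or content logic runs, and the record's `risk_warning_accepted` flag is the documented evidence that the HHS condition "warned of and accepted the risks" was met for this patient.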
For further information on HIPAA compliance, catch up on some of our recent webinars: "HIPAA Security: Monitoring Access, Incident Management and Detection" and "Is this a HIPAA Breach, and if so, what now?"