Healthcare alert: Protecting patient privacy in email and complying with HIPAA laws
A patient in distress sends an unencrypted email to her doctor of 15 years using his office email address. The doctor, very familiar with the patient’s history, hits “reply” and asks a few questions. The patient types in answers and clicks “reply.” The doctor carefully reads the patient’s answers, and offers excellent medical advice.
This patient and this doctor have consulted like this several times over the course of their 15-year relationship. And then along came the HIPAA privacy and security rules for the healthcare industry, which cover email as well.
The risks: exposure of protected health information, and embarrassment
By now we all have heard the stories. Unencrypted email can be read by anyone who intercepts it in transit or who gains access to a mail server, a mailbox, or a device on which it is stored. A person or organization covered by HIPAA therefore runs the risk of having emails that contain protected health information exposed through hacking or a lost device.
HIPAA essentially is made up of the Privacy Rule, which limits how individually identifiable health information may be used and disclosed; the Security Rule, which sets administrative, physical, and technical safeguards for electronic protected health information (ePHI), whether stored or transmitted; and the Breach Notification Rule, which requires notification once unsecured PHI is breached.
A breach may lead to having to notify the affected patients, the U.S. Department of Health and Human Services (HHS), and, for larger breaches, the media, according to the AMA.
Sending unencrypted electronic messages containing PHI, therefore, may harm your patient and also your reputation.
The barriers to privacy
- Most people are now comfortable with technology, especially email, which makes it easier than ever to violate the Health Insurance Portability and Accountability Act, or HIPAA. Patients prefer email to phone calls because they dislike impersonal automated attendants, let alone the human “guardian at the gate” receptionist.
- Mobile devices keep getting smaller and are often carried unlocked, so they are easier to lose, and any unencrypted data on them goes with them. Smartphones, tablets, and even laptops that hold stored email, and perhaps other PHI, may be lost or stolen. Yet physicians and others covered by HIPAA rely on mobile devices for convenience. Under HHS guidance, PHI encrypted according to NIST standards counts as “secured”, so the loss of an encrypted, locked device need not be a reportable breach, while the loss of an unlocked device holding plaintext email is presumed to be one unless a risk assessment shows otherwise.
- More people are included under the HIPAA rules. The 2013 Omnibus Final Rule extended the Security Rule and Breach Notification Rule directly to business associates and to their subcontractors (the third-party vendors that handle PHI on their behalf); it took effect in March 2013, with a compliance deadline of September 23, 2013.
- Information Week quotes Aaron Titus, chief privacy officer and counsel at Identity Finder, a company that manages sensitive data, as saying: “Doctors and end-users will always find a way to do their jobs following the path of least resistance.” Titus notes, too, that secure communications are always more cumbersome to handle for doctors, their colleagues, and patients. Doctors prefer not to take the time to use the available encryption software before accessing patient data or hitting “reply.”
Information Week reports, “The solution lies in creating a culture of privacy, and at the core of that culture is education.”
Institutions and practice managers need to be consistent about compliance and about the high costs of non-compliance. Patients who keep contacting their providers without using the available encryption software should be reminded of the risk to their own privacy and to the institution’s security. HHS guidance does allow a provider to honor a patient’s own request for unencrypted email once the patient has been warned of the risk, but that warning and the patient’s choice should be documented.
Ultimately, securely archiving your practice’s emails could save the day in the event of a lawsuit, and it is handy simply as a way to retrieve what was said to a patient some months ago. Bear in mind that an archive of messages containing PHI is itself ePHI under the Security Rule, so it must be encrypted, access-controlled, and audit-logged like any other store of patient data.
Intradyn was the first email-archiving solution provider and we remain at the forefront of the archiving marketplace.