Throwback trends are popular, especially on social media sites. By now most of us are familiar with Throwback Thursday and many of us have used the hashtag #TBT. In recognition of this popular trend, we thought it would be fun to "throw back" to an article series we published over one year ago. Rather than simply republishing it, this series adds some lessons we have learned during the past several months that we would like to share with you. In hashtag terms we will refer to these as #LessonsLearned.
Many administrators have asked us about electronic communications, more specifically about third party email providers such as Gmail, Yahoo! Mail, Hotmail, and others.
For example, a practice manager asked us: What does HIPAA say about practices that use services like Gmail, Yahoo Mail, and Hotmail as their email provider with regard to PHI being transferred via email? Even if the client gives authorized consent or if it is for TPO purposes, what about PHI that could potentially be sitting on Gmail's servers indefinitely? What is required if an email is sent to the wrong recipient?
Encrypted and Unencrypted Electronic Communications
The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail with their patients, provided they apply reasonable safeguards when doing so.
Encrypted email is considered safe and provides adequate protection for health information sent and received electronically. It offers several benefits: the message content is hidden from an eavesdropper, a digital signature lets the recipient verify who sent the message and that it was not altered, and only the holder of the recipient's private key can decrypt it. Encryption is the preferred method when communicating electronically.
Encrypted email is a safe option, but not the only option. HIPAA does not prohibit a physician from sending PHI through unencrypted email; in other words, there is no law forbidding the use of unsecured electronic communication, provided the conditions below are met.
According to the HIPAA Omnibus Final Rule, covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual's request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.
#LessonsLearned Encrypt mobile devices that communicate electronically
Encryption is preferred when communicating electronically, such as through e-mail, and if you are using mobile devices to communicate electronically, encryption (or a documented, equivalent alternative measure) is required. We discussed this in our Mobile Device(s) Policy and Procedures article:
Illiana L. Peters, the senior advisor for HIPAA Compliance and Enforcement at the HHS Office for Civil Rights (OCR), reinforced OCR's position on encryption. She said organizations are required to address encryption, especially on mobile devices, and that in the event of a breach an organization would have a difficult time proving that an alternative measure meeting the NIST encryption standard was in place.
Third Party Email Providers
If a patient asks you to send information to their Gmail, Yahoo! Mail, Hotmail or other third party email account, it is important to inform them that there is a risk their information could be accessed or viewed by unintended parties. Let them know it is potentially unsafe. As long as the patient has been notified of the risk and still requests delivery that way, sending it is permitted under HIPAA.
Third party providers like Microsoft (e.g. Office 365) and Google (e.g. Gmail) offer HIPAA compliance solutions ranging from encrypted messages to signing a Business Associate Agreement (BAA) if you intend on using services, such as apps, in connection with protected health information. These business associates are required to sign an agreement that states they will protect a patient's confidential information.
As of September 2013 the three apps Google's BAA agreement covers are Gmail, Calendar and Drive, in addition to Google Apps Vault, the service responsible for archiving user data from the three apps.
An administrator can electronically sign a BAA once they answer three questions on the Google Apps website:
- Are you a Covered Entity, or Business Associate of a Covered Entity, under HIPAA?
- Will you be using Google Apps in connection with PHI?
- Are you authorized to request and agree to a Business Associate Agreement with Google for your Google Apps domain?
It is important to note the BAA does not cover Google+ and other Google services, or third party Marketplace Apps.
Microsoft Office 365 is a cloud based solution for email, instant messaging, calendaring, and data storage. Microsoft will sign a BAA with a covered entity that uses Microsoft Office 365.
Once the agreement is reviewed and the terms are accepted, you can get a signed copy of the Office 365 and CRM Online HIPAA/HITECH Act BAA.
Google Apps (Gmail, Calendar and Drive) and Microsoft Office 365 are two reasonable and affordable HIPAA compliant third party email providers. Customers using the services are responsible for determining if they are subject to HIPAA requirements, and if they intend to use the services in connection with PHI.
#LessonsLearned What about Apple?
Apple has several encryption options including, but not limited to:
- iMessage and FaceTime: according to Apple, communications are protected by end-to-end encryption across all your devices when you use iMessage and FaceTime. Apple also states that it does not scan your communications.
- iCloud: according to Apple, all of your iCloud content is encrypted in transit and, in most cases, when stored. If Apple uses third party vendors to store your data, it is encrypted and the vendors are never given the keys. Apple retains the encryption keys in its own data centers so that you can back up, sync, and share your iCloud data. Notable data encrypted in iCloud includes photos, documents in the cloud, calendars, contacts, backups, mail and notes (encrypted in transit).
- Mail: all traffic between any email application and the iCloud mail servers is encrypted. Additionally, Apple's mail servers support encryption in transit with other mail providers that also support it.
Electronic communication disclaimer
HIPAA requires that reasonable steps be taken to protect against the risks of electronic communication, such as an email or fax being sent to the wrong person or being captured electronically en route. It is essential to include a disclaimer notifying the recipient of the insecurity of email or facsimile, and providing a contact to which the recipient can report a misdirected message.
Below is an example of an email disclaimer:
The information contained in this transmission may contain privileged and confidential information, including patient information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
In conclusion, encrypted email is safe and provides adequate protection of health information. Encryption is the preferred and recommended option. Covered entities are allowed to send individuals unencrypted email as long as the individual is aware of the risks and they still prefer unencrypted email. There are affordable and reasonable HIPAA compliant options including Microsoft Office 365 and Google Apps. HIPAA does require reasonable steps to be taken to protect against risks involved with electronic communication. A disclaimer (e.g. email disclaimer) is essential, especially when transmitting health information.
A common method for securing messages is encryption. However, encrypted email (S/MIME or PGP, for example) generally protects only the message body; the subject line, along with the sender, recipient and date headers, travels in plain, easily read text. Because of this, it is best to limit the subject line to generic wording such as "appointment request" or "appointment change". Our recommendation is therefore to keep patient identification, such as the patient's name and any other identifying information, inside the encrypted body of the message.
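The point above is easy to check mechanically before a message leaves the practice. The following is an added example (not code from the original article) that parses an outgoing message, reports which headers remain in cleartext even when the body is an opaque S/MIME or PGP/MIME part, and flags subject lines that are not on a generic allowlist or that look like they carry identifiers. The allowlist, the identifier patterns and the sample messages are assumptions constructed for the demonstration; the S/MIME body is a stand-in blob, not real ciphertext.

```python
"""Audit outgoing email for patient information in cleartext headers.

Added example, not from the original article. Assumes a practice-specific
allowlist of generic subjects and rough identifier patterns; both would be
tuned to a real workflow. Sample messages below are constructed.
"""
import base64
import email
import re
from email import policy
from email.message import Message

# Subjects that carry no patient-identifying information (assumption).
GENERIC_SUBJECTS = {
    "appointment request",
    "appointment change",
    "appointment reminder",
    "secure message",
}

# Rough indicators of identifiers that should never sit in a cleartext header
# (assumption: illustrative patterns, not an exhaustive PHI detector).
IDENTIFIER_PATTERNS = {
    "ssn-like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date-like": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "mrn-like": re.compile(r"\bMRN\b\s*#?\s*\d+", re.IGNORECASE),
    "dx-keyword": re.compile(
        r"\b(diagnosis|lab results?|biopsy|hiv|pregnan\w*)\b", re.IGNORECASE
    ),
}

# MIME types whose body is opaque to an eavesdropper: S/MIME enveloped data
# and PGP/MIME. Headers outside that part are NOT covered by either.
ENCRYPTED_BODY_TYPES = {"application/pkcs7-mime", "multipart/encrypted"}


def body_is_encrypted(msg: Message) -> bool:
    """True when the top-level body is an S/MIME or PGP/MIME encrypted part."""
    return msg.get_content_type() in ENCRYPTED_BODY_TYPES


def subject_findings(subject: str) -> list:
    """Return a list of problems with a subject line; empty means it is fine."""
    findings = []
    if subject.strip().lower() not in GENERIC_SUBJECTS:
        findings.append("subject not on generic allowlist")
    for name, pattern in IDENTIFIER_PATTERNS.items():
        if pattern.search(subject):
            findings.append(f"subject contains {name} pattern")
    return findings


def audit_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report what an eavesdropper can read."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    return {
        "body_encrypted": body_is_encrypted(msg),
        # Every header is readable in transit regardless of body encryption.
        "cleartext_headers": {name: str(value) for name, value in msg.items()},
        "findings": subject_findings(subject),
    }


def build_sample(subject: str) -> bytes:
    """Constructed S/MIME-style message: cleartext headers, opaque body."""
    blob = base64.b64encode(b"stand-in for real S/MIME ciphertext").decode()
    return (
        "From: clinic@example.org\r\n"
        "To: patient@example.net\r\n"
        f"Subject: {subject}\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{blob}\r\n"
    ).encode()


if __name__ == "__main__":
    for subj in ("Appointment change", "Jane Doe MRN 48213 biopsy results 03/14/2014"):
        report = audit_message(build_sample(subj))
        print(f"Subject: {subj!r}")
        print("  body encrypted:", report["body_encrypted"])
        print("  readable headers:", sorted(report["cleartext_headers"]))
        print("  findings:", report["findings"] or "none")
```

Running the script shows both messages with an encrypted body, yet the second one leaks the patient's name, record number, a date and a diagnosis keyword through the Subject header. A check like this belongs at the mail gateway or in the sending application, before encryption is applied, since encrypting the body does nothing for the headers.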
Part two of the article series will address what to do if electronic communications were sent to the wrong recipient, including how to determine whether or not protected health information (PHI) has been compromised, requiring breach notification.
If you have any questions about electronic communication, or need assistance with reasonable steps to protect against risks of electronic communication, please do not hesitate to contact one of our professional consultants.