Email is a valuable and convenient means of communication. Can healthcare companies employ email to deliver the electronic protected health information of patients? Do they violate the HIPAA Rules when they do this?
There is no rule in HIPAA that prohibits transmitting PHI electronically. HIPAA-covered entities may use email or any other electronic channel to send ePHI, provided that appropriate safeguards are applied to ensure the confidentiality, integrity, and availability of the PHI.
Below are important points to keep in mind when using email to send ePHI.
Although emailing a patient’s name does not in itself violate any HIPAA rule, remember never to put the patient’s name or any other PHI in the email’s subject line. Sensitive information in the subject line can be viewed by unauthorized individuals: the message body may be encrypted in transit, but header fields such as To, From and Subject are usually not encrypted.
Whenever emailing PHI, make sure the email is sent to the correct person. Many privacy breaches have occurred as a result of emails sent to the wrong people.
HIPAA does not require encryption, but the decision to encrypt or to use other controls should be made through the organization’s risk analysis and risk management processes. If encryption is not used, an alternative control must be applied that provides an equivalent level of protection. When sending internal messages, there is no need to use encryption, as the messages will be protected by the firm’s firewall. Nonetheless, access controls should be in place to ensure that messages can be opened only by authorized persons.
Whenever emailing PHI beyond the firewall, there is a high risk that unauthorized persons could intercept and read the messages, so encryption is strongly recommended.
Don’t forget to get patients’ written consent before sensitive information is sent via email. Patients need to be informed of the risks of receiving PHI via unencrypted email.
Rather than encrypting email, you can consider implementing policies that require PHI to be sent only through HIPAA-compliant data sharing services such as Box, Google Drive and Dropbox.