Your office is not allowed to share patient information through unsecured methods. Yet patients can ask their medical providers to send their information via email or other unsecured methods of communication. Where does that leave your office?
Today most email services encrypt messages in transit: the connection between mail servers is encrypted (typically with TLS) while the message moves from point to point.
This means that when you send an email to a patient, it is protected while it travels between your mail provider and theirs. Note that this transport encryption is negotiated hop by hop between servers rather than guaranteed end to end, and once delivered the message sits in the mailbox in readable form. This raises the question: is sending patient information by email HIPAA compliant?
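The "point to point" protection described above is recorded in the message itself: each mail server that handles a message prepends a Received header, and that header normally says whether the hop used TLS (for example "with ESMTPS" or a "version=TLS…" clause) or plain "with ESMTP". The following script is an added example, not code from TLD Systems or from the original article; it reads the Received headers of a message and reports which hops were encrypted. The message it parses is a constructed sample (the host names and IDs are invented), built so that the first hop, from a workstation to the office mail server, is cleartext and the second hop to the patient's provider uses TLS.

```python
import re
from email import message_from_string

# Constructed sample message (not a real capture). Received headers are
# prepended as the message travels, so the top header is the LAST hop.
SAMPLE_MESSAGE = """\
Received: from mx.example-clinic.test (mx.example-clinic.test [192.0.2.10])
        by mail.patient-isp.test with ESMTPS id abc123
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
        Mon, 1 Jan 2024 10:00:01 +0000
Received: from workstation.example-clinic.test ([10.0.0.5])
        by mx.example-clinic.test with ESMTP id xyz789;
        Mon, 1 Jan 2024 10:00:00 +0000
From: frontdesk@example-clinic.test
To: patient@patient-isp.test
Subject: Your lab results

Body of the message.
"""

# Markers commonly written by MTAs for a TLS-protected hop:
#   "with ESMTPS"  / "with ESMTPSA" (Postfix, TLS / TLS + authenticated)
#   "version=TLS1_x cipher=..."   (Gmail-style clause)
TLS_MARKER = re.compile(
    r"\bwith\s+(?:E?SMTPSA?|UTF8SMTPSA?)\b|\bversion=TLS", re.IGNORECASE
)
# "from <sending host> ... by <receiving host>"
HOP_MARKER = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)


def received_hops(raw_message):
    """Return the delivery hops in chronological order.

    Each hop is a dict with the sending host ("from"), the receiving host
    ("by") and whether that hop advertised TLS ("tls").
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        # Collapse folded header lines into a single line before matching.
        text = " ".join(value.split())
        match = HOP_MARKER.search(text)
        hops.append(
            {
                "from": match.group(1) if match else "?",
                "by": match.group(2) if match else "?",
                "tls": bool(TLS_MARKER.search(text)),
            }
        )
    # Reverse so the list reads first hop -> last hop.
    hops.reverse()
    return hops


def first_cleartext_hop(raw_message):
    """Return the first hop that did not use TLS, or None if all hops did."""
    for hop in received_hops(raw_message):
        if not hop["tls"]:
            return hop
    return None


def all_hops_encrypted(raw_message):
    """True only if every recorded hop advertised TLS."""
    return first_cleartext_hop(raw_message) is None


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        status = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f"{hop['from']} -> {hop['by']}: {status}")
    print("all hops encrypted:", all_hops_encrypted(SAMPLE_MESSAGE))
```

Two caveats when using this on real mail: Received headers are written by the servers along the path and can only be trusted as far as those servers are, and a hop that shows TLS still leaves the message readable on the server at each end of that hop, which is exactly why the mailbox copies matter in the discussion that follows.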
The answer is complicated. The sending process itself is HIPAA compliant. But once you have sent the email, a copy of the message is stored in your "SENT MAIL" folder, and once you receive an email from a patient it is stored in your "INBOX."
If a hacker is able to break into your email account, they can view all of the emails in your INBOX and SENT MAIL folders. If the hacker views patient information in these emails, you have a HIPAA breach.
Therefore we recommend that if you are going to communicate with patients via email, you copy the contents of any and all emails exchanged with patients into your EHR system immediately, and then immediately delete them from your mail folders, including the Trash or Deleted Items folder, where deleted messages otherwise linger.
Things can go wrong when sending emails to patients. Our email programs like to ‘help’ us by guessing who we are sending emails to based upon the first few characters we have typed. It is important that you double check the name of the person in the “To” field and make sure that your email program is not helping you to commit a HIPAA violation.
We can also accidentally attach the wrong document to an email, sending one patient information about a different patient.
We must be diligent when sending out emails to make sure we are sending the right email, with the right attachments, to the correct person.
As far as the emails that you send to patients, once a message is in the patient's mail system it is out of your control and no longer your responsibility. The problem is that if the data in the patient's email system is seen by an unauthorized person, it is hard to prove that it was the patient's fault and not yours. It is a good practice to require that patients sign an Email Consent form prior to sending patient information via email. Some may consider this a bit of overkill, but it goes a long way toward protecting you.
A patient can request that your office send their medical records through an unsecured channel. If that request is made, your office is permitted to send the records via the method requested. Under the HIPAA right of access rule, when a patient makes a request for their information we are REQUIRED to provide it. If they wish the information to be sent by a method that may expose it, you need to have them sign a consent form allowing you to send the information in an insecure manner. This includes email, even though MOST email systems are encrypted in transit. This is because MOST is not ALL, and transport encryption does not protect the message once it is sitting in a mailbox.
It is imperative to include an email consent form as part of your patient intake forms and have existing patients fill out the form on their next visit. The email consent form should detail that email communication is an unsecured method of communication. The patient can sign to indicate that they understand the risks of unencrypted email and authorize your practice to send their patient records via email. Once completed this form should be included as part of the patient’s chart. A patient can update their preferences at any time and these updates should be reflected in the patient’s chart. Maintaining this documentation ensures your staff knows how they can communicate with each patient and avoid a HIPAA incident.
An email consent form is part of the documentation included in the TLD Systems HIPAA Compliance program. You can access this form in your account under Forms. If you have questions about how TLD Systems can help your office with HIPAA compliance, you can contact TLD Systems at (631) 403 6687 or email email@example.com