How the HIPAA Comprehensive Final Law Applies to E-mail Contact with Patients

The Comprehensive Final Law was created at the beginning of the year and covered companies – which now contains business partners as well as their subcontractors – now require to update policies and procedures to abide by the new rules if they haven’t already done so. The time limit for conformity with the new law is September 23, 2013, and any covered body found not to have applied the necessary changes after this date might incur a fiscal fine up to $1.5 million.

The latest changes have been condemned by some members of the healthcare community; nevertheless, the modifications are necessary to make better the entitlements of patients to retrieve their medical files. The Omnibus Rule now lets them to have much more independence and make decisions concerning how their medical info is revealed to them.

If a patient is happy getting info through E-mail this has earlier presented a problem for healthcare businesses. E-mails can be interrupted, the emails are frequently stored unsafe servers – where they can stay forever – and there is no assurance that the planned receiver will be the only individual to read the E-mail. Transmitting unencrypted E-mails having PHI would breach HIPAA security rules.

Nevertheless, under the fresh law, patients are capable to be sent unencrypted E-mails having their PHI if they so desire, if that they have been notified of the dangers. If a healthcare provider describes to the patient that E-mail isn’t completely safe and there is a possibility that their data might be seen by other people the patient can be transmitted E-mails. Patients are allowed to take risks with their data. Healthcare businesses aren’t.

If any patient chooses to get unencrypted E-mails it’s highly sensible to have the permission in writing. While this isn’t stated clearly in the law as being compulsory, it would be foolish to transmit any PHI without having documents to verify that the patient has been notified of the dangers. Authorization should be obtained before sending the E-mail. It’s still not allowed to transmit E-mails under an opt-out policy. Patients should opt-in to get electronic messages.

To what level do the dangers must be explained? As per a statement released by the DHSS in 2013, “We don’t expect covered bodies to educate people regarding encryption technology as well as the [sic] info safety. Rather, we just expect the covered body to inform the person that there might be some level of danger that the info in the email might be read by a 3rd party.”

It’s important for healthcare businesses to be acquainted with State rules on E-mail having PHI. HIPAA makes some relaxation for an E-mail message, though some States enforce harsher limits to control the release of patient files. State rules will apply when they enhance the protection provided under HIPAA, with the Omnibus Final Law believed to be a minimum national benchmark only.

It must be kept in mind that irrespective of what a patient demands, electronic communications should not be transmitted unless a commercial agreement with the provider of the service is in place. According to the Omnibus Law, all business partners should agree to abide by HIPAA Privacy and Security Laws and a business agreement should be signed. If there is no recent business agreement, a message having PHI that is transmitted to a patient through Skype, for instance, would be a HIPAA infringement even if the patient knew the dangers and initialed a document to that effect before the message being transmitted.

The new law might not be the easiest to apply and it could have significant cost effects for some healthcare businesses; nevertheless, the legislation is essential to make sure patient data is correctly protected and patients must be permitted to make decisions concerning their data and be provided greater access if needed.

Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.