Editor’s Note: During our recent webinar on “HIPAA and Emerging Technologies,” we received so many compelling questions from our more than 600 registrants that there was not enough time to cover them all. Below we respond to some of the most commonly asked questions that we didn’t get the chance to address during the program. (See the article above for part 1 in our series summarizing the webinar’s content.)


_____________________________________________

Question 1: What should a consent contain that authorizes a covered entity to communicate with a patient over email?

Answer 1: Neither the Health Insurance Portability and Accountability Act nor the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS)—the agency that interprets and enforces HIPAA—requires a patient to provide consent prior to a covered entity communicating with that patient via email. However, HIPAA does require the application of reasonable safeguards when communicating with patients via email to ensure they are aware of the risks involved. Therefore, as a best practice, covered entities should obtain affirmative consent from patients before initiating email communications.

On its HIPAA Frequently Asked Questions (FAQ) page, the OCR says:

“Patients may initiate communications with a provider using e-mail. If this situation occurs, the healthcare provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.” [1]

The FAQ provides clear guidance on the specific information that covered entities should include when obtaining patient consent:

  • The risks associated with using unencrypted email. (A third party may be able to access and read the information, since it is transmitted over the Internet.)
  • The risks of having treatment information included in emails. (Someone other than the intended recipient may be able to access the email account and read the message.)
  • The patient’s right to revoke consent.
  • The avoidance of using email to address urgent medical matters.

In the HIPAA FAQ, the OCR also states that if a patient specifically requests that a covered entity communicate with him or her via email, the covered entity should acquiesce:

“…an individual has the right under the Privacy Rule to request and have a covered healthcare provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a healthcare provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.”

In short, the OCR guides covered entities to follow the communication preferences of their patients. If the patient prefers email communication, the provider should accommodate that request, as long as it is reasonable. Conversely, if the patient is not comfortable with unencrypted email, the provider should offer a more secure alternative. As a practice tip, we recommend that very sensitive information, such as Social Security numbers, diagnosis information and substance abuse treatment information, not be communicated over email given the heightened risks associated with inadvertent disclosures of this information.

Question 2: What are the risks of maintaining PHI on servers outside of the United States (offshore)?

Answer 2: While HIPAA itself does not prohibit maintaining protected health information (PHI) outside of the United States, there are state laws or contractual requirements between covered entities and federal or state agencies that may impact a covered entity’s ability to do so.

Section 1902(a)(80) of the Social Security Act prohibits a state from providing any “payments for items or services provided under the State plan or under a waiver to any financial institution or entity located outside of the United States.” The Centers for Medicare and Medicaid Services (CMS), however, has issued guidance in accordance with the Affordable Care Act (ACA) stating that Medicaid agencies are permitted to provide payments to contractors operating offshore for tasks—including administrative functions—that support the administration of the Medicaid program. [2]

Despite the permissibility of offshoring under federal law, four states’ Medicaid agencies have executive orders and contract requirements in place that prohibit any of their contractors (such as Medicaid managed care plans) from using offshoring services. [3] Some states, such as New York, do not prohibit offshoring in law or regulation but have banned it through contract requirements and internal policy. New York, for example, prohibits Medicaid managed care plans from offshoring any administrative or management functions of those plans. Other states, such as New Jersey and Missouri, do permit offshoring but only under limited circumstances.

In addition, CMS requires Medicare Advantage and Part D sponsors that contract with offshore vendors to perform Medicare-related work that uses beneficiary PHI to provide CMS with specific offshore subcontractor information and complete an attestation regarding protection of beneficiary PHI. Medicare Advantage and Part D sponsors must provide that information to CMS within 30 calendar days of signing an offshore contract. [4] They also must advise CMS any time there are changes to the functions that the current offshore contractor provides. [5]

Question 3: Should sanctioned attempts by digital security specialists to break into protected systems and networks be part of HIPAA-compliant risk assessment and risk management programs?

Answer 3: The HIPAA Security Rule does not specifically require covered entities and business associates to hire digital security specialists to test system vulnerabilities through sanctioned attempts to break into protected systems and networks. Instead, within the flexible framework of the Security Rule, a covered entity or business associate must determine whether implementing this security measure is reasonable and appropriate, based on the following factors:

  • The size, complexity and capabilities of the covered entity;
  • The covered entity’s technical infrastructure, hardware and software security capabilities;
  • The costs of security measures; and
  • The probability and criticality of potential risks to electronic PHI.

The best practice is to have a governance structure in place to support a formal process for addressing policy questions, such as the length of time between periodic reviews and thresholds that might trigger re-evaluation.

Question 4: How has the healthcare industry’s growing acceptance of commercial cloud services affected the regulatory standards for determining compliance with the HIPAA Security Rule?

Answer 4: HIPAA’s administrative safeguards include the requirement to reassess security measures in response to environmental and operational changes. One major change is the rising number of cyberattacks waged against healthcare organizations, as illustrated by The World Privacy Forum’s interactive map of reported medical data breaches in the United States. Another is the increased risk that malicious actors targeting smaller covered entities and business associates can gain access to the systems and networks of a broader clinical network.

Concurrent with the rise in cyberattacks is the healthcare industry’s growing acceptance of commercial cloud services. This rising acceptance of cloud services represents another environmental and operational change that warrants examination by covered entities and business associates.

The OCR’s release of guidance on HIPAA and cloud computing demonstrates the recognition of the increasing prominence of cloud services. Among other things, the guidance encourages covered entities and business associates to consult a resource offered by the National Institute of Standards and Technology (NIST)—the NIST Definition of Cloud Computing. The rise in cyberattacks, coupled with the availability of HIPAA-enabled cloud service platforms, may change the calculus for some covered entities in how they assess the factors that go into determining what are reasonable and appropriate measures to implement.

Another point well worth noting: In April 2017, the U.S. Department of Health and Human Services (HHS) announced that it is establishing a cybersecurity “nerve” center that is modeled after the Department of Homeland Security’s National Cybersecurity and Communications Integration Center. The nerve center’s primary purpose will be to assess cyberthreats, such as the WannaCry ransomware attack, and quickly disseminate best practices for countering these measures. The new center is a positive step toward ensuring a greater coordinated response to cyberattacks. As the center becomes firmly established, more changes can be anticipated that will influence the determination of reasonable and appropriate security measures.

[1] https://www.hhs.gov/hipaa/for-professionals/faq/570/does-hipaa-permit-health-care-providers-to-use-email-to-discuss-health-issues-with-patients/index.html.

[2] ACA, P.L. No. 111-148, § 6505; although Medicaid agencies cannot pay for healthcare benefits or services to any entity located offshore or provided by offshore providers, payments for administrative functions are permitted. CMS, State Medicaid Directors Letter #10-026, December 2010.

[3] Department of Health and Human Services, Office of Inspector General, OEI-09-12-00530, Offshore Outsourcing of Administrative Functions by State Medicaid Agencies (2014) (OIG Report), available at http://oig.hhs.gov/oei/reports/oei-09-12-00530.pdf.

[4] See Nov. 9, 2015, 2016 Readiness Checklist for Medicare Advantage Organizations, Prescription Drug Plans, and Cost Plans, p. 8.

[5] See HPMS Memo Sept. 20, 2007.