Last week, we introduced a new series to this blog that will cover frequently asked questions regarding the Health Insurance Portability and Accountability Act (HIPAA). This week, the series continues by delving into a hot topic that arises frequently: whether it is permissible for Covered Entities and Business Associates to communicate via e-mail with the subjects of PHI. Many entities ask this question in the context of sending appointment notifications, facilitating follow-up care, and/or discussing treatment itself. Does HIPAA permit these types of communications to occur electronically?
Provided that the Covered Entity or Business Associate has 1) ensured that the substance, recipient(s), and purpose of the disclosure are permitted by law; 2) instituted proper security mechanisms; 3) confirmed its contractual obligations and any patient requests; and 4) taken steps to mitigate risk, disclosures generally may be made via e-mail. First, no disclosure may be made via e-mail that is not otherwise a permissible disclosure under HIPAA. HIPAA dictates the purposes for which PHI may be disclosed, as well as the acceptable recipients and content, and these requirements apply regardless of the medium of disclosure.
Second, both Covered Entities and Business Associates must fully comply with the HIPAA Security Rule, which requires them to institute specific physical, technical, and administrative safeguards to secure their electronic systems. That includes protecting electronic PHI both at rest and in transit, either via encryption or via alternative measures that are both appropriate and effective. The HIPAA Security Rule, along with each entity’s own security policies, must be followed whenever e-mails containing PHI are sent to patients or enrollees.
Third, Business Associates have contractual HIPAA obligations under their Business Associate Agreements (BAAs) in addition to the legal obligations imposed by HIPAA directly. BAAs sometimes impose more stringent obligations on Business Associates than HIPAA itself requires; for example, some BAAs require Business Associates to encrypt all PHI in transit. Therefore, before sending PHI via e-mail, Business Associates should confirm that their BAAs do not contractually prohibit such communications. Additionally, entities should understand that individuals have the right under HIPAA to request confidential communications of their own PHI. If an individual specifically requests not to receive e-mail communications from his or her provider or plan, that request should generally be honored. Further, where appropriate, the provider or plan should ensure that its Business Associates are aware of and abide by such a request.
Fourth, even where a disclosure is permitted by HIPAA and by contract and the e-mailing entity is fully compliant with the HIPAA Security Rule, entities are encouraged to mitigate the risks specific to the electronic medium. For example, Covered Entities and Business Associates should confirm that they have the correct e-mail address before sending PHI to it, such as by sending a test e-mail first. Additionally, entities should limit the amount and type of PHI included in each e-mail so that any interception exposes as little as possible. Such risk mitigation efforts are vital because communicating PHI electronically carries a risk of interception, and an intercepted e-mail containing PHI would likely constitute a security breach.