HIPAA Compliant Email: A Comprehensive Guide

Is your email HIPAA compliant? Or does it need to be HIPAA compliant for your private practice? You may think the answer is obvious, and of course, as a healthcare professional you need to be aware of HIPAA email compliance.


Being a therapist or healthcare professional, it’s important for you to be HIPAA compliant because you’ve been trained in HIPAA and in keeping sensitive information safe. You also know that if you fail to do so and there’s a breach of information, you could be held responsible, and there could be stiff penalties to pay. So, it’s important to be concerned about HIPAA compliance. A major issue you might be facing is HIPAA-compliant email, and that’s what you’ll learn about in this article.

You’ll learn what HIPAA is, its rules and regulations, and how you can make your email HIPAA compliant. So, let’s get started!

What do you need to know about HIPAA?

Whether you work as a therapist or in any other healthcare setting, you not only need to familiarize yourself with the word HIPAA but also need to practice it all the time. That’s because if you fail to practice it, there could be a lawsuit waiting to happen.

What is HIPAA?

HIPAA is the abbreviation for the Health Insurance Portability and Accountability Act. It was passed by Congress in 1996, and it’s a federal law. This privacy law sets national standards to protect sensitive patient health information from being disclosed without the patient’s consent.

First of all, you need to understand two important terms in HIPAA.

  • HIPAA protects the patient’s private health information, and that information is called Protected Health Information (PHI).
  • The healthcare organizations and individuals that are required to protect PHI are called Covered Entities. These include healthcare providers such as therapists, pharmacists, and other healthcare providers.

So, basically, a covered entity must abide by the HIPAA Privacy Rule in the use and disclosure of the patient’s protected health information. The Privacy Rule also contains standards for patients’ rights to understand and control how their health information is used. A major goal of this rule is to make sure that an individual’s health information is properly protected while allowing the flow of information whenever it’s needed.

Why is HIPAA Compliance important?

As a healthcare professional, you need to understand the right flow of information; otherwise you could be in trouble.

For example, let’s say a patient has a primary care doctor and recently went to a dentist. If the dentist calls that primary care doctor to ask what medication the patient is on, then sharing that information with the dental office is within HIPAA. In this way the dentist can provide good care to the patient, taking their previous treatment with the doctor into account.

So, basically, you can share PHI only with those entities who are directly involved in the patient’s care. But things start to get tricky and confusing when one of the patient’s family members, their spouse, or a friend calls, introduces themselves as a family member, and wants to know the patient’s PHI. So, what do you do as a healthcare provider in this case? Will you share the patient’s information? Absolutely not, and the reason is that the caller identifies themselves as a family member or friend, but you can’t really verify that. If it’s somebody else, then you are in trouble, and we don’t want that to happen.

What you can do in this case is send a printed copy of the PHI to the patient’s address and verify that address with the person who called for the patient’s PHI.

There are situations where the law permits, but does not require, you as a covered entity to use and disclose PHI without an individual’s authorization:

  • You can disclose PHI to the patient, for example if they need information for record keeping, maybe for tax filing purposes or other reasons. In this case you can disclose the PHI to the patient if requested, but you must disclose it only to the patient, not to a friend or any family member.
  • You can also disclose information to anyone involved in the treatment, payment, and healthcare operations.
  • You can also provide limited data sets for research purposes, public health, or any other healthcare operation.
  • The rules permit the use and disclosure of PHI without the patient’s authorization when it’s required by law. For example, if the individual commits a felony and a sheriff comes to you with an official document that grants them permission to look at the PHI, then with that document you can share the PHI with them without the patient’s consent.


So you can share PHI when required by law or when it’s in the public interest, such as for essential government functions; you can also share it for workers’ compensation purposes, but only under certain conditions. Now, the question is: what information is protected? So let’s get straight into it.

What information is protected?

It’s important to know what information is protected, or what PHI is. Any individually identifiable health information is considered protected information. This could be the patient’s health conditions, allergies, or medication list. It also includes demographic data related to the patient’s past, present, or future physical or mental condition; any healthcare provided to the individual in the past or present; any payment the patient has made for treatment they’ve been provided; and any information that can be used to identify the individual, for example the patient’s name, date of birth, and social security number.


Prior to HIPAA, there were fewer controls to safeguard PHI, which was often stolen and used to commit identity theft and insurance fraud. That affected patients financially through personal loss, increased insurance premiums, and higher taxes. In the 1980s and early 1990s, healthcare spending per capita increased by more than 10% per year, which is quite a lot. Now, partly due to controls implemented to comply with HIPAA, the increase in healthcare spending per capita is less than 5% per year, literally half of what it was back in 1990.

So, indirectly, we can say that HIPAA has had a great impact on financial stability for patients.

What if HIPAA is breached?

Healthcare professionals sometimes get very busy with their work, and there comes a time when a patient’s protected information is accidentally disclosed. For example, let’s say a therapist accidentally hands a patient the wrong patient’s prescriptions. In such a scenario, according to the Breach Notification Rule, health providers are legally required to notify patients and let them know that their PHI was released or potentially accessed without their authorization. Healthcare providers need to provide details of what PHI is involved and what measures the patients should take to prevent any harm. For instance, if credit card information was released, then canceling the credit card might be a solution for the patient. By providing such information and measures, patients can protect themselves from becoming victims of theft and fraud.

Unless the patient has suffered physical or financial harm due to the unauthorized disclosure of PHI, the patient will not be able to bring a civil action against the negligent party. However, covered entities and business associates who violate HIPAA can have criminal penalties imposed on them by the Department of Justice, which could result in up to 10 years of imprisonment.

Healthcare providers are now required by law to give patients a notice of their privacy practices. It is necessary to explain HIPAA to patients because you’re asking them to sign a copy, so you have to explain what HIPAA is and what you’re asking them to sign. You can either give them an electronic copy of the notice to sign, or you can make a printed record of it!

We’ve learned the basics of HIPAA and its Privacy Rule; now it’s time to learn about HIPAA compliant email.

HIPAA Compliance for Email

No doubt, email is an easy way to communicate, but it’s not necessarily the safest way to transfer information. Therefore it’s essential for healthcare providers to have HIPAA compliant email. Having HIPAA compliant email benefits healthcare providers in numerous ways: it lets them communicate PHI by email with patients, colleagues, and third parties without violating HIPAA rules.


Now, let’s have a look at the requirements for HIPAA compliant email; they will help you understand how to make your email HIPAA compliant.

How to make your email HIPAA-compliant?

After understanding HIPAA, it’s important to cover how to make your email HIPAA-compliant, because email has become a common way for healthcare providers and patients to communicate. There are several requirements you need to fulfil in order to transmit information safely. These requirements include:

●     Business Associate Agreement

A business associate agreement is an agreement between a covered entity and a business that provides services to it; in this case, that includes businesses that provide email services. If a business associate provides services that involve a patient’s personal information, it is important for them to have a business associate agreement. This agreement is a legal document, and it ensures that the parties agree to follow all the rules and regulations of HIPAA.

●     End-to-end Encryption

To make your email HIPAA compliant, it is important to have end-to-end encryption. It means only authorized persons have access to the information. Email encryption works by encoding the message so that it is unreadable while in transit, and decoding it again only when it reaches the authorized recipient.

Many HIPAA covered entities that do not have their own IT experts to ensure their email is HIPAA compliant use third-party HIPAA compliant email service providers.
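To make the end-to-end idea concrete, here is an added example of what “only the authorized person can read it” means at the code level. It is not code from this article or from any email provider: it is a small Go program, using only Go’s standard library, that seals a message body for one recipient the way S/MIME or PGP-style mail does. A fresh AES-256-GCM key encrypts the body, and RSA-OAEP wraps that key with the recipient’s public key. The `Envelope`, `Encrypt` and `Decrypt` names, the keypair and the sample message are all constructed for this illustration; a real deployment would obtain the recipient’s key from a certificate or key directory rather than generating it in place.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels through the mail provider. The provider can store
// and forward it, but without the recipient's private key it cannot read the
// body, and any tampering in transit is detected on open.
type Envelope struct {
	WrappedKey []byte // AES key encrypted with the recipient's RSA public key
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // encrypted body with the GCM authentication tag appended
}

// Encrypt seals body for one recipient (hypothetical helper for this example):
// a random AES-256 key encrypts the body with AES-GCM, and RSA-OAEP wraps that
// key so only the holder of the matching private key can unwrap it.
func Encrypt(recipient *rsa.PublicKey, body []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, body, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Decrypt opens an envelope with the recipient's private key. A different key
// cannot unwrap the message key, and any change to the ciphertext or nonce
// makes the GCM tag check fail instead of returning garbled plaintext.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap message key: not the intended recipient")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("message was altered in transit or key mismatch")
	}
	return body, nil
}

func main() {
	// Constructed sample: the patient's keypair and a short message containing PHI.
	patient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	body := []byte("Hi Jane, your lab results from your 2024-05-07 visit are attached.")

	env, err := Encrypt(&patient.PublicKey, body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("mail provider sees %d opaque bytes, not the message\n", len(env.Ciphertext))

	opened, err := Decrypt(patient, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("patient reads: %s\n", opened)

	// A provider that flips one bit in storage cannot silently corrupt the record.
	env.Ciphertext[0] ^= 0x01
	if _, err := Decrypt(patient, env); err != nil {
		fmt.Println("tampered copy rejected:", err)
	}
}
```

The point for a practice choosing a mail service is the division of knowledge: the relaying server holds `Envelope` but never the AES key or the private key, which is exactly what a business associate agreement cannot substitute for. The hard part in practice is key distribution to patients, which is why most practices rely on a provider or a secure portal rather than raw public-key mail.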

●     Ensure all emails are backed up.

According to HIPAA, security-related emails must be retained for a period of 6 years. Therefore, covered entities are required to ensure that all emails are backed up and stored. You can also use an encrypted email archiving service, since it’s a quick and easy method that also frees up storage space.

●     Consent from the patient before sharing PHI via Email

Before sharing patients’ PHI with them by email, healthcare providers are required to obtain the patient’s consent to use email as a communication method. Patients must be informed that information shared via email is at risk. If they accept and their consent is documented, you’re allowed to share PHI without violating HIPAA rules.

In conclusion, it’s very important for healthcare providers to follow HIPAA rules when emailing to keep patients’ information safe. Knowing these rules helps avoid legal trouble and keeps patient privacy intact. This guide stresses the importance of protecting patient information (PHI) and explains what happens if HIPAA rules are broken. It also gives tips like signing agreements with other businesses, using encryption, backing up emails, and getting patient permission. Following these steps keeps communication safe and meets HIPAA standards, keeping patient information private and earning their trust.

Advertising disclosure: We may receive compensation for some of the links in our stories. Thank you for supporting LA Weekly and our advertisers.