Editor’s Note: Erik Kangas is the President and CEO of LuxSci, a SaaS company specializing in security, privacy, HIPAA compliance, and all things email. He also consults on email best practices, secure web site architectures, and HIPAA compliance for organizations around the globe.
The way personal health information has been gathered, stored, and protected over the years has seen a great number of changes. Up until 1996, when Congress first passed the Health Insurance Portability and Accountability Act (HIPAA), state and federal laws were responsible for protecting data about the health of U.S. citizens. Though this process worked to a certain extent, it meant that officials could access patient information without their consent, and without reasons applicable to their health insurance or medical care. The driving force behind the introduction of HIPAA was a country-wide desire to make health insurance accessible to the masses, while regulating the federal protection of personal health information.
All healthcare practices today are required to consider HIPAA when securing or discussing “Protected Health Information” by establishing safeguard solutions to protect patient privacy, and restricting access to information — unless the patient in question provides permission for their data to be shared.
How and Why Should You Get Consent?
HIPAA regulation helps give consumers more control over how healthcare providers, health insurance companies, and other entities can disclose and use their information. This is particularly pertinent to professionals involved with healthcare research who need access to this kind of personal information. HIPAA creates boundaries for those researchers, and others seeking healthcare-related information, to ensure that a patient’s identity and private information remain hidden.
Consent forms offer a solution for businesses to ensure they are abiding by the rules of HIPAA. By issuing a consent form to your patients, you give them the authority to evaluate the ways you might use or communicate about their protected information, and decide whether or not to authorize these methods. Once this form is complete and it comes time to share your patient’s information with them or others, there is no “gray area” in terms of what you can and cannot do.
Do You Need Consent for Email Correspondence?
Consent forms can be particularly useful to companies that use email to communicate with patients and other professionals. The technological age we live in today has brought with it a shift in the way that we share and use documents. Although the HIPAA Privacy Rule gives covered healthcare providers permission to communicate electronically with patients, it does require them to use “reasonable safeguards” in the process. After all, email addresses can be accidentally mistyped, meaning that the wrong person could receive private information, or unauthorized personnel could gain access to drafts or archives.
The best way for entities to ensure that they follow the rules of HIPAA in restricting access to data – guarding the integrity of information and maintaining transmission security – is to obtain and maintain consent for email correspondence with their patients. By obtaining written consent, you have ensured that your patients are aware of the potential vulnerabilities of sending sensitive information via email, and you have provided them with suggestions for keeping their information more secure. The consent form you use should outline the devices, email addresses, and forms used in sending PHI, as well as any information both patients and employees should avoid sending through email. The end of the email may also include a privacy statement reminding your patients who is allowed to be contacted in this way, and how they can contact your company if they are uncomfortable about their security.
How Can You Maintain HIPAA Consent While Using Email?
First and foremost, in order to maintain HIPAA-compliant email, it’s important for practices to engage only with providers who have signed, or are willing to sign, a business associate agreement. According to HIPAA guidelines, business associate agreements are necessary for protecting your practice, so as a rule of thumb, you should avoid any provider who refuses to sign one.
Keeping information secure is a complicated task. It requires practices to pay careful attention to how their patients’ information is stored and shared. To alleviate some of the anxiety that often accompanies this tedious task, it’s wise to use a secure and encrypted email service. An encrypted email scrambles the contents of your message until it reaches your patient. Upon receipt, your patient can use a unique code to access the content — ensuring the privacy of their information even if it accidentally falls into the wrong hands. Help your patients feel confident about the privacy of their personal health information by ensuring your practices are following the rules of HIPAA.
How are you defending your practice against the legal backlash that comes with accusations of security violations? Do your email practices and storage solutions fully consider the rules of HIPAA?