Tips on Sending ePHI Over Unencrypted Email to Patients while maintaining HIPAA Compliance

December 2017

Communicating via texting and email is important to providers and covered entities because texting and email are important to patients. The expectation of mobile access has become the norm in most aspects of consumer life, and healthcare is no exception. Balancing security and convenience to meet the often urgent needs of patients is a challenge for covered entities under the HIPAA Privacy and Security Rules.

There is strong evidence that the use of text and email in healthcare delivery has a positive impact on patient outcomes. A systematic review published in 2015 by the Annual Review of Public Health found that almost all text message interventions were effective in improving health outcomes and behaviors among studied participants. Text messages were found to be particularly impactful when addressing chronic conditions, such as smoking cessation, diabetes self-care and weight loss.

It may be daunting or not feasible to encrypt all sensitive data (PII and ePHI) that is transmitted over email or text messages to and from clients and third parties. The extent to which all email communication must be encrypted is a grey area under the HIPAA Privacy Rule.

Encrypting most email, especially between professional organizations, is usually routine using email gateway encryption solutions and secure portals. However, if a patient is in an emergency healthcare scenario and needs insurance information fast, they won’t have time to log in to a secure email portal or patient portal on their phone or jump through other hoops. In these urgent scenarios, the need for convenience often outweighs the need to secure the information from the patient’s point of view.

When looking closer at the requirements, the Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so (see 45 C.F.R. § 164.530(c)). The Privacy Rule does not prohibit the use of unencrypted email, but it suggests that the minimum amount of sensitive information should be sent over unencrypted channels. It is also important to ensure all email is secured according to the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C).

This implies that email messages can be sent insecurely to patients. The best idea for privacy teams, risk managers and compliance officers to focus on is mutual consent. Ideally, the patient approves the insecure email in writing before it is sent, and the covered entity advises the individual of the risk. Keeping the approvals on file for a defined retention period is also important. Documenting as much as possible in these grey areas is key to allowing for auditing, regular management review and forensics.

Warning every patient would be the best approach to reduce the risk and is necessary according to the HIPAA Omnibus Final Rule (p70):

“We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. We disagree that the “duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome on covered entities and believe this is a necessary step in protecting the protected health information […] If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.”

This idea can be used in covered entities to manage exceptions as part of routine business operations and communications. Only trained staff should be providing the warnings. All other Security Rule citations apply as much as possible including retaining all related sent and received consent and unencrypted emails.

It falls on the covered entity to determine whether the risks involved, even under mutual consent, warrant the method of communication used. In a HIPAA audit, the company has to show that everyone’s best interests are in mind and that it is adequately addressing the risks with the technology at hand.

The gap, confusion and concern regarding this topic has created a market for patient communication solutions that are both secure and convenient. For example, the company Spruce Health created a Digital Care Platform which allows healthcare practices to easily adapt to modern consumer demands. See their white paper “Using SMS and Email under HIPAA” for more example scenarios for text and emails. There are other secure texting and portal solutions on the marketplace, as well.

Be careful: mutual consent is a legal grey area. This blog post is not intended to and does not constitute the provision of legal advice with respect to the matters discussed herein.

How to manage the security and privacy of your healthcare organization comes down to the risk assessment of each organization. Contact BDO Digital today to ask for further guidance on this or other HIPAA compliance topics.