
Is it a HIPAA Violation to Email Patient Names?


Whether or not it is a HIPAA violation to email patient names can depend on who sends the email, who it is sent to, what technologies have been implemented to secure the content of the email and – when communicating with a patient or group plan member – whether they have given their consent to receive PHI by email.

Is it a HIPAA Violation to Email Patient Names?

When contained in the same communication as individually identifiable health information, patient names (first and last name or last name and initial) are identifiers that have the same protection as protected health information (PHI) in the HIPAA Privacy Rule.

HIPAA does not prohibit the electronic transmission of PHI. Electronic communications, including email, are permitted, although HIPAA-covered entities must apply reasonable safeguards when transmitting ePHI to ensure the confidentiality and integrity of data.

It is not a HIPAA violation to email patient names per se, although patient names and other PHI should not be included in the subject lines of emails as the information could easily be viewed by unauthorized individuals. Even when messages are protected with encryption in transit, message headers – which include the subject line and to and from fields – are often not encrypted and could potentially be intercepted and viewed.

Patient names and other PHI should only be sent to individuals authorized to receive that information, so care must be taken to ensure the email is addressed correctly. Sending an email containing PHI to an incorrect recipient would be an unauthorized disclosure and a violation of HIPAA.

Must all Emails Containing PHI be Encrypted?

HIPAA does not require the use of encryption. Encryption is only an addressable implementation specification. However, if, following a risk assessment, the decision is taken not to use encryption, an alternative and equivalent security measure must be used in its place and the reasoning behind it documented.

In the case of internal emails, it would not be necessary for messages containing ePHI to be encrypted provided the messages are only sent via an internal email system and do not leave the protection of a firewall. Access controls would also need to be in place to prevent messages being opened by individuals not authorized to receive the information. In all circumstances, the PHI contained within the email must be limited to the minimum necessary.

If emails containing PHI are sent outside the protection of an internal network there is considerable potential for PHI to be viewed by unauthorized individuals. This is not a problem when emailing patients, provided consent to use email to send PHI has been obtained from the patient in advance. The patient must have been made aware of the risks of sending PHI via unencrypted email and must have given their consent to use such a potentially insecure method of communication. Both the warning and the consent should be documented.

Emailing ePHI to all other individuals using unencrypted email is a risky strategy. While HIPAA encryption requirements are somewhat vague, in the event of a HIPAA audit or data breach investigation, it would be hard to argue that ePHI sent via unencrypted email was reasonably protected, especially when there are many secure methods of data sharing available – Dropbox, Google Drive, Box, etc.

Emailing Patient Names FAQs

If a patient consents to receiving unencrypted emails, and then changes their mind, can they withdraw their consent?

If a patient consents to receiving unencrypted emails and then changes their mind, they can withdraw their consent. Under 45 CFR § 164.508 (“Uses and Disclosures for which an Authorization is Required”) a patient can withdraw their consent for any authorized disclosure at any time. The text of the Privacy Rule states the patient must withdraw their consent in writing, and the patient should be made aware of this requirement (e.g., via a Notice of Privacy Practices). A copy of the original authorization form and the notice of withdrawal must be kept for six years from the date consent is withdrawn.

What access controls need to be in place to prevent emails being opened by unauthorized individuals?

The access controls that need to be in place to prevent emails being opened by unauthorized individuals may vary from organization to organization depending on what other mechanisms are in place to protect ePHI. Generally, devices used to access emails must have PIN-locking capabilities (or an equivalent, e.g., biometric login) and automatic logoff. Thereafter, authorized individuals should be issued with a unique username and password to access the email account, or an alternate access control such as Single Sign-On.

How do you send encrypted emails to a patient?

To send encrypted email to a patient, you need to configure your email service. Most email services can be configured to send encrypted emails (including Outlook, Google, Yahoo, etc.). However, if the recipient of the email does not have the technical ability to decrypt the email or has an email filter configured to reject encrypted emails (because the filter cannot read the content of the email), sending an encrypted email to a patient will be a waste of time because it will either sit unopened in their inbox indefinitely or be returned by the email filter.

Is it safer to send ePHI as an attached password protected document?

It is safer to send ePHI as an attached password-protected document; however, it is not 100% secure. If the email is intercepted or the mail server is compromised, simple passwords can be cracked within seconds by brute-force attacks. Furthermore, you will also have to send the password to the recipient of the email using an alternate communication channel for security.

How do you use a service such as Google Drive to email patient names securely?

To use a service such as Google Drive to email patient names securely, there are several steps you need to take. These include signing a Business Associate Agreement with Google and configuring the service to disable third party apps, add-ons, and offline storage. (You will find all the necessary steps in this article). Although it is not necessary for the recipient to have a Google account to open a document in Google Drive, the service is more secure if they have one.

Can HIPAA information be emailed?

The issue of whether HIPAA information can be emailed is complicated. It can depend on what mechanisms are in place to protect the content of the email, who is sending the email, who it is being sent to, the content of the email, and whether the subject of the HIPAA information has provided their written authorization for unsecured PHI to be communicated by email.

What is the most common HIPAA violation email example?

The most common HIPAA violation email example recorded by HHS’ Breach Report is the failure to blind copy recipients when sending bulk healthcare-related email. In such cases, it does not matter what the content of the email is. The fact that each recipient can identify who else has received an email from the healthcare provider – which implies a past, present, or future treatment relationship between healthcare provider and each individual – is an impermissible disclosure of PHI.
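The failure modes the article describes are all visible in the message headers before it is sent: a patient name in the Subject line (headers are often left unencrypted even when the body is protected in transit), a recipient who is neither internal nor on a documented consent list, and a bulk mailing that lists every patient in To or Cc instead of Bcc. The pre-send check below is an added example written for this page, not code from the HIPAA Journal article; the patient roster, consent list, authorized domain and the two sample messages are constructed placeholders standing in for a covered entity's own records.

```python
"""Pre-send checks for an outbound email that may carry PHI.

Added example, not code from the HIPAA Journal article. It applies three
points the article makes to a constructed outbound message:
  1. a patient name must not appear in the Subject header, because headers
     are often left unencrypted even when the body is protected in transit;
  2. a message to several external recipients must carry them in Bcc,
     never in To or Cc;
  3. every recipient must be in an authorized (internal or BAA-covered)
     domain or have documented consent on file.
The roster, consent list and domain list are constructed sample data.
"""
import re
from email import policy
from email.parser import Parser

# Constructed sample data (hypothetical); a real deployment would read these
# from the organization's own records.
PATIENT_ROSTER = [("Jane", "Doe"), ("Ravi", "Patel")]
CONSENTED_PATIENTS = {"jane.doe@example.net"}   # documented email consent
AUTHORIZED_DOMAINS = {"clinic.example"}          # internal or BAA-covered


def _name_patterns(roster):
    """Case-insensitive patterns for the identifier forms the article names:
    first + last name, and last name + initial (in either order)."""
    patterns = []
    for first, last in roster:
        fn, ln, init = re.escape(first), re.escape(last), re.escape(first[0])
        for form in (rf"\b{fn}\s+{ln}\b", rf"\b{ln},\s*{fn}\b",
                     rf"\b{init}\.?\s+{ln}\b", rf"\b{ln}\s+{init}\b"):
            patterns.append(re.compile(form, re.IGNORECASE))
    return patterns


_NAME_PATTERNS = _name_patterns(PATIENT_ROSTER)


def _addr_specs(msg, field):
    """Lower-cased addr-specs from every instance of one recipient header."""
    out = []
    for header in msg.get_all(field, []):
        out.extend(a.addr_spec.lower() for a in header.addresses)
    return out


def check_message(raw):
    """Return a list of finding codes; an empty list means the message passed."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings = []

    # 1. The Subject travels as plaintext, so it must carry no patient identifier.
    subject = msg.get("Subject", "")
    if any(p.search(subject) for p in _NAME_PATTERNS):
        findings.append("subject-contains-patient-name")

    # 2. More than one external recipient visible in To/Cc means the
    #    recipients can see each other: the bulk-mail Bcc failure.
    visible = _addr_specs(msg, "To") + _addr_specs(msg, "Cc")
    hidden = _addr_specs(msg, "Bcc")
    external_visible = [a for a in visible
                        if a.rsplit("@", 1)[-1] not in AUTHORIZED_DOMAINS]
    if len(external_visible) > 1:
        findings.append("bulk-external-recipients-not-bcc")

    # 3. Each recipient must be internal/BAA-covered or have consent on file.
    for addr in visible + hidden:
        domain = addr.rsplit("@", 1)[-1]
        if domain not in AUTHORIZED_DOMAINS and addr not in CONSENTED_PATIENTS:
            findings.append(f"unauthorized-recipient:{addr}")
    return findings


# Constructed sample: a bulk reminder that names a patient in the Subject and
# lists every recipient in To, the two failure modes the article describes.
BAD_MESSAGE = """\
From: reminders@clinic.example
To: jane.doe@example.net, ravi.patel@example.org
Subject: Appointment reminder for Jane Doe
Content-Type: text/plain

Your appointment is on Tuesday.
"""

# Constructed sample: neutral Subject, patient in Bcc, consent on file.
GOOD_MESSAGE = """\
From: reminders@clinic.example
To: reminders@clinic.example
Bcc: jane.doe@example.net
Subject: A message from your clinic
Content-Type: text/plain

Please sign in to the patient portal to read a new message.
"""

if __name__ == "__main__":
    for label, raw in (("bad", BAD_MESSAGE), ("good", GOOD_MESSAGE)):
        print(label, check_message(raw) or ["ok"])
```

The finding codes are what a send hook or outbound mail gateway would act on: block or quarantine any message that returns a finding and log it for review. The name matcher needs the same care as any other data-loss-prevention rule, since common names and partial matches will produce false positives that the review step has to absorb, and the roster and consent list must come from the covered entity's own records rather than the placeholders used here.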

What are the HIPAA email rules?

There are no specific HIPAA email rules in the HIPAA Administrative Simplification provisions other than that it is permissible to send an electronic copy of a Notice of Privacy Practices to individuals if it is not practical to give individuals a paper copy (e.g., when an individual joins a group health plan). The HIPAA Rules that govern emails are the same as apply to any communication of PHI in the Privacy and Security Rules – and, by association, in the Breach Notification Rule.

Is a first name PHI in the context of HIPAA name rules?

A first name can be PHI in the context of HIPAA name rules if it is maintained or transmitted with individually identifiable health information. As to whether it is a HIPAA violation to email patient names: it is a violation if there are no safeguards in place to limit the risk of a data breach to a reasonable and appropriate level, or if the patient has not given their consent to receive emails from the sender after having been warned of the risks.

Why is it necessary to enter into a Business Associate Agreement before sending patient information via email?

It is necessary to enter into a Business Associate Agreement before sending patient information by email because, even if emails are encrypted, email service providers have what is known as “persistent access” to ePHI. Most email service providers are happy to enter into a Business Associate Agreement provided the Covered Entity or Business Associate subscribes to a business plan (e.g., Google Workspace rather than Gmail).

What training should be provided about HIPAA compliance email rules?

The training that should be provided about HIPAA compliance email rules will depend on each entity’s privacy and security policies. However, the basics include explaining what PHI is, permissible uses and disclosures, why it is important not to share unique identifiers (e.g., passwords), and limiting the content of emails to the minimum necessary to achieve the purpose of the email.

Additionally, all members of the workforce are required to participate in HIPAA security awareness training. This training should cover topics such as double-checking who an email is sent to, ensuring individuals have given their consent to receive emails containing ePHI, and raising awareness about phishing and what to do if members of the workforce disclose login credentials.

Is it a HIPAA violation to email medical records?

It is not a HIPAA violation to email medical records provided the communication is permitted by the Privacy Rule, that safeguards are in place to comply with the Security Rule, and – if emailing medical records to a patient – that the patient has consented to receiving ePHI by email. Additionally, the ePHI in the email must be limited to the minimum necessary to achieve the purpose of the email and care must be taken to ensure it is sent to the correct recipient(s).

Is a patient’s name protected under HIPAA?

A patient’s name is protected under HIPAA whenever it is maintained or transmitted with individually identifiable health information in the same designated record set. If it is maintained in a database that does not contain individually identifiable health information (note the emphasis on “health”), the patient’s name is not protected.

Is disclosing a patient’s name a HIPAA violation?

Disclosing a patient’s name can be a HIPAA violation if the name is disclosed for an impermissible purpose by a member of a Covered Entity’s workforce and the disclosure includes individually identifiable health information or implies a past, present, or future treatment relationship. However, if the disclosure is permitted, if it is made by somebody other than a member of a Covered Entity’s workforce, or if the disclosure does not reveal ePHI (actual or implied) it is not a violation of HIPAA.

Does HIPAA allow email?

HIPAA allows email provided that – if PHI is disclosed in the email – safeguards are deployed to ensure the confidentiality, integrity, and availability of the PHI, the email is a permissible disclosure of PHI, and – if the recipient of the email is a plan member or patient – consent has been obtained to send PHI by email. If PHI is not disclosed in the email, HIPAA does not apply.

The post Is it a HIPAA Violation to Email Patient Names? appeared first on HIPAA Journal.
