HIPAA (the Health Insurance Portability and Accountability Act) enforces strict standards on the handling of patient medical records and communications. Not disclosing personal health information (PHI) to those without access to it is one of the most well known regulations associated with HIPAA, but running a HIPAA compliant practice involves more than just this. In today’s technology driven era, online communications are a part of nearly every business — not excluding those in the medical industry. It’s essential that medical professionals do their due diligence to maintain HIPAA compliance where technology is concerned. Make sure you keep your medical office compliant by following these HIPAA compliant email best practices:
Is Email HIPAA compliant?
The HIPAA Privacy Policy Rules does permit health care providers to discuss health information and treatment with their patients via email. However, the must apply reasonable safeguards when doing so. These safeguards (aka best practices) include:
1. Warn patients of the risks associated with sending PHI via email. While it may be unlikely, there’s always a possibility that any correspondence conveyed via unencrypted email can wind up in the wrong hands. Reminding your patients of the risks associated with communicating this way will act as a reasonable safeguard in keeping your practice HIPAA compliant. It may also be wise to post a statement on your website that explains that transmitting PHI through email is not secure and that they should not include personal information (such as date of birth or social security number) in the emails they send.
2. Be accommodating. The HIPAA Privacy Policy Rule states that patients have the right to request and be contacted by alternate means, so long as those means are reasonable. This means that if you notify your patients of appointments via postcard, they have the right to request notifications be sent via email. If they request to be contacted via email and are aware of the risks of sending confidential information in this way, your practice must be accommodating to their needs.
3. If a patient contacts you via email requesting information, the HIPAA Privacy Policy rule says that it’s safe to assume they’re willing to communicate with you through this channel. Your staff should be informed that it’s perfectly fine to respond to emails that come in from patients, based on these parameters. If you have any doubt that the patient will want their information shared via email, make sure they know the risks associated with sending PHI via email before doing so (refer to step 1).
4. Get it in writing. To keep all of your bases covered, have your patients fill out a form indicating how they’d like to be contacted, reminded of appointments, and how they’d like to receive their health information. Have your patients then sign these forms. This form also represents another good opportunity to warn patients that not all email communication is secure and that risks, while rare, do exist. Keep records of this approval so that you can prove your actions were appropriate, should issues arise down the road.
5. Get a HIPAA compliant email application. If your patients do not agree to have their PHI sent via unsecure email, and you still want to utilize email for your practice there are a few options to consider. You can begin by encrypting any files you attach to emails sent to your patients. Better yet, you can invest in a HIPAA compliant email application that will encrypt and protect the data you send, such as MD Office Mail.
6. Archive the communication. A big part of following HIPAA guidelines is keeping patient records backed up. Patient information must be retained for a minimum of 7 years and this timeline can also vary state by state. If you’re transmitting protected information to your patients or staff via email, you should keep a record of it. Doing so can protect your practice against HIPAA infractions should issues arise. You can archive this information on a local hard drive, but it’s important to also archive in the cloud. Physical storage can only protect you to a point. With it come the risks of physical damage, theft and human error. A cloud backup solution provides a thorough, protected and HIPAA compliant way to backup all of your patient medical information safely and securely.
Email communication is a part of modern society today, so it’s important to make sure your practice is keeping up with the times in a way that follows HIPAA guidelines. Follow these email best practices and your medical office will be prepared for any email communication scenario.
Archive your emails today and you’ll be one step closer to HIPAA compliance. Find a cloud backup solution that’s the perfect fit for your medical practice now.
