
I want to point out, from the start, that I know all about the Direct Project and I am a huge fan of work to provide easy-to-use, standards-based secure email for doctor-patient communication. I am not asking a "should" question here. I know patient-doctor communications should be encrypted. I know that the meaningful use requirements now in draft reward Direct Project-based communications.

What I want to know is, definitively, can healthcare providers have patients sign waivers that allow the doctors to legally email in plain text with them? People seem to read the different HIPAA-HITECH act regulations very differently. Vendors of secure products always say that secure email is legally required. Yet I know several healthcare providers who communicate PHI using plain-text email with their patients, by having their patients sign something that says that the patient understands the issues with plain-text email and still considers it "protected" under HIPAA.

So there are at least some people who argue that it is illegal (vendors) and some who argue that it is legal and actively send plain-text emails.

I am not asking this because I do not have an opinion on this myself. I am asking for someone to make an assertion regarding this issue, and back it up with quotes and corresponding links to the various sections of the laws and federal rules in question. Obviously all of the relevant national level rules and laws should be referenced in an accepted answer.

Because this can be a bit of work, I am putting a bounty on this one.

  • http://healthcareit.stackexchange.com/questions/849/can-a-patients-name-birth-date-and-study-date-be-sent-in-a-plain-text-email-t is related. –  Apr 05 '12 at 13:05
  • A great question. Look forward to any answers. However, I have to state my prediction that you could put a 'real' bounty out to lawyers who could give you a winning case either direction. I doubt there is enough concrete print legislation to definitively state an answer. Honestly, though, GREAT question (as I believe vendors over-hype their over-engineered solution offerings) –  Apr 09 '12 at 22:20

2 Answers


The Office of Civil Rights is responsible for enforcing HIPAA regulations.

They released a document that addresses your question directly. Here is the link to that document - Safeguards.pdf. Read the answer to Question 3.

Note, in particular, this paragraph:

Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.

Additional HIPAA information is available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/.

Hope this helps.


There is one issue that you would have to cover to get a valid answer to this question: which facility... HIPAA was written so that each facility could interpret its requirements to best fit their needs, so the way that one facility interprets the requirement could be entirely different than the way another does.

With that said, the way we handled it at my previous hospital is that the e-mail did not need to be encrypted as long as it didn't include privacy act information (SSN, Address, etc). Beyond that, supplying a valid e-mail was stated on the patient information form as permission to initiate e-mail communications until the patient put in a request in writing to desist e-mailing them.

For instance, this document from Health and Human Services says in its FAQ:

Q3: Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?

A3: Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C. [...]

Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.

D.W.

powelljf3
  • Thanks, @powelljf3! Are you aware of any evidence (cites to federal regulations, federal law, legal opinions, etc.) that the practices you describe at your previous hospital are allowable by law? – D.W. May 01 '12 at 15:41
  • Have a look at this report: http://www.healthit.hhs.gov/portal/server.pt/.../DisclosureReport.pdf. It has a section 1.1.1 which covers patient privacy and consent. It also points out the different paragraphs in the act which are used to make these assertions. – powelljf3 May 01 '12 at 16:56
  • Sounds interesting. Unfortunately, the link doesn't work for me (perhaps because of the "..." in the middle?): maybe a failure of copy-paste? – D.W. May 01 '12 at 17:56
  • [This](http://www.healthit.hhs.gov/portal/server.pt/gateway/PTARGS_0_10741_910326_0_0_18/DisclosureReport.pdf) might work a little better. – powelljf3 May 01 '12 at 18:21
  • Thanks, that did work better. While interesting, Section 1.1.1 in that report is extremely high-level and doesn't seem to answer the original poster's question. (Additionally, the word "email" doesn't appear anywhere in the report that I could find.) – D.W. May 01 '12 at 18:38
  • Although that is true (it doesn't mention e-mail), it refers to electronic communication in general throughout the section, and in the referenced material in the HIPAA document. – powelljf3 May 01 '12 at 18:50
  • Could you provide a quotation and page number for the specific parts that answer ftrotter's original question? I searched to read all instances of "electronic" in the document, and didn't find anything relevant (I did find many mentions of "transmitting information electronically in compliance with HIPAA Privacy Rule" but no statement of whether encryption is required to be in compliance). – D.W. May 01 '12 at 19:02
  • Sorry for the delay, was called to a meeting. On http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/safeguards.pdf, in the FAQ: Q1: Does the HIPAA Privacy Rule permit a covered health care provider to email or otherwise electronically exchange protected health information (PHI) with another provider for treatment purposes? A1: Yes. And this is from an HHS document. There is of course a little more information in the document after the Yes. – powelljf3 May 01 '12 at 20:11
  • Perfect! Q3 covers exactly this question. Thanks for the great information. I took the liberty of editing your answer to incorporate this source document and some excerpts from it (I hope that is OK with you). +1 for a great answer. – D.W. May 01 '12 at 20:32
  • Not a problem... Glad we finally got the info out there. – powelljf3 May 01 '12 at 20:35