Are you using unencrypted e-mail to communicate with patients? Since the HITECH Act went into effect in the fall of 2013, the rules about e-mail have changed. Healthcare providers must use reasonable precautions to use e-mail to communicate with patients.
“The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c).
Certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as:
- checking the e-mail address for accuracy before sending, or
- sending an e-mail alert to the patient for address confirmation prior to sending the message; or
- limiting the amount or type of information disclosed in unencrypted email.
Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.”
Your office should have an e-mail policy for patients. Consider whether it would be helpful for your office to send patients appointment reminders and health forms via e-mail? You should also offer patient’s the option of opting out of e-mail communication. You should always notify the patient of the risks of sharing protected health information over the internet.
Many patients will appreciate your willingness to use e-mail. E-mail allows your office to quickly get the information to the patient without delay or having to pay for postage. If you plan on using e-mail, your front desk should always check with the patient to determine what their current e-mail address is and whether it has changed.
The patient has the right to request that only certain information be communicated via e-mail. You must have a procedure that informs the healthcare provider what information the patient does not want to be communicated via e-mail.
Your office also might consider an encrypted e-mail system such as secure messaging. Many hospital systems and large providers are using encrypted e-mail. By encrypting the e-mail, you will be certain that the information gets to the correct person and it is not tampered with over the internet.
Do you need assistance with drafting your HIPAA policies? We can help. CLICK HERE
Get “News You Can Use” delivered directly to your email inbox. Click here to Subscribe