Can email be used by healthcare professionals to communicate with patients without compromising privacy standards? The answer is yes – but with special considerations. This pertains to medical care providers (doctors, therapists, office staff, etc.), pharmaceutical & medical supply companies, research organizations, insurance companies, and other life sciences businesses.
How HIPAA Affects Email Use
Since the advent of HIPAA (Health Insurance Portability and Accountability Act) in 1996 and policies regarding Electronic Protected Health Information (ePHI), medical professionals are bound to strict guidelines regarding the privacy of an individual’s health status, treatments history, and payments for health care. Not surprisingly, sending patients individual emails with personal information can be deemed NOT secure or HIPAA-compliant, due to vulnerabilities in internet security. However, if healthcare providers implement protocols that satisfy HIPAA privacy, security, enforcement and breach notification rules, then email can be used.
This article covers our understanding of:
- HIPAA compliance when it comes to sending individual emails to or about patients
- The role of HIPAA compliance in email marketing to the public
The overview below is based on our experience working with healthcare providers and building HIPAA-compliant business tools. This is not legal advice (we are not lawyers!), as each org may have its own legal interpretation of HIPAA compliance and how it pertains to their business. In addition, the standards are continually changing, and the liability for breaching ePHI HIPAA compliance is unclear and evolving as of early 2016.
HIPAA-Compliant Individual Email – Maintaining Patient Confidentiality
An email sent from any healthcare provider or staff member about a specific patient, containing Protected Health Information (PHI), must follow strict HIPAA compliance guidelines. This comes from implementing the right technology and training people on security procedures1. Healthcare providers may require all outgoing emails to include a boilerplate statement about privacy policies and warnings of the potential security risks when transmitting ePHI over the internet2. This multi-point approach to security will include:
- Strong email encryption, to make a message unreadable if it gets intercepted
- Authentication processes to verify and control who has access to ePHI info
- Consent and documentation, with an opt-in form or process
HIPAA-Compliant Email Marketing
The HIPAA standard is much more relaxed when using email for marketing purposes. The primary requirement is that the patient or recipient gives their permission to be on the email list, via an opt-in process. The entity typically gives the recipient the option to be on their email list for marketing purposes, and may provide a legal description of the terms of being on the list.
It’s important to have HIPAA Business Associate Agreement with any email or marketing service you use for composing and sending messages. Many commonly-used email marketing systems do not ensure HIPAA compliance, but some do.
Security, Warnings, Permission and Documentation
These rules exist to prevent unauthorized disclosure of an individually identifiable health information, while providing recipients with helpful information. Our team at Harris Web Works can provide consultation and technical services to help you put an effective system in place that encompasses security, warning, permission and documentation protocols:
- HIPAA-compliant data retrieval and third-party integration
- Managed hosting – dedicated HIPAA-compliant server behind HIPAA-compliant firewall
- HIPAA-compliant email set up
- Electronic Health Record (EHR) system and secure patient portal set up
Be Safe, Not Sorry: HIPAA-Compliant Email Marketing for Private Practice
How Do I Become HIPPA Compliant?
The Health Information Technology for Economic and Clinical Health (HITECH)Act
1From How to Achieve Email Compliance with the HIPAA & HITECH Acts
Implementation specifications to address HIPAA standards involve:
- Unique user identification
- A mechanism to authenticate ePHI and to corroborate that ePHI has not been altered or destroyed in an unauthorized manner
- Security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of
Specific HIPAA standards pertaining to needed for compliance when sending ePHI emails are as follows:
- Access Controls. A covered entity must implement technical policies and procedures limiting access to systems containing electronic protected health information (ePHI) only to personnel with sufficient access rights (§ 164.312 (a))
- Audit Controls. A covered entity must implement software that record and examine activity in information systems that contain or use ePHI. (§ 164.312 (b))
- A covered entity must implement policies and procedures to protect ePHI from improper alteration or destruction. (§ 164.312 (c))
- Person or entity authentication. A covered entity must implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. (§ 164.312 (d))
- Transmission security. A covered entity must implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.
2Sample boilerplate disclaimer text for emails:
This message originates from Name of Entity. The information contained within may be privileged and confidential. If you are the intended recipient you must maintain this message in a secure and confidential manner. If you are not the intended recipient, please notify the sender immediately and destroy this message. Thank you.
Learn more about how pharmaceutical and life sciences websites can achieve HIPAA-compliance.