Here is the best answer (in fact, the only answer) to my question about restrictions placed upon emailing of health information.Â My interpretation is that I may email protected health information as long as I am reasonably sure IÂ know who it is going to.
Jim Hoehne, CO, LO
Tampa Bay, FL
The requirement from HIPAA is one of reasonable precautions. In fact, they specifically address this concern here http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/safeguards.pdf, page 2. The section reads:
Q1: Does the HIPAA Privacy Rule permit a covered health care provider to email or otherwise electronically exchange protected health information (PHI) with another provider for treatment purposes?
A1: Yes. The Privacy Rule allows covered health care providers to share PHI electronically (or in any other form) for treatment purposes, as long as they apply
reasonable safeguards when doing so. Thus, for example, a physician may consult with another physician by e-mail about a patientâ€™s condition, or health
care providers may electronically exchange PHI to and through a health information organization (HIO) for patient care.
The problem with HIPAA is to define what is reasonable. What is reasonable for a small provider may be unreasonable for a large provider. Notice they don’t specifically call out encryption but if, in your opinion, it is reasonable to use it, then you should use it. That’s been the biggest problem with HIPAA from the onset. Everything is so generic that you can make it say almost anything you want.
I believe the best practice is to not include PHI in the e-mail. That obviates the need for the encryption since it doesn’t contain anything that falls under HIPAA. For instance, instead of “I have a patient, John Doe, who has xyz condition” you could simply say “I have a patient who has xyz condition”. Internally, you could use patient account numbers instead of names. This doesn’t work as well with physicians but you might work out a mutually agreeable method that doesn’t involve PHI exchange.
For the best answer, consult an attorney. That’s ultimately what you are fighting against anyway. Considering the enforcement method of HIPAA is primarily complaint driven, the only time DHHS would be knocking on your door is if a someone makes a complaint. In that case, your attorney is most likely going to be involved.