Email has become one of the primary methods used to communicate information between individuals and organizations. Although widely used today in the healthcare environment, the improper use of email could lead to an inappropriate disclosure of patient information and a possible violation of HIPAA. While the Department of Health and Human Services’ Office for Civil Rights (OCR), the government agency that oversees and enforces HIPAA Privacy and Security Rules, does permit the use of unsecure (unencrypted) email to communicate protected health information (PHI) to patients or provider colleagues, it does provide guidance for transmitting emails in a safe and secure manner.
Patient right to email
Patients generally have a right to receive copies of their PHI by email if they request that method. The government has indicated it expects all practices to have the capability to send PHI by email and that transmitting PHI in such a manner does not present unacceptable security risks to practice systems, even though it acknowledges that there may be security risks to the PHI once it has left the practice’s email system.
Should patients initiate communications with a practice using unsecure email, the practice can assume that email communications are acceptable to the individual unless the patient has explicitly stated otherwise. As OCR explains in an FAQ, if there is concern that the patient may not be aware of the possible risks of using unencrypted email, or if the practice has concerns about potential liability, the practice should alert the patient of those risks and let the patient decide whether to continue email communications.
In the limited situations in which a practice is unable to email the PHI as requested, such as when diagnostic images are requested and email cannot accommodate the image file size, the practice should offer the patient alternative means for receiving the PHI, such as portable media, which can then be mailed to the patient. Further, patients have a right to receive a copy of their PHI by unencrypted email if the patient requests access in this manner. In such cases, the practice must warn the patient that there is some level of risk that the patient’s PHI could be read or otherwise accessed by a third party while in transit and confirm that the patient still wants to receive his or her PHI by unencrypted email. If the patient says yes, the practice must comply with the request.
Is use of secure email required?
OCR has made it clear that patients generally not only have a right to receive emailed copies of their PHI if they request that method, but they also have a right to receive a copy of their PHI via unencrypted email if they ask for it in this format. While practices are responsible for adopting “reasonable safeguards” when meeting the patient’s request to have their PHI emailed to them unencrypted, they are not responsible for a disclosure of PHI while in transmission to the patient (assuming the patient was warned of and accepted the risks associated with the unsecure transmission). Reasonable safeguards include verifying the identity of the patient making the access request and correctly entering the email address. OCR also suggests sending a test email to the patient to ensure the address is correct. It is important to note that practices are not responsible for safeguarding the information once delivered to the patient.
The government also requires that practices accommodate a patient’s request to receive appointment reminders via email, rather than on a postcard or by telephone message, if email is a reasonable alternative for the practice to communicate with the patient. OCR counsels, however, that if the use of unencrypted email is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods (CD-ROM or thumb drive), or by traditional mail or telephone, should be offered and accommodated.
10 tips for using email in physician practices
- Use secure (encrypted) email whenever possible.
- Assume that email is an acceptable method of communication when patients email you first (unless the patient tells you otherwise).
- Comply with patients’ requests to send PHI via email, but warn them of the risks of unsecure email.
- Consider having patients sign a consent form giving you permission to email PHI to them or to a third party using unsecure email.
- Confirm the email address before emailing PHI and limit the PHI in the email to what is minimally necessary.
- Remind patients that once they have received the PHI via email, it is their responsibility to maintain security.
- Set reasonable expectations for your patients regarding reply times if your practice permits patients to email clinical staff.
- While permitted to charge a “reasonable, cost-based” fee for the labor and materials used to scan a patient’s PHI into an email, practices are urged to make this a free service.
- To prevent viruses, instruct staff NOT to open emails, especially email attachments, from unknown senders.
- Include email use and security in your HIPAA Risk Analysis.
Patients also have the right to have the practice email their PHI to a designated person such as a family member or a third party (for example, another physician). While the practice must email the PHI directly to another person or third party when requested by the patient, the practice can require that the request be made in writing, signed by the patient and clearly identify the designated person or entity and where to email the PHI. Practices are required to take action within 30 days of the request. The government also affirms that practices may rely on the information provided in writing by the patient regarding the identity and email address of the designated person and where to send the PHI for purposes of verification of the designated third party as an authorized recipient.
While OCR stipulates that HIPAA does not prohibit the use of unencrypted email for communications between providers and patients, the agency reiterates that other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted email. In using unsecure email, the practice must provide a warning to the patient that there is some level of risk that the patient’s information could be read or otherwise accessed by a third party while in transit and confirm that the patient still wants to receive the record by unencrypted email. MGMA recommends that physician practices have the patient sign an acknowledgment of this risk and document that the patient has been informed of the potential risk of disclosure.
The use of encryption for emailing patient information, while not mandated under HIPAA, is an “addressable” requirement under that regulation and must be deployed unless other “appropriate protections” are used. As an indication that deployment of secure email is on the rise, a Jan. 23 MGMA Stat poll asked the question, “Do you use secure (encrypted) email when sending patient data?” Nearly 90% of the 1,319 respondents stated yes, with a further 4% stating that they were considering it. Only 6% indicated that they do not use secure email and 2% stated that they were unsure.
Increasingly, practices are using secure email to communicate with other clinicians to strengthen security and reduce the chance of a breach, yet fewer have adopted this technology to communicate directly with patients. The same MGMA Stat poll found that for those respondents using secure email, 36% reported using the technology to have their providers communicate with external providers. Another 16% stated that secure email was used for providers to communicate internally, with just 11% indicating secure email was used for provider to patient communications.
Charging patients to receive their PHI by email
The government does permit practices to charge a “reasonable, cost-based” fee for the labor and materials used to copy/scan medical records and attach them to an email. There are three ways a practice can calculate this reasonable, cost-based fee for PHI maintained electronically: actual costs, average costs or a flat fee. If a flat fee is selected, note that the fee cannot exceed $6.50, inclusive of all labor and supplies. While the Privacy Rule does permit practices to charge patients a fee for receiving a copy of their medical record, practices should consider implementing a policy of providing a no-cost option for patient requests to have their PHI emailed to themselves or to a designated third party.
Other than those unsecure communications specifically requested by the patient, the use of unencrypted email communications, including the use of email to transmit patient information to staff within the practice, requires that the organization assess its use of open networks, identify the available and appropriate means to protect patient information sent electronically, select a solution and document the decision. Practices are strongly encouraged to discuss secure and unsecure email options with their technology vendor and include all related issues in their HIPAA Security Risk Analysis and risk mitigation.
For additional information, access the MGMA HIPAA Resource Center and the OCR website.