Emailing patient information requires attention to security, privacy issues
March 17, 2014
There's always a certain level of risk when sending information electronically, but the stakes are higher for health care providers that send patient information electronically.
Dentists who send documents and images containing patient information through unencrypted email may risk exposing the information in a data breach and making themselves vulnerable to violating the Health Insurance Portability and Accountability Act. HIPAA doesn't prohibit dentists from emailing protected health information to patients or other health care providers as long as they use reasonable safeguards while doing so, according to the Office for Civil Rights, an agency within the U.S. Department of Health and Human Services. Addressing a dental practice's email procedures in its risk assessment and policies and procedures can help a dental practice demonstrate compliance with HIPAA.
"The federal government isn't saying that dentists and other medical professionals can't send patient information over email. But they are encouraging health care providers to be cognizant of what they're sending, how they're sending it and who they're sending it to," said Dr. Mary Licking, chair of a working group of the Standards Committee on Dental Informatics. "The OCR's website, hhs.gov/ocr, has a lot of resources about HIPAA and emailing protected health information that is useful to every practicing dentist."
As of September 2013, HIPAA changed how covered dental practices have to respond to patient requests for copies of their electronic records, which may impact dental office procedures for encrypting emails. If a patient asks for their electronic records to be sent in an unencrypted email, a covered dental practice must advise the patient of the risk. If the patient insists on receiving it in an unencrypted email, the dental practice has to send it in that form.
"Ultimately, if you're going to send patient information electronically, it's easier to send it in encrypted emails, unless the patient insists on receiving it unencrypted," Dr. Licking said. "Using an encrypted email system is the easiest and most efficient way of responding to patients' requests and complying with the law."
The ADA works with independent standards and certification organizations to create and drive the adoption of standards for secure, interoperable exchange of oral health information. There is technology available for dentists who are interested in encrypting emails and, while the ADA doesn't endorse any particular product or vendor, dental practices should select a service that complies with HIPAA, the HIPAA breach notification rule requirements and other applicable laws.
"It's imperative that covered dental practices that choose to use a secure messaging service that meets the HIPAA definition of a business associate or of a health information exchange obtain from that service provider a business associate agreement that complies with HIPAA requirements before using the service," Dr. Licking said.
To be considered secure under the HIPAA Breach Notification Rule, the encryption system must use a methodology recognized as approved in a guidance document published by OCR, and the confidential decryption password, process or key must not have been breached.
Dentists who use email, secure messaging services or health information exchanges must train their office staff on proper use. Some concepts include:
- Giving recipients the courtesy of a heads-up phone call or text message before sending protected health information through an information exchange or secure messaging service and encouraging them to do the same.
- Prohibiting the inclusion of any protected health information in a heads-up text message.
- Providing the decryption password, code or key separately from the encrypted email, such as in a telephone call.
- Storing the decryption password, process or key on a device or at a location separate from the encrypted protected health information.
The ADA Complete HIPAA Compliance Kit (J598) provides information about complying with the HIPAA Privacy, Security and Breach Notification Rules. The kit includes the ADA Practical Guide to HIPAA Compliance: Privacy and Security Manual with three-year update service and the ADA Practical Guide to HIPAA Training CD-ROM. The kit is $300 for members and $450 for nonmembers.