Are you a HIPAA Risk?

Addressing HIPAA has become a necessary evil in all medical facilities. The rules, in some ways, have become convoluted and confusing. Can I call a waiting patient’s name when summoning them to the exam room? What about sign-in sheets? Can I communicate with my patients via email and fax? Can I send patient records to colleagues via email or fax? Who do I need a Business Associate agreement with?

Since I raised the issues of calling a patient into their appointment by name and of sign-in sheets, I will answer those questions first. Yes and yes. You can call a patient who is waiting in the waiting room to see the doctor by name, and sign-in sheets are fine as well. As for Business Associate agreements, pretty much any independent contractor or service provider that handles your patient information will require one. There is more to this topic, which I will address in a subsequent article.

Now let’s discuss communicating PHI via electronic media. The HIPAA rules state that individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure. Do your email communications provide the proper safeguards? If you are using Gmail, Yahoo or any other such email client as-is, then no, you do not possess the proper safeguards to ensure the PHI being communicated is sent in a secure fashion. Further, each time you communicate PHI through these means you are violating the HIPAA rules. Medical entities have been fined under HIPAA upwards of $10,000.00 per violation for sending PHI through unsecured channels.

There are solutions that meet the HIPAA regulations and still allow for communication via electronic means. A number of companies offer simple software solutions to ensure your emails that contain PHI are properly encrypted and are sent and received in a secure manner. These solutions work in two different ways. The first type is software that works within your current email client, such as Outlook or Apple Mail. When sending an email from the user’s computer, the user indicates that the message needs to be sent encrypted and the software does the rest.

The second type of encryption software acts as an intermediary: the user signs on to the software site, creates the message and uploads any files that need to be sent with it. The recipient then receives a notification with a link and a password to read the message. The biggest benefit of this type of service is that all responses are handled in the same manner, which ensures the entire exchange takes place on the encrypted site. The recipient does not need an account, but can only use it to communicate with you.

The companies that I have researched all provide Business Associate agreements, which gives assurance that they meet HIPAA compliance. Below is a list of a few websites that provide the services.

Eric Conn, CEO and President, Universal Healthcare Consulting, Inc.
