Thursday, March 17, 2016

Using Gmail and the link to correspond with patients -- HIPAA 2013 clarification

HIPAA is designed to protect patient confidentiality. It’s widely misunderstood, not least because of the scary fines for violations. I think on balance it’s a good law, but it needs regular adjustment.

Happily in 2013 a major adjustment was made. Rule makers allowed use of conventional email applications, perhaps without robust encryption, for patient communications if informed consent is given and recorded. I recently put together a set of references on this:

https://personcenteredtech.com/2013/10/06/clients-have-the-right-to-receive-unencrypted-emails-under-hipaa/
Covers the 2013 final rule changes.

http://blog.securitymetrics.com/2014/05/hipaa-email-encryption.html
Pretty good discussion of implications

http://www.austinmedclinic.com/hipaa-and-email.pdf
Example of a patient consent to receive unencrypted email

http://www.gpo.gov/fdsys/pkg/FR‐2013‐01‐25/pdf/2013‐01073.pdf
HIPAA language is on page 5634 (I didn’t confirm this, just copied from the Austin Med Clinic consent form.

I’d still worry about risks associated with using Gmail (though communication is now actually well encrypted for most users) — the message will be both sender and receiver’s server forever unless it’s deleted. Tricky business!

Still, it’s encouraging to see this clarification. I hope the HIPAA rules continue to be adjusted. Having robust encryption built into laptops helps — at least until the FBI forces backdoors which will, of course, be widely exploited by hackers.

1 comment:

Lux Scientiae said...

I would be careful! The salient points are:

1. You can send insecure email if you (a) explain the risks, (b) get written consent for it, and (c) have a secure alternative available.

2. Your secure email alternative has to be HIPAA-compliant and you need a special contract with them. It can't be any old secure email provider.

3. Even if you send insecure email to patients, it MUST be through an email provider that provides HIPAA-compliance and has a contract with you. Consent does NOT allow sending email through regular providers like plain Gmail.

For a deep discussion on consent and neglect, see this article on texting and hipaa -- which applies also to email:

https://luxsci.com/blog/to-text-or-not-to-text-sending-text-messages-under-hipaa.html

And for a deep dive into HIPAA and email ... and in particular how it applies to using Gmail, see this eBook:

https://luxsci.com/hipaa-ebook