We recently received a question from a pregnancy care center employee regarding HIPAA compliant email. Her concern was for both the privacy of her clients and the legal protection of her organization. While iRapture.com can provide some basic answers, you should also consult a legal professional to look at your unique situation.
Defining Some Important Terms
This will be a review for many working in pregnancy care centers. Let’s define some terms to get on the same page.
HIPAA- Health Insurance Portability and Accountability Act of 1996
Privacy Rule- Outlines details regarding PHI (Protected Health Information)
Security Rule- As a subcategory of the Privacy Rule, this outlines details regarding ePHI (electronic Protected Health Information)
Rapid growth in communication technology in recent decades has meant higher levels of efficiency in the health care industry. To keep pace with that progress in the area of communication, the United States government passed HIPAA in 1996. The law required the Secretary of Health and Human Services (HHS) to create certain medical information privacy standards.
Who Needs HIPAA Compliant Email?
The need to implement HIPAA compliant email hinges on whether your organization qualifies as a “covered entity.” According to HHS, “the Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.” The Centers for Medicare and Medicaid Service have provided a helpful covered entity guidance tool, which you can use to determine whether you qualify as a covered entity. Another invaluable resource is The National Institute of Family and Life Advocates (NIFLA).
“Although not technically under the jurisdiction of HIPAA unless billing or communicating with a health plan electronically, all pregnancy centers providing medical services should take reasonable steps to comply with HIPAA and to limit the use of, disclosure of, and requests for Protected Health Information (PHI) to the minimum necessary to accomplish the intended purpose.” - Anne O’Connor, NIFLA Vice President
What are the Best Practices for Pregnancy Care Centers?
While HIPAA may not require you to fulfill the same standards as a covered entity, consider the benefits. NIFLA recommends taking six reasonable steps toward compliance.
Get Consent- Obtain written permission from clients prior to communicating via e-mail.
Give Disclaimer- If the client begins communication via e-mail, your first response back should include a disclaimer, such as “Thank you for your e-mail. While all information you share with us is confidential, there are inherit risks when submitting information using technology that a third party could read it. Do you wish to continue this conversation?” You can then go on to answer the basics of the inquiry. You’ve alerted the client to the potential security risks of transmitting PHI via e-mail.
Go Encrypted- Before sending PHI to medical providers, ensure that both the provider and your organization are utilizing secure and encrypted e-mail.
De-identify- Medical information, such as ultrasound images, can have personal identifiers removed prior to sending to medical providers. This is an alternative if there are no other secure options, but not highly recommended. NIFLA recommends using secure HIPAA-compliant electronic medical record systems.
Verify Details- As with any professional communication, always be sure to double-check the e-mail address prior to sending PHI. Additionally, only include the minimum contacts necessary on the recipient list.
- Use Warning Language- NIFLA has provided a template to include at the bottom of all e-mails: “This message is intended only for the addressee and may contain information that is confidential or privileged. Unauthorized use is strictly prohibited and may be unlawful. If you are not the addressee, you should not read, copy, disclose or otherwise use this message, except for the purpose of delivery to the addressee. If this email is incomplete or illegible, or has been received in error, please call the pregnancy center’s Privacy Officer at ( ###) ###-####.”
Get More Help if Needed
Taking the steps listed above can go a long way in protecting your clients’ privacy and your pregnancy center’s reputation. As we’ve recently discussed, your work is too important to jeopardize the trust between you and potential clients!
For more information on HIPAA compliant email, visit https://nifla.org/. If you have further questions regarding HIPAA compliant e-mail, you can also call toll-free (877) 488-7999 or e-mail firstname.lastname@example.org.