How to ensure that EHR communications are HIPAA compliant
While HIPAA does not prohibit communication in the form of email and text messaging, there are certain precautions that must be followed to ensure compliance and patient privacy. The Department of Health and Human Services states that “the Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”
Under the Privacy Rule, the patient has a right to request that a provider communicate with him by alternative means, and this can include email. If unencrypted email is not sufficient, the provider should offer other alternatives such as mail, telephone, or encrypted electronic messaging. Additionally, if a patient initiates communication with her provider by email, the health care provider can assume that email communication is acceptable to the patient unless she has indicated otherwise. Providers must realize that it is difficult to ensure the security of an email once it leaves their server. Once a patient receives a piece of information, he can share it as he pleases.
It is important that the patient give consent for contact by email or text messaging, and patients should be informed of any privacy issues. Many practices use a written consent form for electronic messaging that includes a disclaimer regarding the security risks of electronic messaging. Once a patient signs this form, it can be kept in his medical record as ongoing consent. In EHR patient portals, where much electronic communication occurs, systems should require passwords to be updated at regular intervals in order to ensure security.
Reasonable safeguards to keep electronic messaging using your EHR patient portal HIPAA-compliant include:
Avoidance of unintentional disclosures
The provider must check and re-check an email address or phone number for accuracy. Additionally, they may send an email alert to the patient prior to sending a message.
Limiting the amount or type of information disclosed
Identifying information should not be used in the subject line of an email, and it should be limited in the body of the message as well. Such identifiers include the patient name, initials, record number, birth date, social security number, address, phone number, insurance information, dates of service, and photographs of the face. Additionally, sensitive medical information should not be sent via email. This includes certain diagnoses such as HIV/AIDS, mental health disorders, substance abuse, and abuse.
Including a privacy disclaimer
In emails there should be a patient privacy disclaimer at the bottom of all communications. This may appear as: “The information contained in this communication may contain confidential and private information, which is protected by HIPAA. This message is only intended for the name listed above. If you are not the intended recipient, please inform the sender by email and destroy any copies of the original message. The review, duplication and/or distribution of this information is strictly prohibited.”
Providers must be careful about what information is sent electronically. Remember that this communication, and any patient data included in it, becomes part of the patient's medical record. Any type of personal or sensitive information should be left for in-person, telephone or written communication in order to ensure privacy and confidentiality.
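The two safeguards above, keeping identifiers out of the subject line (and limiting them in the body) and appending the privacy disclaimer, can be enforced automatically before a portal notification leaves the server. The following is an added example, not code from the original article or from any EHR vendor: the regular expressions, the disclaimer phrase used as the marker, and the sample messages are all assumptions constructed for illustration, not a complete PHI detector.

```python
import re
from dataclasses import dataclass

# Identifier patterns the article says to keep out of subject lines and to limit
# in the body. These regexes are illustrative assumptions, not a complete PHI detector.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),  # birth date, date of service
    "mrn": re.compile(r"\b(?:MRN|record\s*(?:no\.?|#|number))\s*[:#]?\s*\d+", re.I),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
}

# Phrase from the article's sample disclaimer; assumed to be required on every message.
DISCLAIMER_MARKER = "protected by HIPAA"


@dataclass
class ScreenResult:
    subject_findings: list  # identifier kinds found in the subject line (blocking)
    body_findings: list     # identifier kinds found in the body (warn: limit them)
    has_disclaimer: bool

    def blocked(self) -> bool:
        # Block on any identifier in the subject or on a missing privacy disclaimer.
        return bool(self.subject_findings) or not self.has_disclaimer


def find_identifiers(text: str) -> list:
    return sorted(kind for kind, pat in PHI_PATTERNS.items() if pat.search(text))


def screen_outbound_message(subject: str, body: str) -> ScreenResult:
    return ScreenResult(
        subject_findings=find_identifiers(subject),
        body_findings=find_identifiers(body),
        has_disclaimer=DISCLAIMER_MARKER.lower() in body.lower(),
    )


# Constructed sample messages (not real patient data).
BAD_SUBJECT = "Lab results for MRN 48213, DOB 03/14/1980"
SAFE_SUBJECT = "A new message is waiting in your patient portal"
PORTAL_BODY = (
    "Please log in to the portal to view your new message.\n\n"
    "The information contained in this communication may contain confidential "
    "and private information, which is protected by HIPAA."
)

if __name__ == "__main__":
    for subj in (BAD_SUBJECT, SAFE_SUBJECT):
        r = screen_outbound_message(subj, PORTAL_BODY)
        print(f"{subj!r}: blocked={r.blocked()} subject={r.subject_findings}")
```

A body finding is reported rather than blocked because the article asks that identifiers in the body be limited, not forbidden; a sender-side check like this complements, and does not replace, verifying the recipient address.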