HIPAA email communications
Washington—Dentist email communications with patients may be affected by new HIPAA rules.
The Health Insurance Portability and Accountability Act omnibus final rule that took effect March 26 for compliance by Sept. 23, 2013, includes new requirements that may apply when a patient requests an electronic copy of the patient’s information from a covered dental practice that maintains the record electronically.
Under the new rule, if the patient requests that the information be provided in an unencrypted email, the dental practice may be required to provide the information that way if the practice has advised the patient of the risk that the email might be accessed by an unauthorized third party and the patient still prefers to receive the information in an unencrypted email.
HIPAA requires that covered dental practices implement reasonable safeguards, including reasonable procedures, to ensure that the practice correctly enters the email address. The practice is not responsible for the email while it is in transit or once it has been delivered to the patient.
A dental practice would be prudent to consult qualified legal counsel to determine whether it is covered by HIPAA and how to respond to patient requests in compliance with applicable state and federal law.
The updated ADA Practical Guide to HIPAA Compliance Privacy and Security Kit provides more information on the new rule and a more detailed explanation of the procedures for responding to patient requests for copies of electronic records, including email responses. To purchase the ADA Complete HIPAA Compliance Kit (J598), visit ADAcatalog.org or call the ADA member service center at 1-800-947-4746.
The U.S. Office for Civil Rights, which enforces the HIPAA privacy rule, offers responses to the following frequently asked questions (FAQs) about email communication of protected health information (PHI):
Does the HIPAA privacy rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?
Does the HIPAA Privacy Rule permit a doctor, laboratory, or other health care provider to share patient health information for treatment purposes by fax, e-mail, or over the phone?
Does the Security Rule allow for sending electronic PHI (e-PHI) in an email or over the Internet? If so, what protections must be applied?
Does the HIPAA Privacy Rule permit a covered health care provider to e-mail or otherwise electronically exchange protected health information (PHI) with another provider for treatment purposes?
In addition to the new HIPAA requirements, recent media reports suggest at least one vendor reassigns email addresses the vendor deems to be “inactive,” which might pose a risk for a dental practice that emails patient information to an address that has been reassigned to an unauthorized third party.