Should offices be using an encrypted email system to send patient information? Here are three reasons why, if dental practices want to avoid costly HIPAA violations.
As many of you know by now, a breach of patient data can be devastating to a practice. The Breach Notification Rule requires you to notify every affected patient and the Department of Health and Human Services, and for larger breaches to notify prominent local media as well, not to mention the fines and penalties that may follow.
The most common form of a breach is a lost or stolen mobile device such as a laptop or external hard drive. One of the next most common forms of breach is through email.
Should offices be using an encrypted email system to send patient information? In my mind, yes, with a few caveats.
Under the HIPAA Security Rule, encryption of ePHI is an "addressable" implementation specification. Addressable does not mean optional: if encryption is reasonable and appropriate for your practice, you must implement it. If you conclude that it is not, you must document why and implement an equivalent alternative measure where one is reasonable and appropriate. Considering the high risk of data compromise with unencrypted email, almost everyone would consider encryption to be reasonable and appropriate. Most encrypted email systems run around five to ten dollars per month for each email account.
The Safe Harbor Method
One option (not one I recommend) is the Safe Harbor Method. This is the de-identification method in the Privacy Rule: once you remove all of the 18 identifier categories, the data is no longer considered PHI, so it can be sent without encryption. So, let's say you want to send another office a digital X-ray of a patient. To meet the Safe Harbor Method, you would send the X-ray with literally no other information: no name, initials, chart ID, facial photo, no dates other than the year, nothing.
While this is an easy solution for the person sending the email, it's not so great for the recipient. Imagine you are a specialty practice and you get five to ten emails per day that include X-rays but no other information. You'll have to call the sender, figure out who the patient is, get the image into the software, and so on. It will be a real pain.
The recipient difference
It's important to differentiate between sending patient information to the patient versus sending the information to another dentist. A patient may ask to receive their own information by unencrypted email, and you may honor that request once you have warned them of the risk. Have them sign a written acknowledgement that they understand and accept the risk, and keep that agreement on file. The concern is that, just like other documents patients sign such as Informed Consent, there's always a risk that the patient could later claim they didn't understand what they were signing.
What if a patient sends you an unencrypted email that requires a response? Is it OK to reply in an unencrypted manner, since the patient has basically established that they are willing to communicate that way? HIPAA itself does not spell this out. HHS guidance indicates that when a patient initiates email contact you may generally assume that email replies are acceptable unless they say otherwise, but the safer course is to keep the reply to the minimum necessary and move anything sensitive to a secure channel.
A stickier situation is if the patient wants you to send their digital records to another dentist such as a specialist. While I have always believed that patients do not have this legal right, recent cases seem to support that they can do this, again, with a written and signed authorization. However, this puts the recipient at risk as any ePHI you have on your computer is ultimately your responsibility; it makes no difference how it got there.
My best recommendation for all offices is to consider an encrypted email system. Some integrate with Outlook; others run as a standalone desktop application. The best systems are the ones that put no patient information in the visible email at all: the message that travels over ordinary email is just a link, and the recipient must create their own user name and password to access the actual message, which prevents viewing by unintended eyes even if the notification email is intercepted or forwarded. These systems are safe, secure and won't break the bank.
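To make the "link-only" design concrete, here is an added example (not the code of any product mentioned above, and not from the original article) of the minimal flow such a system follows: the notification email carries only a random, unguessable token, the message body stays on the server, and the addressee must register a user name and password and present the token before the body is released. The portal URL, the in-memory store, the one-week expiry and the sample referral text are all assumptions made for the example.

```python
"""Added example: a minimal link-only secure message flow.

Assumptions (not from the original article): messages live in an in-memory
dict, links expire after MAX_AGE_SECONDS, BASE_URL is a hypothetical portal,
and the referral text below is constructed sample data.
"""
import hashlib
import hmac
import secrets
import time

MAX_AGE_SECONDS = 7 * 24 * 3600                  # assumption: links expire after a week
BASE_URL = "https://secure.example.invalid/m/"   # hypothetical portal address
PBKDF2_ROUNDS = 600_000                          # current OWASP guidance for PBKDF2-HMAC-SHA256


class SecureMessageStore:
    """Holds message bodies server-side; only a token ever goes out by email."""

    def __init__(self):
        self.messages = {}   # token -> {"recipient", "body", "created"}
        self.users = {}      # username (the recipient's email) -> {"salt", "hash"}

    def deposit(self, recipient_email, body, now=None):
        """Store a message and return the opaque token that will be emailed."""
        token = secrets.token_urlsafe(32)        # 256 bits of entropy: not guessable
        created = now if now is not None else time.time()
        self.messages[token] = {"recipient": recipient_email,
                                "body": body, "created": created}
        return token

    def notification_email(self, token):
        """The only thing that travels over ordinary (unencrypted) email."""
        return {
            "to": self.messages[token]["recipient"],
            "subject": "You have a secure message",
            "body": ("A secure message is waiting for you. "
                     f"Open {BASE_URL}{token} to view it."),
        }

    def register(self, username, password):
        """Recipient creates their own account; password is salted and stretched."""
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[username] = {"salt": salt, "hash": digest}

    def _verify_password(self, username, password):
        record = self.users.get(username)
        if record is None:
            # Do the same amount of work so timing does not reveal which accounts exist.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, record["hash"])   # constant-time comparison

    def open_message(self, token, username, password, now=None):
        """Release the body only to the authenticated addressee, before expiry."""
        if not self._verify_password(username, password):
            return None
        message = self.messages.get(token)
        if message is None or message["recipient"] != username:
            return None                          # wrong link, or not the addressee
        current = now if now is not None else time.time()
        if current - message["created"] > MAX_AGE_SECONDS:
            return None                          # stale link: make the sender resend
        return message["body"]


if __name__ == "__main__":
    # Constructed sample: a referral that must not appear in the notification email.
    store = SecureMessageStore()
    token = store.deposit("specialist@example.invalid",
                          "Referral: Jane Doe, chart 12345, periapical X-ray attached")
    print(store.notification_email(token)["body"])
    store.register("specialist@example.invalid", "correct horse battery staple")
    print(store.open_message(token, "specialist@example.invalid",
                             "correct horse battery staple"))
```

The point to check in any product you evaluate is the same as in this sketch: the notification email must contain nothing but the link, the token must be long and random rather than a sequential ID, and the link alone must not be enough to read the message without the recipient's own credentials.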