HIPAA Background
The Health Insurance Portability and Accountability Act (HIPAA) is a crucial piece of legislation, and its importance to the healthcare industry and its patients cannot be overstated. Introduced in 1996, HIPAA's main goal was to provide coverage for people who were out of work; without HIPAA, people ran the risk of losing coverage between jobs. Its secondary purpose was to protect people from fraud and from unauthorized individuals gaining access to their medical records. No organization or industry wants its customers' data to be accessible to potential adversaries, and HIPAA provides the rules, regulations and penalties that enforce this. The fines for noncompliance range from $100 to $1.5 million, and violations can carry up to five years in jail.
Dr. Z Note: Every email that you send which contains any data related to a patient must be encrypted.
The Need for Email Encryption
According to HHS, “the Security Rule does not expressly prohibit the use of email for sending ePHI. However, the standards for access control, integrity and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to ePHI”.
In other words, HHS states that ePHI can be emailed, but only in a secure manner. Securing email in this way is just one of the services Dr. Z Security can set up to run seamlessly with your existing technology.
Generally speaking, free online email providers (such as Gmail, Yahoo, Hotmail, AOL, etc.) are not HIPAA compliant. One such case listed on HHS.gov reports, “Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, AZ, has agreed to pay the U.S. Department of Health and Human Services a $100,000 settlement amount and a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules. OCR’s investigation found that the physician practice was posting clinical and surgical appointments for their patients on an Internet-based calendar that was publicly accessible”.
Phoenix Cardiac Surgery is another example of a practice that not only violated HIPAA's requirements for email but also failed to meet other HIPAA provisions on protecting patient ePHI.
Dr. Z Note: "Unencrypted email" refers to the whole service, not just the mailbox. With Gmail, for example, this covers not only email but all Gmail features such as calendar, drive, tasks, etc.
Patient Email and the Omnibus Rule
The encryption rules are imposed on medical professionals; patients are not forced to use encrypted email.
“We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email… covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.” (US Department of Health and Human Services, Omnibus Final Rule, 2013).
Dr. Z Note: Unencrypted emails can be sent to clients but only if they know the risks and still prefer this type of communication. Please see the file "HIPAA Disclaimer Text" in the downloads area below.
Among its other duties, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy Rule.
As of March 31, 2019…
OCR has investigated and resolved over 26,757 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates. Corrective actions obtained by OCR from these entities have resulted in change that is systemic and that affects all the individuals they serve. OCR has successfully enforced the HIPAA Rules by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity or their business associate. To date, OCR has settled or imposed a civil money penalty in 63 cases resulting in a total dollar amount of $99,581,582.00. OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.