Consumers increasingly want to communicate electronically with their providers through email or texting. The Security Rule requires that when you send ePHI to your patient, you send it through a secure method and that you have a reasonable belief that it will be delivered to the intended recipient. The Security Rule, however, does not apply to the patient. A patient may send health information to you using email or texting that is not secure. That health information becomes protected by the HIPAA Rules when you receive it.
The HIPAA Security Rule deals with electronic Protected Health Information (ePHI) and is a response to the increasing use of personal mobile devices in the workplace. The professional use of personal mobile devices in the healthcare industry is significant. More than 80 percent of physicians own at least one mobile device (iPhone, Android phone, Blackberry, iPad, tablets, notebooks, etc.). The risk of an unauthorized disclosure of ePHI from a personal mobile device is also significant; yet many healthcare organizations have actively pursued “Bring your own device” (BYOD) policies because of the convenience of personal devices, their ease of use and the considerable cost savings in comparison to company-owned devices. This can all too easily lead to unauthorized disclosures of ePHI, in particular in the following scenarios:
- The mobile device is misplaced by the user, or is lost or stolen, allowing an unauthorized third party to access ePHI
- The mobile device is left unattended, or its screen is left in view, where an unauthorized third party may have access to it
- An unauthorized individual breaks into the mobile device’s local storage, or accesses ePHI through an insecure channel of communication
- ePHI is transferred to or stored on a mobile device (or even a flash drive) that is not encrypted
- The mobile device is traded in without first securely and permanently wiping its data
The HIPAA Security Rule permits healthcare providers to interact electronically with patients, such as through email, but the law requires covered entities to apply proper safeguards when doing so. Importantly for healthcare professionals and their employers, the Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
In this environment of expanding online access and strong consumer demand for near real-time communication, you should be careful to use a communications mechanism that allows you to implement the appropriate Security Rule safeguards, such as an email system that encrypts messages or one that requires patient login, as with a patient portal. If you use an EHR system that is certified under ONC’s 2014 Certification Rule, your EHR should have the capability of allowing your patients to communicate with your office through the office’s secure patient portal. If you use a certified EHR system, you should be able to communicate online with your patients, and the EHR system should have the appropriate mechanisms in place to support compliance with the Security Rule. You might want to avoid other types of online or electronic communication (e.g., texting) unless you first confirm that the communication method meets, or is exempt from, the Security Rule.