Q: Do physicians who use personal e-mail accounts to communicate with patients violate HIPAA by doing so?
HIPAA Weekly Advisor, March 31, 2008
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
A: This is a potential violation of the HIPAA security rule. A violation has not occurred if an e-mail does not include any PHI. However, e-mails that contain PHI should be encrypted.
Encryption is an addressable implementation specification under the security rule. "Addressable" means the provider must implement the specification as stated in the rule, implement protections equivalent to the rule, or must clearly document why the implementation specification does not apply.
Cost may not be the primary reason for failure to implement the specification. It is important to remember that the security rule was finalized back in 2003 and then became effective in 2005.
Encryption technology has become much more mature and interoperable since 2003. And it is no longer cost-prohibitive-even for the smallest providers.
Physicians who elect to send PHI via unencrypted e-mail in 2008 are hard-pressed to justify this decision.
Editor's note: Chris Apgar, president of Portland, OR-based Apgar & Associates, LLC, answered this question. This is not legal advice. Consult your attorney for legal matters.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Comments
0 comments on “Q: Do physicians who use personal e-mail accounts to communicate with patients violate HIPAA by doing so? ”
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Identify potential Medicaid RAC target areas
- HIPAA Q&A: Level of encryption needed for email
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- OB services: Coding inside and outside of the package
- QA:Coding multiple initial infusions
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- What does case-mix index mean to you?
- Catch up on what's new with injections and infusions
- CMS has reformulated payments for some bilateral procedures
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- ED-to-inpatient transfers are flawed with safety gaps
- Searched