Ask the expert: Agreement for communicating PHI via unencrypted e-mail messages
HIM Connection, June 10, 2008
Q: Many physicians and patients are interested in communicating information that includes PHI via e-mail even though they understand that unencrypted e-mail messages are not secure. May a physician and patient sign a clearly worded agreement that acknowledges the security and privacy risks of exchanging e-mail that includes PHI as long as both parties know the risks involved and are willing to accept them?
A: A physician and patient may enter into such an agreement. However, it would not mean physician liability for inappropriate disclosure is necessarily limited if the e-mail is intercepted and patient information is inappropriately disclosed. It also doesn’t mean that it is not a violation of the HIPAA security rule.
Even though the use of encryption is addressable under the HIPAA security rule, technology has changed subsequent to the publication of the security rule in April 2003. Addressable does not mean optional. It means the physician is required to follow the rule requirements, implement protections equal to those included in the rule, or justify why he or she will not implement the provision—and the reason cannot be solely based on cost. The cost of implementing secure e-mail is no longer an issue for any size organization. For example, there are reliable vendors who will supply secure e-mail services for as little as $100 per year per user. Given the decrease in cost and the increase in availability of workable secure messaging solutions, any covered entity would be hard-pressed to justify its choice to not encrypt e-mail containing PHI. Signing an agreement does not eliminate the requirement for the physician to comply with the security rule.
Editor’s note: This Q&A was excerpted from the June issue of Briefings on HIPAA. For more information, visit www.hcpro.com/content/212068.cfm.
Correction: Note that last week's "Ask the expert" scenario was edited after the author submitted it, and the place of occurrence of a "beach" was inadvertently omitted. Because the sunburn occurred at the beach, code E849.8 is justified.