PHI AND EMAIL
Can we communicate with payers via unsecure email as long as we don’t include PHI elements such as the patient’s name, claim numbers, reference numbers, ID numbers, or account numbers?
This question and related questions are asked repeatedly, and there is no simple answer. However, a basic understanding of several principles can help you determine if you are following HIPAA and HITECH regulations. First of all, there is no mandate within HIPAA that you must secure your emails. You can choose to send PHI in your emails without technically violating the law. However, in practice, it is a bad idea to send unsecured electronic correspondence that contains PHI.
If you have a breach of PHI, any lawyer or government investigator will inquire about your company’s policies and practices relating to emails with PHI. Regularly sending unsecured emails with PHI may be construed as an unwise or unsafe practice that could amount to negligence on the part of the biller and their employer.
If your employer has a policy that requires you to secure emails with PHI, government entities will expect you to abide by that policy. Failing to do so would place you and your employer in a vulnerable position with investigators and attorneys.
Setting aside the possible legal and financial penalties, don’t forget that the idea behind all of this is to protect the privacy of the patient’s medical information. If you were sending an email about yourself and it included private information such as your social security and bank account numbers, would you send it unsecured? What if the email enclosed information about medical treatments you received that you would like to keep private?
Even if you do not mind sending medical information about yourself in unsecured email, are you confident the patient would feel the same way? And even if the patient felt fine about it today, would the patient feel that way if his or her information was stolen? It seems likely that the patient’s attorney would come after you and your employer if the stolen information was obtained from an unsecured email.
Since sending emails securely is a wise and safe practice, why do so many smaller companies resist it? Cost and convenience are the two reasons given most frequently for not securing email.
Regarding cost, there are so many low-cost options for securing email today that there is no excuse for not having a secured email program. If you have investigated secure email services in the past and thought they were expensive, you probably didn’t investigate enough companies. There are big differences in cost between companies that provide similar services, so if money is your biggest obstacle, search until you find one that fits your budget.
However, if your employer thinks that spending any amount of money on secure email is silly, ask them to consider how much it would cost if PHI were stolen from an unsecured email and the patient or patients decided to sue.
And don’t forget that the government would also be involved and possibly impose fines, sanctions, or who knows what.
Sometimes people tell me that they don’t put PHI in the email, but place it in an attachment to the email which they protect with a password. They say this is the same as encrypting an email without having to buy a secure email program.
While password-protecting an attachment is better than nothing, I am not aware of any PDF, document, or spreadsheet programs whose level of password protection is as high as most quality secure email programs. Plus, password-protecting a document is not the same as encryption.
Going back to the original question, the person asks whether, if they remove “PHI elements,” they can then send the email unsecured when they communicate with a payer.