Page 7 - 2021 Risk Reduction Series - Communication Part Two
SVMIC Risk Reduction Series: Communication
safeguards be established. The SRA helps the organization ensure it is compliant and reveals areas where the organization's PHI could be at risk. An SRA tool to assist an organization in the preparation of a risk assessment is available at www.HealthIT.gov.
The Department of Health and Human Services (HHS) oversees compliance with the HIPAA Rules, and the Office for Civil Rights (OCR) investigates potential violations. Significantly, anyone, including patients or staff, who believes there has been a violation of the HIPAA laws can file a complaint with the OCR and can do so without the assistance of an attorney.
Emailing ePHI
Email is not specifically prohibited by HIPAA, and the Privacy Rule allows covered healthcare providers to communicate electronically (such as through email with their patients), provided they apply reasonable safeguards when doing so. HIPAA requires appropriate physical, administrative, and technical safeguards for all ePHI. For example, a covered entity must decide whether encryption is appropriate based on the level of risk involved. Any devices used to store, transmit, or receive ePHI must be included in the previously mentioned Security Risk Analysis (SRA). Therefore, it is necessary for the provider or healthcare entity to conduct an SRA to determine the threats and vulnerabilities concerning the confidentiality, integrity, and availability of ePHI sent via email. A risk management plan must then be developed, and encryption or an alternative measure implemented to reduce that risk to an appropriate and acceptable level. The plan must also be documented. The devices subject to a Security Risk Analysis