Page 8 - 2021 Risk Reduction Series - Communication Part Two
SVMIC Risk Reduction Series: Communication
include laptops, smart phones, tablets, USB drives, external hard drives, and any other device used to store, transmit, or receive ePHI.

The HIPAA Breach Notification Rule considers any unauthorized access, use, or disclosure of unsecured PHI a breach, unless the covered entity can prove the PHI has not been compromised. This places the burden of proof on the provider or healthcare entity. Breaches require written notice to the patient, online reporting to the government, and in some cases, notice to the local media. However, according to HHS, encrypted ePHI is considered secure and, therefore, not subject to the breach notification requirements, thus creating a safe harbor.
As previously mentioned, the word encryption is used frequently when discussing ePHI. Every covered entity should be communicating ePHI internally using encryption technology. This usually doesn’t present a problem because intra-organizational communication is quite easy to keep secure, since the entity controls both ends of the communication.

However, if you want to use encrypted emails when communicating with a patient, it can be much more complicated. While a covered entity can encrypt its end of the email transport, it is difficult to ensure the security of the email once it leaves the organization’s server. For completely encrypted email communication to be achieved, the patient would need to use an email service that supports HIPAA-level encryption on his or her end. The Privacy Rule recognizes this near-impossible requirement and grants patients access to ePHI in the format that they wish to receive it (i.e., unencrypted email).