Page 17 - Part 1 Navigating Electronic Media in a Healthcare Setting
SVMIC Navigating Electronic Media in a Healthcare Setting
places the burden on the provider or healthcare entity. Breaches require written notice to the patient, online reporting to the government, and in some cases, notice to the local media. However, according to HHS, encrypted ePHI is considered secure and, therefore, not subject to the breach notification requirements, thus creating a “safe harbor.”
As mentioned above, the word “encryption” is used frequently when discussing ePHI. Every covered entity should be communicating ePHI internally using encryption technology. This usually doesn’t present a problem because intra-organizational communication is quite easy to keep secure since the entity controls both ends of the communication.
However, if you want to use encrypted emails when communicating with a patient, it can be much more complicated. While a covered entity can encrypt its end of the email transport, it is difficult to ensure the security of the email once it leaves the organization’s server. In order for completely encrypted email communication to be achieved, the patient would need to use an email service that supports HIPAA-level encryption on his or her end. The Privacy Rule recognizes this near-impossible requirement and grants patients access to ePHI in the format that they wish to receive it, i.e., unencrypted email. This will be discussed in greater detail later in this course.
Because encryption is a safe harbor for notification, it makes sense to encrypt PHI that is transmitted by email. Be warned that the use of most, if not all, free email services for communicating ePHI is not HIPAA-compliant.
The first issue is that free services typically do not provide the ability to encrypt the message. Even if an encrypted email is sent