Page 18 - Part 1 Navigating Electronic Media in a Healthcare Setting
SVMIC Navigating Electronic Media in a Healthcare Setting
to the wrong person, the person who received it should, theoretically, not be able to access the information. As discussed above, unencrypted email does not provide a safe harbor, and the presumption is that any unauthorized disclosure is a breach.

The second issue is that the email provider may not be willing to execute a Business Associate Agreement (BAA). A business associate is a third party that provides a service to or on behalf of a covered entity, where that service involves the use or disclosure of PHI. If PHI is being emailed, the email provider would be considered a business associate, and a BAA is required. Using a third party for services that involve PHI without a BAA in place is considered a violation of HIPAA. When a business associate relationship is formed, the third party assumes liability similar to that of the provider or healthcare entity, and with that assumption of liability, the third party faces penalties for a HIPAA breach. It is highly unlikely that a third-party email service provider would be willing to assume that level of risk and penalty for free.

As an alternative to free email services, there are secure web-based email services that understand HIPAA and are willing to provide BAAs. For example, Google provides a secure email service through its paid offering for businesses and will provide healthcare practices with a HIPAA-compliant BAA. Another option is to use an on-site email server that can be encrypted and managed locally by either an IT company or in-house IT staff.

As stated earlier, the Privacy Rule allows patients to request that PHI be transmitted in any format they wish, including by email. If such a request is made, the provider must accommodate it even if encryption is not available. The provider must inform the patient, and the patient must acknowledge in writing that he or