SVMIC, Navigating Electronic Media in a Healthcare Setting, Part 1 (page 19)
she understands that the email is not secure and may be accessible to unauthorized individuals before the PHI can be emailed to the patient. If, however, the patient does not specifically request that his or her PHI be delivered by email and does not acknowledge in writing his or her understanding that email is not secure, PHI may not be sent by unencrypted email.
Most practices have patients fill out various forms (insurance, medical history, consent for insurance payment, etc.) at a single sitting when the patient is first accepted as a patient or presents for an appointment. It is not recommended that consent authorizing the transmission of PHI by email be included in that packet of forms. Such a consent should be provided to the patient as a separate, individual document. A blanket form signed by all patients permitting the transmittal of PHI by unencrypted email would most likely not meet the HIPAA requirements. Once a patient has made a separate written request, the provider must keep a record of this acceptance. This is commonly referred to as an opt-in agreement.
Best practices for email include identifying the use of email in the Security Risk Analysis, using end-to-end encryption for email, executing a HIPAA-compliant business associate agreement with the email provider, adopting office policies on the use of email, training staff and personnel on those policies, and receiving written consent and acknowledgement from patients before communicating with them via email. When in doubt, seek legal and/or professional IT advice on HIPAA compliance and email.
1. AMA Guidelines for Patient-Physician Electronic Mail H-478-997; https://www.ama-assn.org