email and common sense

  • 24th June 2014

“I read an article on the Internet that says I will be fined lots of money if I email my patients,” Dr. Oliver Oldschool griped over the phone to his personal lawyer. “Is that true?” he asked.

“Well, I am glad you do not believe everything you read on the Internet,” the lawyer responded with a bit of sarcasm. “Email is a little tricky because of HIPAA, and you just need to be careful,” he elusively added.

“Seriously? What do you mean by careful?” the physician quizzed. “Why can’t you lawyers tell me anything straight up without waffling legalese?” he puffed.

“My apologies, Dr. Oldschool, let me explain more clearly,” said the lawyer with a quieter professional tone.

The gist of the above dialogue is a frequent conversation in health care compliance work: As a health care professional, am I allowed to use email including unencrypted email? The short answer is, of course you can, but the caveats and longer answer cause a lot of frustration among providers, patients, and the messengers of the information.

Participants in the health care industry started asking questions about the proper use of email communication with patients because of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (more specifically its detailed rules that followed years later). The rules regarding privacy protections for a patient’s protected health information (PHI) came online in April 2003 and the more relevant rules for security protections (for electronic communications like email) came online in April 2005.

So why the frustration? Well, in the early days of HIPAA compliance (yes, there is now HIPAA history), the concept of securing emails containing PHI was considered an “addressable” versus a “required” standard. Required is a little obvious, and that means, yes, you have to do that. But, what addressable means has not been so obvious. Notably, addressable does not mean the standard is optional. Addressable does mean that you have to evaluate whether it is reasonable and appropriate for that particular provider to comply with the standard. If not, and if no other alternative standard works, the provider needs to document its evaluation and reasons for not being able to comply with the standard.

To this day, the use of encryption, and hence, the use of encrypted or unencrypted email as a method of communicating with patients, remains addressable. But (yes, a caveat), the law has changed and the industry has changed since April 2005.

On the legal side, we now have the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) that dramatically increased penalties for HIPAA non-compliance and breach situations. Like it or not, any time a regulatory enforcement scheme steps up investigative activity and financial penalties, the legal risk to those that have to comply with the scheme increases as well.

Also on the legal side, the standards a provider has to follow in analyzing breach situations have become more relevant. For example, the use of encryption technology acts akin to a safe harbor if communications such as email containing PHI are ever inappropriately intercepted. That is, if emails are encrypted and someone gains unauthorized access to those emails, according to those that make the laws, that unauthorized access would not be considered a breach because the risk that anyone could decrypt those emails is so low. The theory is that encryption, if done correctly, renders PHI unusable, unreadable, or indecipherable. The bottom line is that using encryption greatly reduces legal risk for the provider.

On the industry side, the cost and barriers to using encryption technology slowly have come down to more reasonable levels (although there is a lot of work that still could be done to provide easier cost-effective access to the technology). Patients too play a role on the industry side, and many patients expect to be able to communicate with their provider 24/7/365.

Email communication is a useful and pretty much necessary business tool. In the clinical setting, however, providers should apply a huge dose of common sense to the process of sending and receiving email that contains PHI.

First, regardless of encryption, providers should be asking patients to acknowledge the use of email as a communication tool especially if PHI will be included, and verify (yes, preferably in writing) that the patient is okay with the use of email. If there is an informed choice by the provider not to use encryption, the patient should be advised of that risk and specifically asked to acknowledge that risk. Notably, the Office for Civil Rights (OCR) has commented about patients being informed of the risks regarding unencrypted email. See 78 FR 5634; see also OCR FAQ 570.

Second, everyone involved with email, both provider and patient, really needs to understand that emails: (a) effectively last forever on those servers in cyberspace; (b) can appear in multiple local locations like computer or tablet hard drives; and (c) might be accessed by more than just the provider and the patient (e.g., spouses, children, etc.). These unfortunate factoids about email should give providers pause to limit use of email if the email includes sensitive medical information such as test results or treatment options for serious diseases. Better yet, limit access to the PHI itself either through encryption or patient portals where the information stays put in one place and simply is viewed by the provider and patient.

While Dr. Oldschool has every right to be frustrated with his lawyer’s lack of clarity and with a regulatory scheme that is massive and confusing, he just needs to follow the old rule of thumb: Make decisions about safeguarding medical information for patients as though it is your own.
See OCR HIPAA Comments (Page 5634)

http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf

See OCR FAQ

http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html