And why a Business Associate Agreement won't protect you

BY: Staff Writer, PREFERRED Therapy Providers, Inc. 

Sending an email used to be a lot simpler. Type your message, address it to the recipient and then hit “send”. Done, over with, finished. Email is a wonderful communication tool and we tend to take it for granted. We also take for granted that the emails we send will arrive safely in the inbox of the intended recipient. But what if they don’t?

There could be a number of reasons that emails end up in the hands of the wrong person. Perhaps in your haste you entered a similar email address but not exactly the right one, maybe leaving out a letter or a number, and so sent the information to a complete stranger. Or maybe the intended recipient was out of the office for the week and emails were being forwarded to someone else. Or a system could have been hacked. It probably wouldn’t be too bad if the email didn’t contain anything sensitive, embarrassing, financial, or personal. But what if it did? And what if the information in that email ended up being read by someone who should not see it, or who would maliciously use that information to their advantage?

As healthcare professionals, we are the caretakers of a tremendous amount of information, much of which is about the patients we serve and is personal and private in nature. Healthcare providers and business associates are accountable to a higher standard when it comes to protecting this information. That’s why sending protected patient health information by email can get you into trouble – unless of course you send it in a HIPAA-compliant way.

WHAT IS PROTECTED HEALTH INFORMATION? – Commonly known as PHI, or e-PHI when it is stored or transmitted electronically, Protected Health Information is any information that identifies an individual and provides information about their healthcare. The HIPAA Privacy Rule is the federally mandated rule requiring the protection of PHI and e-PHI when it is stored or transmitted by a covered entity. Covered entities include healthcare providers, hospitals, networks, payers, clearinghouses, prescription, dental and mental health coverage, Medicare and Medicaid. PHI is the information obtained from a patient that can be used to identify them, including social security numbers, name, address, phone number, insurance ID, beneficiaries, EOBs, diagnosis, treatments and medications, to name a few. For a quick, 30-minute overview of PHI/e-PHI check out this resource.

HIPAA REGULATIONS AND EMAIL – The US Department of Health and Human Services (HHS) is the government regulatory arm for HIPAA. The HHS website provides detailed information about sending PHI in an email. And although HIPAA does not specifically prohibit the use of email for sending PHI, covered entities are required by law to implement appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

This means more than ensuring that your email server is secure or that you have a firewall. Covered entities must document a policy that includes assessing the use of open networks and identifying the solution that will be used to protect PHI email transmissions. Furthermore, ensuring the integrity of the information means that the transmitted information must be protected from being altered in transit. When it comes to health care providers communicating with patients, the HIPAA Privacy Rule does allow for electronic communications such as email, but only provided that the covered entity applies reasonable safeguards when doing so.

While the rule does not specifically say that email encryption is a requirement, encryption would certainly rank as a top affordable and attainable solution to the safeguards HHS requires to ensure that PHI is protected.

WHAT IS EMAIL ENCRYPTION? – According to this resource, email encryption disguises the content of an email message to protect sensitive information from being read by anyone other than the intended recipient and may also include an authentication process. So when you send an email containing PHI to a patient, a covered entity or a business associate, it should be sent via email encryption. Otherwise, you risk being penalized by HHS for failure to protect patient information.
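The two properties the sections above ask for, confidentiality (the body cannot be read by anyone but the intended recipient) and integrity (any alteration in transit is detected rather than silently accepted), are exactly what an authenticated encryption mode provides. The following Go program is an added illustration written for this article, not code from PREFERRED Therapy Providers or from any encryption product: it seals a constructed sample message body with AES-256-GCM, binds the recipient address into the authentication tag, and shows that a single flipped byte makes decryption refuse the message. Key distribution, certificates and mail-client integration (what S/MIME, PGP or a hosted encryption service handle for you) are assumed to be provided by whatever service you choose; the `NewKey`, `Seal` and `Open` functions and the `Envelope` type are names chosen for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the constructed on-the-wire form of one protected message body:
// a random nonce followed by the AES-GCM ciphertext with its authentication tag.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a fresh 256-bit AES key. In a real deployment the key is
// established and managed by the encryption service; it is generated locally
// here only so the example runs stand-alone (assumption for this demo).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts the message body. The recipient address is passed as associated
// data: it stays readable (mail must still be routed) but is covered by the
// authentication tag, so a body re-addressed to someone else fails to open.
func Seal(key []byte, recipient string, body []byte) (Envelope, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, body, []byte(recipient))
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// Open verifies and decrypts. Any change to the ciphertext, the tag, the nonce
// or the recipient address makes verification fail, and no plaintext is returned.
func Open(key []byte, recipient string, env Envelope) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("malformed envelope: bad nonce length")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(recipient))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample body with placeholder values; not real patient data.
	body := []byte("Patient: J. Doe (MRN PLACEHOLDER-0001)\nDx: example diagnosis\nPlan: PT 3x/week")
	recipient := "claims@partner.example"

	env, err := Seal(key, recipient, body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed body: %d bytes of ciphertext, body text not visible\n", len(env.Ciphertext))

	if pt, err := Open(key, recipient, env); err == nil {
		fmt.Printf("intended recipient recovers %d bytes of plaintext\n", len(pt))
	}

	// Simulate alteration in transit: one flipped byte must be rejected outright.
	env.Ciphertext[0] ^= 0x01
	if _, err := Open(key, recipient, env); err != nil {
		fmt.Println("altered message rejected:", err)
	}
}
```

The point to take from the demo is the failure behaviour: a message that was changed, or whose address was swapped, does not come back as slightly wrong text, it does not come back at all. That is the integrity property the Privacy Rule's safeguards call for, and it is why a plain TLS hop or a firewall alone does not satisfy it once the message leaves your server.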

HOW DO I FIND EMAIL ENCRYPTION SOFTWARE? – There are several ways to find encryption software for your emails. You can request a free reference sheet that provides a list of encryption services (for reference only – we do not endorse any particular software). Encryption software prices vary, so be sure to shop around and ask questions. Additionally, a Google search using the terms “email encryption service healthcare” will generate several options.

WHY A BAA WON’T PROTECT YOU – A signed Business Associate Agreement (BAA) with a vendor, network, payer, clearinghouse or other partner does not mean that you can share or send PHI to them without ensuring that the safeguards mandated by the HIPAA Privacy Rule are met. A BAA simply means that permission has been granted to disclose protected health information to the partner in its role as a business associate. It does not mean that you can send PHI by regular email. Never send unencrypted patient information to a business associate. Furthermore, always be certain that you have a current HIPAA business associate agreement in place with each partner to assure compliance.

TOP TAKEAWAYS TO IMPLEMENT NOW – Here are the top takeaways you can implement now to be sure that your healthcare practice complies with the HIPAA Privacy Rule:

  • Don’t put off finding encryption software. The cost of an encryption service is far lower than the penalties you could pay for violations without it.
  • Secure emails by encryption and create a written policy on how emails that contain patient information must be sent. Educate your staff and enforce your policy.
  • Never send unencrypted emails to other health care providers, payers, networks, vendors or others.
  • Make sure that you have a signed, current Business Associate Agreement before disclosing PHI.
  • Be sure that your EHR software has secure patient portal functionality with a secure browser so that you can communicate securely with patients. Make sure that you have a patient’s written consent to send them secure emails.


This article is brought to you by PREFERRED Therapy Providers, Inc. PREFERRED connects its growing national network of physical, occupational and speech therapy providers to health plans and benefit administrators by providing a centrally managed, single-source contract procurement service, credentialing, claims denial intervention assistance, and practice building resources.