How the HIPAA Omnibus Final Rule Applies to E-mail Communication with Patients

The Omnibus Final Rule was introduced at the start of the year and covered organizations – which now include business associates and their subcontractors – now need to update procedures and policies to comply with the new regulations if they have not already done so. The deadline for compliance with the new rule is September 23, 2013 and any covered entity found not to have implemented the required changes after this date could incur a financial penalty up to $1.5 million.

The new changes have been criticized by some members of the healthcare community; however the changes are necessary in order to improve the rights of patients to access their medical data. The Omnibus Rule now allows them to have much greater autonomy and make decisions about how their medical information is communicated to them.

If a patient is comfortable receiving information via E-mail this has previously presented a problem for healthcare companies. E-mails can be intercepted, the emails are often stored unsecured servers – where they can remain indefinitely – and there is no guarantee that the intended recipient will be the only person to read the E-mail. Sending unencrypted E-mails containing PHI would violate HIPAA regulations.

However under the new rule, patients are able to be sent unencrypted E-mails containing their PHI if they so wish, provided that they have been informed of the risks. If a healthcare provider explains to the patient that E-mail is not totally secure and there is a chance that their data could be viewed by other people the patient can be sent E-mails. Patients are permitted to take risks with their own data. Healthcare organizations are not.

Should any patient elect to receive unencrypted E-mails it is strongly advisable to have the authorization in writing. While this is not stated explicitly in the legislation as being mandatory, it would be unwise to send any PHI without having documentation to prove that the patient has been informed of the risks. Permission must be obtained prior to sending the E-mail. It is still not permitted to send E-mails under an opt-out policy. Patients must opt-in to receive electronic communications.

To what extent do the risks need to be explained? According to a statement issued by the DHSS in 2013, “We do not expect covered entities to educate individuals about encryption technology and the [sic] information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party.”

It is important for healthcare organizations to be familiar with State laws on E-mail containing PHI. HIPAA makes some provision for E-mail communication, although some States impose tougher restrictions to control the release of patient data. State laws will apply when they increase the protection offered under HIPAA, with the Omnibus Final Rule considered to be a minimum national standard only.

It should be borne in mind that regardless of what a patient requests, electronic communications must not be sent unless a business agreement is in place with the provider of the service. Under the Omnibus Rule, all business associates must agree to comply with HIPAA Privacy and Security Rules and a business agreement must be signed. If no current business agreement is held, a message containing PHI that is sent to a patient via Skype, for example, would be a HIPAA violation even if the patient knew the risks and signed a document to that effect prior to the message being sent.

The new rule may not be the easiest to implement and it could have considerable cost implications for some healthcare organizations; however the legislation is necessary to ensure patient data is properly protected and patients should be allowed to make decisions about their data and be given greater access if required.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.