Email has become an important mode of communication for business operations, with approximately 100 billion business emails sent in 2013 alone. Included in these messages are patients’ personal and health information, such as test results, diagnoses, and social security numbers. The Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) regulate the transmission of this sensitive information, known as protected health information (“PHI”), by Covered Entities, and in some circumstances, Business Associates.
Covered Entities are generally health plans, health care providers who engage in certain health care transactions electronically, and health care clearinghouses. Business Associates are persons or entities that provide services to or for a Covered Entity, and as part of providing those services, receive or have access to PHI from or on behalf of the Covered Entity. Business Associates can include accountants, auditors, and lawyers.
Importantly, neither the HIPAA Privacy Rule nor the Security Rule specifically prohibits the use of email to transmit PHI. Determining when and under what circumstances to disclose PHI in emails is an ongoing struggle for businesses both large and small. Angela T. Burnette and Swathi Padmanabhan, both of Alston & Bird LLP, have compiled practical guidance to help inform such decision making. Indeed, their recently published article in the American Health Lawyers Association’s Connections magazine, entitled “Tips and Tactics for Transmitting PHI by Email,” addresses, among other things:
- Alternatives to and strategies for transmitting PHI by email;
- Disposal of emails containing PHI; and
- Lessons learned from recent email breaches that were reported to the Department of Health and Human Services (“HHS”).
The full article can be accessed here. For further questions, or for assistance with HIPAA compliance, please contact Angela Burnette at firstname.lastname@example.org or Swathi Padmanabhan at email@example.com.