2013 HIPAA Modifications Say It's OK To Use Unencrypted Email IF...
2013 HIPAA Modifications Simplify Unencrypted Email Use
by Jim Bloedau

The 2013 modifications to the HIPAA rules allow covered entities to send individuals unencrypted email if they have advised the individual of the risk and the individual still prefers unencrypted email. A search of the language in the updated regulations did not produce any mention of texting, SMS, remote monitoring, telehealth or use of video.

The upside is that the feds did allow some free choice by including the patient in the decision to use plain old unencrypted email. The downside is that the regulations stopped short of extending that right to choose to any of the other popular and rapidly commonplace ways of communicating with, and extending care to, a remote patient. We know that it is a short jump from email to texting, SMS, remote monitoring or video in the administration of care, and that it is already being done by a few providers who are willing to take on the security risk. As someone once said, the best form of delivering care is communication. Does the approval of unencrypted email in the new guidelines open the door to increasing the number of providers and patients willing to communicate by email? How about greater patient engagement?

Here is the verbiage from the regulations, or you can go to the link and search the document using the tools in your browser. The last two sentences below are the important ones: the relief from responsibility is narrow. It covers unauthorized access while the message is in transmission to the individual, sent at that individual's request after a warning, and the information once it has been delivered to the individual. Nothing here speaks to other channels or to how the covered entity protects the information before it is sent.

“Comment: Several commenters specifically commented on the option to provide electronic protected health information via unencrypted email. Covered entities requested clarification that they are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. Some felt that the “duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome on covered entities.
Covered entities also requested clarification that they would not be responsible for breach notification in the event that unauthorized access of protected health information occurred as a result of sending an unencrypted email based on an individual's request. Finally, one commenter emphasized the importance that individuals are allowed to decide if they want to receive unencrypted emails.

Response: We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. We disagree that the “duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome on covered entities and believe this is a necessary step in protecting the protected health information. We do not expect covered entities to educate individuals about encryption technology and the information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual's request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.”