Healthcare organizations and their business clients are facing fines for non-compliance following the introduction of new regulations that protect the privacy of patients and the security of their personal information.
The Omnibus Final Rule was passed earlier this year, and covered organizations were required to update their policies and procedures and comply with the new regulations by September 23, 2013.
The new amendments have been criticized by some members of the healthcare community; however, the changes expand patients' rights, giving them greater autonomy to decide how and what is communicated to them and which channels may be used.
If a patient is happy receiving information via E-mail, they are allowed to continue using that medium to communicate with their healthcare providers or care team, and healthcare professionals may send information to patients by E-mail provided the patient has been made aware of the risks. If it is explained that the medium is not completely secure and that there is a chance their data could be viewed by other people, and the patient accepts those dangers, sending PHI via unencrypted E-mail would not violate any HIPAA regulations. Patients are allowed to take risks with their own data. Healthcare organizations do not have the same rights.
Should a patient decide to receive unencrypted E-mails, it is vital that authorization is obtained in writing, clearly stating that the risks have been outlined. While the legislation does not explicitly require this, it would be unwise to send any PHI without documentation showing that the right questions were asked and that the patient understands the dangers.
To what degree do the risks need to be explained? According to a statement released by the DHSS in 2013, “We do not expect covered entities to educate individuals about encryption technology and the [sic] information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party.”
While E-mails are permitted, and are even referred to in the context of sending PHI to patients on request, permission must be obtained before the E-mail is sent. Sending E-mails under an opt-out policy is still not allowed: patients must opt in to receive electronic communications.
State laws should also be reviewed: while HIPAA makes some provision for E-mail communication, individual states may impose tougher restrictions on the release of patient data. State law applies wherever it offers greater protection than HIPAA, with the Omnibus Final Rule treated solely as a minimum national standard.
It should be remembered that, regardless of patient requests, any medium used to transmit PHI may only be chosen if a business agreement is in place with the supplier of the service. Under the Omnibus Rule, all business associates must sign an agreement and agree to comply with the HIPAA Privacy and Security Rules. A message containing PHI sent to a patient via Skype, for example, would be a HIPAA breach if no current business agreement is in place, even if the patient knew the dangers and signed a document to that effect before the message was sent.
The new rule may not be the easiest to enforce, and it may have sizable cost implications for healthcare organizations; however, the legislation is necessary to ensure that patient data is properly secured. The new Rule also clarifies the rules for communicating electronic PHI and gives patients much stronger rights of access to any data stored about them.