Keep Your Practice Email Compliant

072915 Uh Oh

When setting up a new email address or username, isn’t it interesting how many names are already taken? For this reason, it is entirely possible for an email to be sent to the wrong recipient; all it takes is typing one additional letter or number to send the message to the wrong person. For example, may be a different person than . Also, many email programs come preset with auto-fill features: you begin typing an email address and the program suggests any previously used address that starts with those same letters or characters. This auto-fill feature has led to many emails being accidentally sent to the wrong recipient.

If patient information is sent to the incorrect person, or a message is intercepted, it could be a breach under HIPAA and possibly under state law as well.

Prepare for the unexpected

In our previous post, we discussed the use of a disclaimer notifying the recipient of the insecurity of electronic communications, and provided instructions in case of a misdirected message. In addition to a disclaimer, there are other steps you can take.

  1. Have patients sign an agreement confirming that they have agreed to receive electronic communications, such as email or facsimile.
  2. Include in the signed agreement an explanation of the potential risks to patients. State that their information could be intercepted or received by the wrong party, so that patients understand the risks and still agree to receive electronic communications.

Further, as a result of the HIPAA Omnibus Rule, covered entities must assess the probability that protected health information has been compromised using a risk assessment that considers at least the following four factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.
  2. The unauthorized person who used the protected health information or to whom the disclosure was made.
  3. Whether the protected health information was actually acquired or viewed.
  4. The extent to which the risk to the protected health information has been mitigated.

What if you breach an individual’s PHI?

If you determine that a breach has, in fact, occurred, you must notify the affected individual(s) of the breach in writing. It is appropriate and expected to notify an individual if it is suspected that their PHI has been viewed, intercepted, or received by an unauthorized recipient.

The HITECH Act provides for actual written notice to affected individuals, as well as substitute notice when contact information is insufficient or out of date. The statute requires breach notifications to be sent by first-class mail to the last known address of the individual (or of the next of kin if the individual is deceased), or by electronic mail if the individual has specified email as their preferred method of contact.

It is extremely important to make sure you have the correct mailing address and correct email address, including the correct spelling.

What needs to be provided when notifying an individual of a breach?

Using Omnibus as a guide, the following are required to be included in a breach notification:

  1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
  2. A description of the types of unsecured protected health information that were involved in the breach.
  3. Any steps individuals should take to protect themselves from potential harm resulting from the breach.
  4. A brief description of what the covered entity involved is doing to investigate the breach, mitigate the harm to individuals, and to protect against any further breaches.
  5. Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, Web site, or postal address.

Healthcare Compliance Pros is a terrific resource for additional information on this topic.
