HIPAA: Issues of Health Information Privacy and Security
By Bryan Bailey, Esq., Tory McJunkin, MD, Paul Lynch, MD, & Edward Swing, PhD
Dear Arizona Pain Specialists:
My group emails appointment reminders to patients and we are considering emailing test results and other treatment information to patients. Are there any HIPAA issues we should be concerned about?
Emailing in the Dark
Dear Emailing in the Dark:
Yes, if your practice is a covered entity under HIPAA, emailing a patient or emailing patient information implicates both the HIPAA Privacy and Security Rules. The content of the email, including the patient’s email address, constitutes protected health information (PHI).
The first question you always have to ask yourself before you disclose PHI, whether via email, telephone or in person, is whether the disclosure is permitted by the Privacy Rule. Thankfully for you, disclosures for treatment purposes are always permitted. However, the second question is how much PHI you need to disclose, since the Privacy Rule requires the PHI disclosed to be the minimum necessary for the disclosure. For example, if you’re emailing an appointment reminder to a patient, the minimum PHI necessary for the disclosure would probably be the date, time and location of the appointment. Including the purpose of the appointment (e.g., follow up appointment regarding your lumbar epidural) probably would not comply with the minimum necessary requirement.
Next, the Privacy Rule requires your practice to implement safeguards to protect PHI from intentional and unintentional disclosures that violate the Privacy Rule. In addition, since PHI sent via email is in electronic form, it constitutes electronic protected health information (ePHI) and is subject to the Security Rule – the Security Rule only applies to ePHI. Generally speaking, the Security Rule requires your practice to analyze and implement technical, physical and administrative safeguards to protect the confidentiality, integrity and availability of ePHI. In layman’s terms, this means you need to make sure you have done everything you can to make sure no one other than the patient accesses the email!
Earlier this year, the Office for Civil Rights (OCR), the government agency that enforces the Privacy and Security Rules, entered into a Resolution Agreement and Corrective Action Plan with a small physician practice who OCR believed violated the Privacy and Security Rules. The information in the Agreement and Plan are telling regarding OCR’s interpretation and enforcement of these Rules.
For example, one of the ways in which OCR believed the group violated the Rules was that the group’s employees emailed ePHI amongst themselves. Specifically, the Agreement states that the group “failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI held by the” group. In addition, the group’s employees used Internet-based public email providers (e.g., Yahoo!, Hotmail, Gmail, etc.) to email the ePHI. The Agreement states that the group permitted these providers “to receive, store, maintain and transmit ePHI on the
Among other things, the Corrective Action Plan requires the group to perform a risk assessment of all of its ePHI and implement a “risk management plan that implements security measures sufficient to reduce risks and vulnerabilities to ePHI identified by the risk assessment….” The Plan also requires the group to ensure that all “ePHI transmitted over an electronic communications network” is “encrypt[ed] or otherwise adequately safeguard[ed]” against unauthorized access. Incidentally, the Plan requires the group to “submit evidence to satisfy this obligation that includes text messaging of ePHI.” In other words, the Plan requires all of the group’s emails and text messages containing ePHI to be encrypted!
In addition to complying with all of the obligations in the Plan, the group paid OCR $100,000 to resolve the matter. That may seem like a lot (and it is), however, OCR could have imposed significantly higher financial penalties.
In summary, it would be wise for your practice stop emailing any ePHI for any purpose until it has confirmed its compliance with the Privacy and Security Rules. Based on the aforementioned Resolution Agreement and Corrective Action, if your practice hasn’t performed a risk assessment and implemented a risk management plan, which includes encryption of all ePHI that is emailed or texted, or if your practice’s employees use internet-based email providers to email ePHI and the practice does not have Business Associate Agreements in place with these providers, it is fair to say that you won’t be in compliance with OCR’s interpretation of the Rules.
Arizona Pain Specialists
Dear Arizona Pain Specialists:
One of our MAs had written patient records that she was transporting between offices stolen from her car. Do we have to notify the patients whose records were stolen – we’d rather not?
Desperately Seeking Records
Dear Desperately Seeking Records:
Your story is all too common…And preventable!
The short answer is, probably. And, if you must notify the patients whose records were stolen, you also must notify OCR. Moreover, if more than 500 patients’ records were stolen, then you also must notify the media in your area.
The Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which was passed in 2009 as part of the economic stimulus legislation, provides grants to physicians who implement certified electronic health record systems and satisfy the meaningful use criteria. The Act also requires covered entities to notify patients, OCR and, possibly, the media when there is a breach of “unsecured protected health information.”
A breach occurred if the stolen patient records contained information that presents “a significant risk of financial, reputational or other harm to the” patients. For example, if the records contained patients’ names, dates of birth, social security numbers and addresses, this would present a significant risk of financial or other harm to the patients. Moreover, if the records contained sensitive or potentially embarrassing medical information, then there would be a significant risk of reputational or other harm.
The HITECH Act contains certain exceptions to the breach definition that, if applicable, would not require notice. Unfortunately, none of those exceptions are applicable to stolen patient records. However, even if there was a breach, you would not have to provide notice unless the patient records constitute “unsecured PHI.”
“Unsecured PHI” is PHI “that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary [of the Department of Health and Human Services] in guidance issued under [the HITECH Act] on the HHS Web site. Since the patient records were written records, they were usable, readable or decipherable to whoever has them. Consequently, they constitute “unsecured PHI.”
The HITECH Act requires you to document your breach analysis and the commentary to the regulations implementing the HITECH Act identify a number of factors that should be considered. Make sure your analysis includes these factors!
If you determine that a reportable breach occurred, you must notify the affected patients as soon as reasonably possible, but not later than 60 days, after the date you discovered the breach and notify OCR within 60 days following the end of the calendar year. If you must notify patients, the notice must be written in plain language and, to the extent possible, include the following:
□ A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
□ A description of the types of unsecured PHI that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
□ Any steps patients should take to protect themselves from potential harm resulting from the breach;
□ A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to patients, and to protect against any further breaches; and
□ Contact procedures for patients to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, website or postal address.
The patient notice must be sent to the patient via first class mail to the patient’s last known address or, if the patient agreed to electronic notice and the agreement has not been withdrawn, via email. If additional information comes available, the information may be provided in more than one mailing, as the information becomes available. If there is insufficient or out-of-date contact information that precludes written notice, you must provide a substitute form of notice as specified at 45 C.F.R. § 164.404(d)(2). If you believe there is a possibility of imminent misuse of a patient’s unsecured PHI, you may provide the required information via telephone.
With respect to the notice to OCR, the notice must be submitted electronically via a breach report form which is available on OCR’s website:
Arizona Pain Specialists
Dear Arizona Pain Specialists:
Our practice wants to include patient testimonials on our website. Are there any issues we should be aware of beforehand?
Dear Testimonially Naïve:
Patient testimonials are a great thing; they’re also PHI. Consequently, even if a patient consents to posting a testimonial, you should not do so unless the patient executes a HIPAA-compliant Authorization that expressly authorizes the practice to disclose the patient’s PHI. Since the HIPAA Privacy Rule generally prohibits indefinite Authorizations, you will need to make sure you have a policy and system in place to get an updated Authorization as previous Authorizations expire.
In addition, since your testimonials will identify the patient in some way, it is a good idea to have the patient sign a separate consent documenting the patient’s consent to use them and their statements for promotional purposes. Otherwise, the practice risks a patient claiming it not only violated the patient’s right to privacy but their intellectual property rights.
Arizona Pain Specialists
Bryan Bailey is an attorney at Milligan Lawless, P.C. specializing in health care law and business transactions. Dr. Lynch and Dr. McJunkin own and operate Arizona Pain Specialists, a comprehensive pain management practice that provides minimally invasive, clinically proven treatments, with three locations in the greater Phoenix area. Dr. Lynch and Dr. McJunkin also provide consulting services to other pain doctors around the country through their partner company, Boost Medical. For more information, visit ArizonaPain.com and BoostMedical.com.