Emails between providers need to be HIPAA compliant when they contain Protected Health Information. In such cases, communications must be for a purpose permitted by the HIPAA Privacy Rule, must comply with the minimum necessary standard when applicable, and must be sent over a HIPAA compliant email service – unless an exception applies.
Providers need to communicate with each other for multiple reasons. Some communications may be to pass on research data, some may be to discuss forthcoming medical conferences, and others may be to organize a round of golf. When providers discuss patient information with each other, communications are most often conducted via an EHR or other referral software.
However, when providers discuss patient information with each other via email for a permitted purpose, the emails between providers need to be HIPAA compliant – unless an exception applies. This article discusses the HIPAA requirements for provider-to-provider communications that contain PHI, the conditions for HIPAA compliant email, and some of the exceptions that may apply.
Permitted Disclosures of PHI
The HIPAA Privacy Rule generally permits disclosures of PHI between providers for treatment, payment, healthcare operations, and any other purpose for which an authorization or opportunity to agree or object is not required (§164.512). Exceptions exist when a patient has requested privacy protections or the disclosure is not permitted by §164.502(a)(5) – for example, to investigate a colleague who may have facilitated reproductive health care.
Other than when disclosures of PHI are for the treatment of a patient, are required by law, or are authorized by the patient being discussed, emails between providers must comply with the minimum necessary standard. Consequently, if two providers are exchanging views on patient safety activities and the quality of healthcare delivery by email, the PHI disclosed in the emails must be limited to the minimum necessary to achieve the purpose of the disclosure.
In some circumstances, it may also be necessary for a Business Associate Agreement to be in place in order for emails between providers to be HIPAA compliant. These circumstances include when there is no existing treatment relationship between the patient and one of the providers, and when one of the providers does not qualify as a HIPAA covered entity because they do not conduct HIPAA-regulated healthcare transactions electronically.
HIPAA Security Rule Considerations
In most cases, the HIPAA Security Rule considerations for when emails between providers need to be HIPAA compliant are the responsibility of the HIPAA covered entities for whom providers work. Therefore, deploying an email service that supports HIPAA compliance, entering into a Business Associate Agreement with the service vendor, and configuring the service to comply with standards relating to access controls, audit logs, etc. is not the responsibility of the individual provider.
Sole practitioners and providers who share responsibility for HIPAA compliance in a small practice need to be aware of applicable Administrative, Physical, and Technical Safeguards, and ensure the Safeguards are implemented in accordance with the General Requirements (§164.306(a)). These require that any measures implemented to comply with the HIPAA Security Rule protect against reasonably anticipated disclosures of PHI not permitted by the HIPAA Privacy Rule.
In the context of when emails between providers need to be HIPAA compliant, this may mean assigning unique user authentication, developing emergency access procedures, and ensuring that audit logs monitoring activity in users’ email accounts are activated. Depending on the email service’s default encryption standards, it may also be necessary to upgrade the encryption standards or subscribe to a secondary service to comply with the HIPAA encryption requirements.
Exceptions to when Emails Between Providers Need to be HIPAA Compliant
Disclosures of PHI via a HIPAA compliant email service must be consistent with the content of the HIPAA covered entity’s Notice of Privacy Practices. The Notice of Privacy Practices not only explains to patients how their PHI may be used or disclosed, but it also lists patients’ rights under HIPAA. One significant right that could create an exception to when emails between providers need to be HIPAA compliant is the right to direct PHI to another provider.
Under the right to direct PHI to another provider, a patient can stipulate the format in which PHI is directed from one provider to another. If a patient stipulates that PHI is transferred from one provider to another provider by email, and one or both of the providers does not use a HIPAA compliant email service, the right to direct PHI to another provider supersedes the requirement for emails containing PHI between providers to be HIPAA compliant.
Other less likely exceptions to when emails between providers need to be HIPAA compliant include emergency events – either when an EHR or other referral software experiences an outage and it is necessary for providers to communicate via a non-compliant service, or when HHS’ Office for Civil Rights announces a limited HIPAA compliance waiver during a public health emergency (although this is more likely to be a Notice of Enforcement Discretion).
HIPAA covered entities and the providers who work for them need to be aware of these exceptions – particularly the right to direct PHI to another provider via a non-compliant email service – to avoid complaints to HHS’ Office for Civil Rights from individuals who have been denied their HIPAA rights. HIPAA covered entities and providers who need more information about when emails between providers need to be HIPAA compliant are advised to seek independent compliance advice.