It depends upon what you are emailing. If you are sending PHI, yes, you should encrypt. If you are sending records, you can easily encrypt through Winzip. Your other option is to put the document on a secure server that is encrypted. There are any number of google drive, godaddy service, dropbox, and others. Window 7 and 10 have included full drive encryption on the software. You can do a pdf and encrypt it. You can encrypt CD’s, and there are encryptable USB drives, if you wish to send electronic Protected Health Information. One thing to consider is that faxing is not considered an electronic communication under HIPAA, therefore the security regulations do not apply to it. Faxing information is considered a secure way to transmit ePHI, though it is not infallible (e.g. faxing PHI to the wrong party).
No, faxing does not make you a Covered Entity (CE). However, as noted, you may be subject to other regulations around the privacy and security of PHI.
Under the regulations, clients have the right to request alternate methods of communication. If the client requests to communicate through text messages, you should explain the risks, and have them acknowledge the risks and sign permission for the alternate form of communication. If a patient texts you, it is reasonable to assume that they understand the risks, but additional explanation of potential risks is prudent.
If text messages are being sent between two providers, and they contain protected health information (PHI), the texts need to be encrypted. If a text is sent that is nebulous such as “your 4:00 canceled,” you do not need to encrypt.
You want to look at the quality of credentials of the consultant, company, or author. Many people claim expertise and either do not have credentials, or have done a few hours of training. Certain credentials require a rigorous exam, much like a licensing exam. The following are excellent credentials:
| ORGANIZATION | CERTIFICATION |
|---|---|
| American Health Information Management Association (AHIMA) | Certified in Healthcare Privacy and Security (CHPS) |
| Healthcare Information and Management Systems Society (HIMSS) | Certified Associate in Healthcare Information and Management Systems (CAHIMS) Certified Professional in Healthcare Information and Management Systems (CPHIMS) |
| Information Systems Audit and Control Association (ISACA) | Certified Information Systems Auditor (CISA) Certified Information Security Manager (CISM) Certified in Risk and Information Systems Control (CRISC) Cybersecurity Nexus (CSX Certificate) & (CSX-P Certification) |
| (ISC)² (Inspire,Secure,Certify) | Certified Information Systems Security Professional (CISSP)Certified HealthCare Information Security and Privacy Practitioner (HCISPPsm) |
| International Association of Privacy Professionals (IAPP) | Certified Information Privacy Professional (CIPP) |
This is a common question; We all must take common sense steps to keep patient information private. This includes privacy, but also security of electronic PHI.
It depends upon what you are emailing. If you are sending PHI, yes, you should encrypt. If you are sending records, you can easily encrypt through Winzip. Your other option is to put the document on a secure server that is encrypted. There are any number of google drive, GoDaddy service, dropbox, and others. Window 7 and 10 have included full drive encryption on the software. You can do a pdf and encrypt it. You can encrypt CD’s, and there are encryptable USB drives, if you wish to send electronic Protected Health Information. One thing to consider is that faxing is not considered an electronic communication under HIPAA, therefore the security regulations do not apply to it. Faxing information is considered a secure way to transmit ePHI, though it is not infallible (e.g. faxing PHI to the wrong party).
While most people do an annual training on general HIPAA requirements, the regulations require that you train on specific policies and procedures relative to each workforce member to do their job. Training needs to be on your own policies and procedures, not just general knowledge of HIPAA. Every workforce member needs to be trained within a reasonable period of time when they start your organization; for sensitive information such a psychotherapy information, training should occur before access to PHI. You also need to train anytime that you have a breach.
Organizations are HIPAA compliant, not specific technology. HIPAA requires you to do due diligence on your business associates (BAs) to be sure they are following HIPAA.
Make sure it is a valid subpoena, and be sure you document information released in your accounting of disclosures (AoD). You must attempt to ensure that the patient has been given notice of the request (and a chance to respond), or you must secure a qualified protective order, which prohibits the parties from disclosing the PHI for any other purposes than litigation, and 2) that the PHI be returned to the CE or destroyed at the end of the litigation.
No. You are allowed to obtain patient consent to use or disclose their PHI, allowing you to stay consistent with yours state law.
A BA is any person or organization who does work for you, who is not a workforce member. Any of your employees or volunteers are not BAs. Anyone who is on the treatment team (e.g. other therapists, referring physicians, supervisors) are not BAs. You are obligated to identify any potential risks to your PHI. Given that BAs account for upwards of 30% of all breaches, you need to satisfy yourself that they are protecting PHI. Once they become a BA, and they exhibit a pattern of violations, you need to terminate your agreement with them, if feasible.
While HIPAA is a specific federal regulation around electronic billing or interactions around Medicare or Medicaid, the same privacy and security issues show up in a variety of regulations. These include federal, state, and civil statutes (tort actions). HIPAA is considered the gold standard on security PHI. By following HIPAA, you provide yourself with an affirmative defense when a breach occurs, and other statutes may be at hand.
A quick assessment of compliance consists of being able to:
- readily pull out your HIPAA policy and procedures manual
- produce your training logs (who was trained, when they were trained, a copy of the training materials, and who provided the training)
- your SRA
- consequent remediation plan,
- you must evidence that you have done due diligence on your BAs
These five items are only the tip of the iceberg of what you will be required to provide the Office for Civil Rights (OCR) as part of a breach investigation or random audit.
Yes, seeing a name on the sign in sheet is considered an “incidental disclosure” and not a breach of PHI. However, many CEs add additional security by having the patient sign on a peel off label which they remove when the person has signed in. Alternatively, others simply black out the name of the patient after they have checked in.
All CEs must follow the privacy regulations. However, the Department of Health and Human Services (HHS) allows CEs to consider their size, capabilities, and costs when determining what security measures to use.
Minimum necessary does not apply when disclosures are needed for treatment purposes, when releasing information to the patient or their representative, or when a patient authorizes release of PHI.
No, you are not required to submit your claims electronically, though some government benefit programs (e.g. Medicare) require electronic submission of claims. Additionally, other third party payers may require you to submit claims electronically.
Skype transmissions are considered encrypted. However, Skype messages are stored, thus making them stored PHI. There are other commercially available video conferencing programs which may offer more security. These include TrueConf, Off-the-Record Messaging, Jitsi, Cryptocat, and Zfone, among others.
Because mobile devices are highly prone to loss or theft, they must be encrypted. The practice should have policies and procedures addressing lockout features, appropriate use of texting, appropriate use of camera and video, the ability to examine the mobile device for compliance, and a requirement that the phone can be remotely wiped.