Wednesday, October 5, 2011

HIPAA & Emailing Patient Information



The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that provides privacy protection for personal health information held in electronic format. HIPAA applies not only to health care providers but also to entities that process or store personal health information, including answering services that forward personal health information to health care providers.


Access to Electronically Stored Patient Information


HIPAA discourages unnecessary access to electronically stored personal health information. The regulations also require detailed records of employee access to patient information. For example, call centers must audit who has access to electronically stored patient information, and the audit log must record the date and time of each access as well as the employee's name or number.


Email Format and Encryption


Employees should limit the amount of patient information they include in email. HIPAA requires encryption of emails containing patient information that are transmitted over the Internet. Special software allows recipients to retrieve encrypted emails by entering a secure password.


Breach Notification


In the event of unauthorized access, use or disclosure of patient information, HIPAA requires notification. If a security breach involves 500 or more health plan participants, an employer must notify the news media and HHS and inform affected individuals of the breach within 60 days; the notice to affected individuals must include: (1) information concerning the date of the breach and how the breach occurred, (2) information about the nature of the data disclosed, (3) ways affected patients can prevent any damage caused by the breach, (4) a description of the investigation and action taken to prevent additional disclosures, (5) contact information for individuals with additional questions.


Notice Delivery


HIPAA outlines specific requirements for delivering the notice to individuals affected by an unauthorized use or disclosure. Regulations require companies to notify affected individuals via first-class mail at their last known address. If the individual is deceased, the notification must be mailed to their next-of-kin. If an entity is unable to locate an address for an affected individual, another form of notice is required. Additionally, if another form of notice is needed for 10 or more affected patients, an entity must place a notice on its website or inform a news organization.


Enforcement and Penalties


The Department of Health & Human Services Office for Civil Rights enforces HIPAA and investigates violations. HIPAA regulations establish civil monetary and criminal penalties for the disclosure of patient information; HIPAA establishes civil penalties of $100 for each violation, with a maximum of $25,000 per calendar year for all violations. Civil penalties may not be assessed in instances where the breach was due "to reasonable cause and not to willful neglect." (Reference 2)