The 2013 modification to the HIPAA rules allows covered entities to send individuals unencrypted emails if they have advised the individual of the risk and the individual still prefers the unencrypted email. A search of the language in the updated regulations did not produce any mention of texting, SMS, remote monitoring, telehealth or use of video.
The upside is that the feds did allow some free choice by including the patient in the decision to use plain old unencrypted email if they so choose. The downside is that the regulations stopped short of extending that right to choose to any of the other popular, rapidly spreading ways of communicating with and extending care to a remote patient.
We know that it is a short jump to include forms of texting, SMS, remote monitoring or use of video in the administration of care, and that it is being done by a few providers who are willing to take the security risk. As once said, the best form of care is communication. Does the approval of unencrypted email in the guidelines open the door to increasing the number of providers and patients willing to communicate with email? How will it affect patient engagement?
“Comment: Several commenters specifically commented on the option to provide electronic protected health information via unencrypted email. Covered entities requested clarification that they are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. Some felt that the “duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome on covered entities. Covered entities also requested clarification that they would not be responsible for breach notification in the event that unauthorized access of protected health information occurred as a result of sending an unencrypted email based on an individual's request. Finally, one commenter emphasized the importance that individuals are allowed to decide if they want to receive unencrypted emails.
Response: We clarify that covered entities are permitted to
send individuals unencrypted emails if they have advised the individual of the
risk, and the individual still prefers the unencrypted email. We disagree that
the “duty to warn” individuals of risks associated with unencrypted email would
be unduly burdensome on covered entities and believe this is a necessary step
in protecting the protected health information. We do not expect covered entities
to educate individuals about encryption technology and the information
security. Rather, we merely expect the covered entity to notify the individual
that there may be some level of risk that the information in the email could be
read by a third party. If individuals are notified of the risks and still
prefer unencrypted email, the individual has the right to receive protected
health information in that way, and covered entities are not responsible for
unauthorized access of protected health information while in transmission to
the individual based on the individual's request. Further, covered entities are
not responsible for safeguarding information once delivered to the individual.”