Part 2 of this blog will discuss the specific rules for communication originating from the practice to third-party providers (specialists, other practices, and insurance companies) or to the patient.
- Emails within the office: The key here is a secure server and network. You shouldn't be using a web-based email service for this. As long as the practice's server and network are secure, encryption isn't necessary for information sent within the office.
- Emails to anyone outside the practice (other than the patient): Encryption or secure messaging is mandatory whenever a patient's PHI (protected health information) is sent outside the practice.
- Emails to personal email accounts: Emails originating from the office to a personal email account must not contain PHI, nor any attachment that includes a patient's PHI. If you are working from a computer outside the practice, you must use a secure remote connection or an encrypted flash drive.
- Text messages to anyone other than the patient: Text messages are neither secure nor encrypted unless the practice uses a secure text-messaging platform. Texts should never include a patient's PHI, because a text is very easy to intercept.
Texting and emailing patients are extremely convenient, and most patients will welcome this type of communication. To be compliant, you must either use a messaging system with encryption or a patient portal that requires the patient to log in.
If you wish to use a system that isn't encrypted, the patient must be informed of the risk that the information could be obtained by a third party. As long as the patient's permission is obtained and kept on file, the practice may communicate in this manner.
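The rules above are the kind of thing an outbound mail or SMS gateway hook can enforce before a message leaves the practice. The following is an added example, not code from the original post: it classifies the recipient (inside the office, a third-party provider, a personal account, or a patient), checks whether the message or its attachments carry PHI, and applies the encryption and consent conditions from this post. The practice domain, the webmail domain list, the patient directory and the PHI patterns are all constructed for the example, and the PHI detector is deliberately simplified compared with a real DLP engine.

```python
"""Outbound-message policy check modelled on the rules in this post (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Assumed values, constructed for this example.
PRACTICE_DOMAIN = "example-practice.test"
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Simplified PHI indicators: a chart/MRN-style number, a date of birth,
# or clinical wording. A real detector would be far more thorough.
PHI_PATTERNS = [
    re.compile(r"\bMRN\s*[:#]?\s*\d{4,}\b", re.I),
    re.compile(r"\bDOB\s*:?\s*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
    re.compile(r"\b(diagnos(is|ed)|prescri(ption|bed))\b", re.I),
]


@dataclass
class OutboundMessage:
    recipient: str                 # email address or phone number
    body: str
    channel: str = "email"         # "email" or "sms"
    encrypted: bool = False        # encrypted mail, patient portal, or secure SMS platform
    attachments: List[str] = field(default_factory=list)  # attachment text contents


@dataclass
class Directory:
    patient_contacts: Set[str]     # addresses/numbers known to belong to patients
    unencrypted_consent: Set[str]  # patients whose written consent to unencrypted contact is on file


def contains_phi(text: str) -> bool:
    return any(p.search(text) for p in PHI_PATTERNS)


def message_has_phi(msg: OutboundMessage) -> bool:
    return contains_phi(msg.body) or any(contains_phi(a) for a in msg.attachments)


def classify_recipient(msg: OutboundMessage, directory: Directory) -> str:
    """Map a recipient onto the categories used in the post."""
    if msg.recipient in directory.patient_contacts:
        return "patient"
    if msg.channel == "sms":
        return "sms_third_party"
    domain = msg.recipient.rsplit("@", 1)[-1].lower()
    if domain == PRACTICE_DOMAIN:
        return "internal"
    if domain in PERSONAL_DOMAINS:
        return "personal"
    return "third_party"


def check_outbound(msg: OutboundMessage, directory: Directory) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for a message about to leave the practice."""
    kind = classify_recipient(msg, directory)
    if not message_has_phi(msg):
        return "allow", f"{kind}: no PHI detected"
    if kind == "internal":
        # Inside the practice's own secure network, encryption is not required.
        return "allow", "internal: PHI may travel within the practice's secure network"
    if kind == "personal":
        # PHI, including PHI attachments, never goes to a personal account.
        return "block", "personal account: PHI must not be sent to personal email"
    if kind == "patient":
        if msg.encrypted:
            return "allow", "patient: encrypted channel or patient portal"
        if msg.recipient in directory.unencrypted_consent:
            return "allow", "patient: unencrypted, but informed consent is on file"
        return "block", "patient: PHI needs encryption, a portal, or documented consent"
    # Third parties by email or text: PHI only over an encrypted/secure platform.
    if msg.encrypted:
        return "allow", f"{kind}: PHI sent over an encrypted or secure platform"
    return "block", f"{kind}: PHI requires encryption or secure messaging"


if __name__ == "__main__":
    # Constructed sample directory and messages.
    directory = Directory(
        patient_contacts={"pat@gmail.com", "+15555550100"},
        unencrypted_consent={"pat@gmail.com"},
    )
    samples = [
        OutboundMessage("nurse@example-practice.test", "MRN 12345 labs are back"),
        OutboundMessage("dr@specialist-clinic.test", "Referral attached, DOB: 04/12/1980"),
        OutboundMessage("dr@specialist-clinic.test", "Referral attached, DOB: 04/12/1980", encrypted=True),
        OutboundMessage("me@yahoo.com", "Reminder for tomorrow", attachments=["MRN#4567 visit notes"]),
        OutboundMessage("pat@gmail.com", "Your prescription is ready for pickup"),
        OutboundMessage("+15555550100", "Your diagnosis results are in", channel="sms"),
    ]
    for m in samples:
        action, why = check_outbound(m, directory)
        print(f"{action:5} -> {m.recipient}: {why}")
```

The patient lookup runs before the domain check on purpose: a patient writing from a webmail address is still a patient, and the consent-on-file rule, not the personal-account rule, is the one that applies to them.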
Part 3 of this blog will cover HIPAA rules for emails and texts originating from the patient, and will wrap up with the do's and don'ts.