Can you send emails about refill reminders and be HIPAA compliant?
Caitlin Anthoney October 18, 2024
Yes. Providers can send refill reminders to patients by email, but only if the email is sent in a way that satisfies HIPAA's privacy and security requirements, which in practice means using a HIPAA compliant email solution.
What does HIPAA say about refill reminders?
Broadly, the Health Insurance Portability and Accountability Act requires providers to maintain the privacy and security of protected health information (PHI). More specifically, HHS guidance on the HIPAA Privacy Rule and refill reminders explains that sending a refill reminder is a "treatment" communication, which HIPAA permits.
However, because a reminder email can itself contain PHI (at minimum, the fact that the patient is taking a particular medication), it must be sent with the safeguards HIPAA requires, which is why providers use HIPAA compliant email platforms like Paubox.
How to send HIPAA compliant emails
- Get patient consent: A provider should obtain the patient's informed consent before emailing them PHI, and the patient must be told about the risks and benefits of receiving such communications by email.
- Use a secure email platform: Providers must use a HIPAA compliant email platform that implements security measures such as encryption of messages in transit, access controls, and audit trails, so that only authorized individuals can read the PHI.
- Enter a BAA: An email vendor that handles PHI is a business associate, so there must be a signed BAA in which the vendor accepts responsibility for protecting PHI and adhering to HIPAA regulations. Without a signed BAA, the provider exposes the organization to non-compliance findings and severe penalties.
- Include an opt-out option: Patients must be able to opt out of reminder emails or ask to be contacted by another method; HIPAA requires providers to honor reasonable requests for confidential communications by alternative means, so those preferences must be respected.
- Regularly review security: Healthcare providers must regularly audit their security measures, manage system access, and perform risk assessments to maintain HIPAA compliance.
- Train staff on email security: Employees should undergo regular HIPAA compliance training on topics like identifying phishing emails and maintaining HIPAA compliance even in remote settings.
FAQs
What is a business associate agreement?
A business associate agreement (BAA) is a legally binding contract between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and a business associate that creates, receives, maintains, or transmits PHI on its behalf. The agreement sets out how the business associate must protect protected health information (PHI) as required by HIPAA regulations.
Can providers disclose PHI without patient consent?
Yes. HIPAA permits providers to use and disclose protected health information (PHI) without patient authorization for treatment, payment, and healthcare operations, and in limited other circumstances, such as when disclosure is required by law or is needed to prevent a serious threat to health or safety.
Can family members be informed about a patient's treatment via HIPAA compliant email?
Yes, if the patient consents, providers can use HIPAA compliant emails to share relevant information with designated family members.