How email combats the risk of incidental exposures of PHI to passersby
Kirsten Peremore
February 15, 2025

Email can act as a supplement to conventional appointments. HIPAA compliant email systems can be used to send material related to diagnoses, prescriptions, and follow-up instructions that when discussed in busy clinical settings could result in the exposure of protected health information (PHI).
The risk of incidental exposures
According to a study published in Healthcare (Basel), “The total number of records exposed in these breaches was more than 10 billion (10,376,741,867) [6]. The different types of attacks used to breach the information were Intentional Insider Attacks (INSD)...Unknown Approaches (UNKN), and Unintentional Disclosure (DISC).” There are a multitude of opportunities for incidental exposure of PHI to passersby. These include:
- Overheard conversations between healthcare providers and patients in waiting areas, hallways, or elevators.
- Sign-in sheets left unattended on reception desks, with patient names and appointment times visible to anyone who walks past.
- An open computer screen displaying patient data, unencrypted fax transmissions, or misdirected paperwork.
HIPAA compliant email: The solution
HIPAA compliant email is both familiar and versatile in its uses in the healthcare space. In the context of preventing incidental exposures, in-person visits remain necessary, but email provides a way to communicate details that would otherwise extend the in-person session and invite exposure. This is especially true in shared hospital rooms or busy clinics where consultations may take place in the open.
Instead of discussing extensive prescription data or the specifics of a diagnosis in person, providers can send this information in a way patients can view at their own convenience. In turn, patients can take the time to carefully consider the information and ask questions through a secure channel.
Best practices for the effective use of HIPAA compliant email to combat incidental exposures
- Select an email service that offers end-to-end encryption and will sign a Business Associate Agreement (BAA).
- Confirm email addresses through a second step, such as a confirmation email, to reduce bouncebacks.
- Conduct regular list maintenance to remove invalid or inactive email addresses.
- Monitor email activity with detailed audit trails.
- Send an advance email to warn the patient if you are about to send an email with PHI included.
- Use secure email retention systems to ensure the availability of electronic PHI (ePHI).
FAQs
What is an incidental disclosure of PHI?
An incidental disclosure occurs when patient information is unintentionally shared during a permissible activity under HIPAA.
Is every unintentional disclosure a HIPAA violation?
No. Not every unintentional disclosure qualifies as an incidental disclosure; breaches due to mistakes, oversights, or lack of awareness are still violations.
What are 'reasonable safeguards' in relation to incidental disclosures?
Reasonable safeguards are proactive steps that covered entities can take to minimize the occurrence of incidental disclosures and protect client privacy.