Secure electroencephalograms (EEGs) with HIPAA compliant emails

Electroencephalograms (EEGs) are protected health information (PHI), so healthcare providers must use HIPAA compliant emails to share EEG reports with patients or colleagues involved in patient care.

What are EEGs?

According to Johns Hopkins Medicine, electroencephalograms (EEGs) are “tests that detect abnormalities in [patient] brain waves...” It involves small metal disks with thin wires (electrodes) that “detect tiny electrical charges” from brain cell activity. These charges are amplified and appear as a graph on a computer screen, which healthcare providers (like neurologists) interpret and share as needed.

Should EEGs be HIPAA compliant?

Yes, EEGs are considered protected health information (PHI) and must be HIPAA compliant as evidenced by Brown University, “PHI is individually identifiable health information that is held or transmitted by a covered entity, whether verbal or recorded in any form or medium (e.g., narrative notes; X-ray films or CT/MRI scans; EEG / EKG tracings, etc.), that may include demographic information.

So, covered entities (including healthcare providers, health plans, clearinghouses, and their business associates) must ensure that EEG data collected, stored, or transmitted are HIPAA compliant to protect patient privacy.

How to share EEG data securely

1. Obtain patient consent: Providers must obtain informed consent before sharing a patient's EEG data. 
2. Use a HIPAA compliant solution: Providers must use a HIPAA compliant solution, like Paubox, which uses TLS (transport layer security) and AES (Advanced Encryption Standard) to protect emails and their attachments during transit and at rest. 
3. Sign a business associate agreement (BAA): HIPAA compliant email solutions must sign a BAA to ensure they are HIPAA compliant and will protect the privacy and security of PHI shared through their platform.
4. Implement access controls: HIPAA compliant emails must be restricted to authorized staff members only. These role-based access controls can help organizations prevent potential data breaches and their associated penalties. 
5. Monitor email activity: Providers must regularly monitor email activity, keeping track of who accessed or sent PHI. 
6. Provide HIPAA training: Staff must undergo regular HIPAA compliance training, so they are aware of regulatory changes and up-to-date on the latest HIPAA requirements for protecting PHI.
7. Develop guidelines: Provider organizations must develop policies that outline when and how to send HIPAA compliant emails to patients. These guidelines should include information on obtaining patient consent, encryption methods, and how to handle potential PHI breaches.

Go deeper: Developing guidelines for HIPAA compliant email patient communication

FAQs

Can providers use regular email services like Gmail to send PHI? 

No, standard email services, like Gmail, are not secure. Instead, providers must use a HIPAA compliant emailing platform, like Paubox, to safeguard patients' protected health information (PHI).

Additionally, Paubox signs a business associate agreement (BAA) with the healthcare entity to ensure HIPAA compliance.

How long should providers keep PHI?

The retention period for PHI differs by state law and federal regulations, but providers must retain medical records for at least six years from the date of creation or the date when the records were last used.

How often should providers conduct HIPAA audits?

Providers must conduct HIPAA audits at least annually or more frequently if there are changes in the organization's processes or HIPAA regulations.

Learn more: HIPAA Compliant Email: The Definitive Guide