Paubox blog: HIPAA compliant email made easy

The impact of HIPAA's verification requirement on HIPAA compliant email

Written by Kirsten Peremore | September 26, 2024

HIPAA's verification requirement comes into play when an individual requests access to a patient's health information from a covered entity or business associate. The standard ensures that health information is only shared with authorized individuals.


Understanding HIPAA's verification requirement

The HIPAA verification standard requires covered entities and business associates to confirm the identity and authority of anyone requesting access to protected health information (PHI) before it is disclosed. The safeguard is designed to protect patient privacy by blocking unauthorized access. It works by verifying who is asking for the information, whether that is the patient, a family member, or an entity such as an insurance company, so that only those with proper authorization can access sensitive health data.


How the standard influences email communications

The HHS states, "The Privacy Rule allows for verification in most instances in either oral or written form, although verification does require written documentation when such documentation is a condition of the disclosure." Before sending an email containing the requested PHI, the standard requires healthcare providers to establish clear procedures for verifying the identity of patients and of any other authorized individuals.

This means that organizations should not only invest in HIPAA compliant email platforms that encrypt PHI within emails, but should also take steps before sharing PHI to verify that the recipient is an authorized person. This step makes sure that the email is sent to the right person.


How to comply with the standard

Verify the recipient's identity

  • Ask for key personal information (e.g. full name, date of birth, medical record number)
  • Make sure that the person has authorized access if they are not the patient, e.g. a legal representative or other designated third party.

Obtain proper authorizations

  • Confirm that signed HIPAA authorization forms are in place before sending PHI, especially to third parties such as insurers.
  • Ensure that the patient has given explicit consent for communication via email. 

Use encrypted email services

  • Send emails using HIPAA compliant platforms that offer secure encryption to protect data in transit. 
  • Avoid using standard, unsecured email services for PHI.

Use digital signatures for verification

  • Use digital signature solutions that require recipients to electronically sign and verify their identity before accessing PHI. 
  • Ensure that the digital signature process records a verifiable audit trail.

FAQs

Is verification required beyond requests for access to a patient's PHI? 

HIPAA verification is also required for other disclosures of PHI, including those for treatment, payment, or healthcare operations.


What is PHI?

Protected health information refers to any health-related information that can identify a patient, such as medical records.


What is a digital signature?

An encrypted, electronic form used to verify the identity of the signer.