Consumers are used to snapping pictures with their cell phones and instantly texting or emailing them to relatives and friends without worrying about the security and privacy of their information. However, when it comes to a doctor-patient relationship, there are strict federal and state regulations governing the sharing of confidential patient health information. As a covered entity, a doctor has to safeguard a patient's health information at all times. The HIPAA Security Rule mandates the security and privacy of all electronic health information, whether the data is sitting on the doctor's computer (at rest) or is emailed or transmitted (in motion). Patients may not know about the disastrous consequences of medical identity theft or may not take it seriously. To prevent any adverse consequences to their practice and reputation, it is incumbent upon the doctor to understand the potential calamitous consequences of medical identity theft and to convey them to their patients.
So as a doctor, what do you do when a patient asks to communicate his or her health concern via email or text? Should you allow it? Does your practice have a well-documented policy to address this situation? Do you inform the patient about the potential dangers of sending unencrypted health data via email, as well as your responsibilities as a covered entity and the potential HIPAA violations that might occur in the event of a data breach? You may be putting your practice at risk of a data breach if you have unencrypted protected health information in any of your emails, data files, spreadsheets, etc.
Securing patient data is about knowing where electronic protected health information (EPHI) resides in your computer systems, how it flows through those systems, identifying potential risks to the data, and taking reasonable and appropriate measures to address them. Maintaining HIPAA compliance is also about having appropriate policies and procedures in place to ensure the security and privacy of all personal health information. Having clear directions for you, your staff, and your patients to follow with respect to electronic communications will ensure that all your personnel know what is acceptable and what is not allowed in different workplace situations. It also strengthens your case in the event of an OCR (Office for Civil Rights) audit.