A healthcare practitioner’s guide to sending PHI

For healthcare practitioners involved in emailing patient information, adhering to HIPAA privacy regulations is of the utmost importance. Disregarding these regulations can incur serious repercussions.

What is Protected Health Information (PHI)?

Consider PHI as information that you should never mistreat or let fall into the wrong hands. There are 18 factors that can identify individuals and connect them to their health information. These factors can be either vague or direct, such as patient name, address, Social Security number, account number, or email address. PHI refers to past, present, and future patient information such as physical or mental health conditions, the provisioning of healthcare (such as appointments), and payment-related information.

Similarly, electronic PHI (ePHI) is that same patient information electronically produced, disseminated, engaged with, or exchanged.

Covered Entities

HIPAA considers the following bodies, organisations, and individuals as the covered entities that must protect PHI: healthcare, healthcare provider, healthcare clearinghouse, and health plan. After some alterations, this list now includes all individuals and organisations that covered entities subcontract with (that is, business associates of a HIPAA-covered entity) and extended subcontractors and associates (that is, a business associate of a business associate).

To guarantee PHI security, covered entities must meet these four standards:

Organisational requirements

Considering the specific functions (such as documentation and policy implementation) required to ensure ePHI security.

Administrative requirements

Referring to the administrative tasks (for instance, employee training and management security) necessary to both effectively run an organisation and ensure the security of ePHI.

Physical safeguards

Referring to the implementation of measures that secure computers, workstations, hard drives, physical data, storage, workspaces, and buildings from unauthorised access to ePHI.

Technical safeguards

Monitoring access to sensitive data, ePHI, and all electronic materials. This involves securing all e-materials, user authentication, data audits, log audits, etc. The organisation must implement measures that identify individuals who request access to ePHI, and must also put data integrity and encryption measures in place.

What you need to know about HIPAA’s email security rule

HIPAA is unforgiving of errors, accidental breaches, and other mistakes that result in unprotected PHI. This is precisely why you need vigilance and extreme attention to detail when coordinating email marketing campaigns, business emails, text messages, and more. The two terms 'required' and 'addressable' are used to define email security. Required means that compliance with the standard is mandatory. Breach of any HIPAA regulation could immediately translate to hefty fines for the organisation.

Addressable, however, isn’t as strict. Addressable in no way means that compliance isn’t necessary, though. The company in question must still scrutinise every single HIPAA security standard individually to ensure adherence to regulation.

So, what next?

As a covered entity, you’ve implemented security measures to combat any possible threats, but what about risk management? Being cautious includes taking into consideration the various risks and privacy violations that can occur. Email encryption and secure texting are great steps to help manage risks. They encode your messages so only the intended recipient can access them.

Since email and text communication carry several risks, including interception and inaccurate delivery, encryption and authentication can go a long way toward mitigating your risk. Ask yourself, have you evaluated your company’s current policies and practices? Have you identified all the possible risks? Did you closely analyse HIPAA security regulations? And have you constructed a risk mitigation plan?

Erik Kangas, CEO at Lux Scientiae