Do physicians who use personal e-mail accounts to communicate with patients violate HIPAA by doing so?

From HcPro’s newsletter Briefings on HIPAA:

This is a potential violation of the HIPAA security rule. A violation has not occurred if an e-mail does not include any PHI. However, e-mails that contain PHI should be encrypted.

Encryption is an addressable implementation specification under the security rule. “Addressable” means the provider must implement the specification as stated in the rule, implement protections equivalent to the rule, or must clearly document why the implementation specification does not apply.

Cost may not be the primary reason for failure to implement the specification. It is important to remember that the security rule was finalized back in 2003 and then became effective in 2005.

Encryption technology has become much more mature and interoperable since 2003. And it is no longer cost-prohibitive-even for the smallest providers.

Physicians who elect to send PHI via unencrypted e-mail in 2008 are hard-pressed to justify this decision.

Have questions? I’m here to help.

This field is for validation purposes and should be left unchanged.
This field is for validation purposes and should be left unchanged.
Categories
Accounting and Tax Services Litigation Support Managed Care Consulting Managed Care Contract Negotiations Medical Practice and Healthcare Entity Valuation Medical Practice Assessment Medical Practice Brokerage Medical Practice Embezzlement Consulting Medical Practice Management Medical Practice Merger Advice Medical Strategic Planning Newsletter Personal Financial Planning Oversight Physician Compensation Models Physician Compliance Physician Financial Management Services Retirement Uncategorized
About Reed Tinsley, CPA

As a top advisor to physicians, I help increase practice profits by delivering hands-on, expert medical accounting/tax support, practice counsel, and revenue-building strategies. Read More >

Reed Tinsley, CPA