eDossea™ Blog & News

3 Common Questions about Sending Records by Email

10/27/2011

It's believed that 99% of our current email programs (Yahoo, Gmail, Hotmail, etc.) are unencrypted. It's a known fact, though not an admitted one, that many practices are sending electronic Protected Health Information (ePHI) through these channels regularly. While a large portion of practicing dentists and physicians have caught on to the dangers & risks associated with sending through standard email, there are still many who are unaware.

3 common questions from Practices using email to exchange ePHI:

  1. What if we send the patient name and the X-ray in separate emails?
  2. Why does our software allow us to directly email files if it's contrary to HIPAA & HITECH?
  3. If there's no "HIPAA police", what should we be worried about?

Looking at number 1: splitting the data gives the receiving clinic the additional responsibility of managing ePHI across 2 or more emails, which can definitely create a situation for lost data. If that patient delays their appointment by weeks or months, how is the receiver going to track the original email with no name on it? A specialist's office receiving multiple patient files from multiple dentists does not want to take on this risk and the potential management nightmare of sorting through these. There's also the chance that not all of your data will make it, especially as a new update to their spam blockers may cause yet another scenario where at least one email is lost.

As for number 2, many offices feel that email "must be in accordance with HIPAA" because there are functions within their software that allow for emailing X-rays. The software manufacturers can of course build in whatever they want if it gives the dental team another reason to purchase; however, that does not mean it is safe to use. Think of a crime committed with a gun: it's never the gun manufacturer who goes on trial; the responsibility falls on whoever pulled the trigger.

Number 3 refers to the "no HIPAA police" response that seems to be commonly discussed. For those who say they don't exist, I would differ in my opinion due to the current actions by the Office of Civil Rights (OCR) with the Department of Health and Human Services (HHS) to enforce HIPAA. Earlier this month, the newly assigned Director of the OCR, former prosecutor Leon Rodriguez, made a bold statement by announcing the two words that have caught small practice owners by surprise: Random Audits. Many believe that small healthcare providers, including dentists, will be targeted under Rodriguez's philosophy that "enforcement promotes compliance", if they're not already.

There are more questions than just these when it comes to how a practice should be sending patient information. Good news came earlier today as surveys are now showing 80% of hospitals in favor of health information exchange programs. While it's great to see leadership from the hospitals, it's always worth noting that they are not the only covered entities who need to remain compliant while sending ePHI. They're probably glad, though, that it may not be difficult to make this change; if their staff once learned how to use email or Dropbox, then learning how to use a secure file sharing program should be just as easy.

-Shawn Harrington

on Twitter: @eDossea

Comments

Posted by Linda Harvey, RDH, MS, LHRM on 12/07/2011

Shawn, Great post! I would like to comment on item #3. Many dental professionals are not aware of the fact that the HITECH Act of 2009 actually put the 'teeth' in HIPAA. HIPAA police are a reality. State Attorneys General are now authorized to prosecute HIPAA breaches in addition to the Office of Civil Rights. In fact, Connecticut and Vermont SAGs have already done so. Plus, KPMG was awarded the 9.2M contract to carry out the mandatory audits and have a specific number to complete by the end of next year. Business associates as well as covered entities are subject to audit. Technology and electronic security are rapidly changing and protecting patient data (as well as employee data, even though that's covered under different laws) is extremely critical. In addition to staff training, policies and procedures must be current and reflect exactly how you are protecting data. I am always relieved when one of my clients partners with eDossea. Keep up the great work!

Posted by Shawn Harrington on 12/08/2011

Thanks Linda, I appreciate the extra insight as there are obviously many enforcement changes taking place. It's always good to have professionals like yourself out there working with the practices as they stay on top of this!
