It's believed that 99% of our current email programs (Yahoo, Gmail, Hotmail, etc.) are unencrypted. It's a known fact, though not an admitted one, that many practices regularly send electronic Protected Health Information (ePHI) through these channels. While a large portion of practicing dentists and physicians have caught on to the dangers and risks associated with sending through standard email, there are still many who are unaware.
3 common questions from Practices using email to exchange ePHI:
Looking at number 1, which places on the receiving clinic the additional responsibility of managing ePHI across 2 or more emails, you can definitely create a situation for lost data. If that patient delays their appointment by weeks or months, how is the receiver going to track the original email with no name on it? A specialist's office receiving multiple patient files from multiple dentists does not want to take on this risk and the potential management nightmare of sorting through them. There's also the chance that not all of your data will make it, especially as a new update to their spam blockers may cause another scenario where at least one email is lost.
As far as number 2, many offices feel that email "must be in accordance with HIPAA" because there are functions within their software that allow for emailing X-rays. The software manufacturers can of course build in whatever they want if it gives the dental team another reason to purchase; however, that does not mean it is safe to use. Think of a crime committed with a gun: it's never the gun manufacturer who goes on trial; the responsibility falls on whoever pulled the trigger.
Number 3 refers to the "no HIPAA police" response that seems to be commonly discussed. For those who say they don't exist, I would differ in my opinion due to the current actions by the Office of Civil Rights (OCR) with the Department of Health and Human Services (HHS) to enforce HIPAA. Earlier this month, the newly assigned Director of the OCR, former prosecutor Leon Rodriguez, made a bold statement by announcing the two words that have caught small practice owners by surprise: Random Audits. Many believe that small healthcare providers, including dentists, will be targeted under Rodriguez's philosophy that "enforcement promotes compliance", if they're not already.
There are more questions than just these when it comes to how a practice should be sending patient information. Good news came earlier today as surveys are now showing 80% of hospitals in favor of health information exchange programs. While it's great to see leadership from the hospitals, it's always worth noting that they are not the only covered entities who need to remain compliant while sending ePHI. They're probably glad, though, that it may not be difficult to make this change; if their staff once learned how to use email or Dropbox, then learning how to use a secure file sharing program should be just as easy.
on Twitter: @eDossea