Thursday Troubleshooter: Is it a HIPAA violation to email radiographs to other dentists?
QUESTION: We get a lot of requests from specialists and other general dentists to email patients’ radiographs. When we tell them we can’t send them because we’re not encrypted, they’re not happy and have told us we’re taking things too far. What’s the right thing to do?
ANSWER FROM MICHELLE KRATT, FAADOM, FADIA:
I actually get this question a lot. Technically, it is NOT a violation to send Protected Health Information (PHI) in an unencrypted email; however, it IS a violation if that email is intercepted and/or read by someone without authorized access. The emails that most dental practices use (Outlook, Gmail, Hotmail, etc.) are not encrypted, and in fact, some of these companies actually read the content included in your emails.
To my knowledge, sending emails from your practice management software (Dentrix, Eaglesoft, etc.) is also not encrypted. In order to be in compliance with HIPAA’s rules and regulations, you would need to purchase an outside program that encrypts the emails and other documents for you. I recommend eDossea and BrightSquid. Before you invest in encryption software, take a look at how many requests you actually get per week or month to determine if the benefits outweigh the cost.
Remember, every team member is responsible for protecting PHI and will be held accountable for violations and breaches. Don’t take any chances with your patients’ Protected Health Information.
ANSWER FROM LINDA HARVEY, RDH, MS, LHRM, Owner, Linda Harvey Group, Inc:
Electronic communication is a hot topic, and both the Privacy Rule and Security Rule come into consideration. Under the Privacy Rule, the patient has the right to request that your office communicate with him or her by alternative means or at alternative locations, if it is reasonable. For example, a patient can request to receive appointment reminders via email rather than postcard if your office uses electronic appointment reminders.
However, that does not address health-care providers who share Protected Health Information (PHI) such as X-rays for treatment-related purposes. Nor does it address the fact that any electronic transmission of PHI must be in compliance with the Security Rule. Implementing a mechanism to encrypt electronic PHI wherever appropriate is explicitly mentioned as an addressable specification under 45 C.F.R. Part 164, Subpart C of the Security Rule.
An “addressable specification” differs from a “required specification” in that you must analyze the threats and hazards reasonably associated with emailing PHI. Based upon your assessment, document why you chose not to implement that specification. However, you must select and implement an equivalent alternate measure.
With an abundance of caution, it’s best to minimize your liability and avoid costly fines for data breaches by not emailing PHI unless you 1) password protect each document, 2) use encrypted email, or 3) use a HIPAA-compliant online platform.
ANSWER FROM LINDA L. CANNON, FSCN, Directorate of Safety - MSDS:
One of my clients called me in a state of panic about a patient's HIPAA complaint. Here is what happened. One of my dentist's patients went for a second opinion. The second dentist asked the patient how she received her X-rays. The patient said she requested them from her current dentist and had the dentist email them to her. The second dentist was outraged and told the patient she must file a complaint. He told her that this doctor is sending unencrypted email, which is against the law, but this is not true. The second dentist had the patient log a complaint about a potential HIPAA violation right there in his office.
An inspector called the first office (HIPAA complaints must state who is complaining, and the dentist does receive this information) and asked these questions: "Did you send this X-ray through the email without patient request?" The doctor answered no. "Did you validate and verify that the email was in fact the patient's?" The doctor answered yes. The first dentist had asked the patient to send the office an email with two questions that only the patient would know the answers to. "Did the doctor explain to the patient that the email was an unsecured email source, since it was going to the patient's home email?" The doctor answered yes. At this point, no violations had occurred, even if the email was intercepted and read by someone without authorized access.
I have the dentists I consult put a disclaimer on their emails. My clients have the knowledge they need. And my HIPAA patient consent form allows the patient to authorize sending PHI from an unsecured email from dentist to specialist or specialist to dentist, etc. The doctor simply needs to make sure the specialist's email, fax, etc. has been verified and validated.
Do YOU have a tough issue in your dental office that you would like addressed?
Send your questions for the experts to answer. Responses will come from various consultants associated with Speaking Consulting Network, Dental Consultant Connection, and Academy of Dental Management Consultants. Their members will take turns fielding your questions on DentistryIQ, because they are very familiar with addressing the tough issues. Hey, it's their job.
Send your questions to [email protected]. All inquiries will be answered anonymously every Thursday here on DIQ.