Practice leaders increasingly need solutions that allow them to share patients’ protected health information by email, but they remain concerned about HIPAA compliance and patient privacy, for obvious reasons. As much as secure email solutions are needed to tackle this problem and to improve the flow of information from their practices, continual changes to a practice’s administrative processes can be difficult to manage, and any change to workflow is hard to accept.
For many, the perception remains that secure email, and the ability to exchange information through such a typically “simple-to-use” communication method, is too complicated to set up or too hard to use, and many remain concerned that secure email is out of reach for a small practice. Additionally, many practice leaders remain distrustful of such “so-called” secure data sharing solutions because of recent news of hacks and data theft.
But practices need to be able to communicate with specialists and colleagues, to send notes and images for any referrals that include protected health information (PHI). They need to be able to send “non-claim attachment” communications that may reference a patient’s date of birth or Social Security number to payers. Also, because of meaningful use and the push for improved patient communications, any information sent from a dentist to a patient, like a visit summary or treatment recommendation, may contain PHI and, therefore, requires encryption.
This is one reason we’re continuing to see the emergence of HIPAA-compliant, secure email for dental and medical practices. Many dental offices use electronic communications to confirm appointments and invoice patients as well as send X-rays and other information to their peers for referrals. What many practices may not realize is that a large number of commonly used email tools do not comply with HIPAA.
To be clear, the exchange of information with patients to discuss treatments and other health information via email is allowed under HIPAA as long as providers have the patient’s permission to do so. According to the Privacy Rule, covered healthcare providers are allowed to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. According to the Department of Health and Human Services, “certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”
However, specifically and perhaps shockingly (given our current data-driven times where lack of security has obvious and devastating side effects), the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between healthcare providers and patients. Of course, HHS “suggests” that “other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail.” This “suggestion” is certainly something that most in the information technology industry strongly believe should be heeded.
Even though providers are not required to encrypt the data they send to patients, as long as the patient has consented to receiving email communication in an unencrypted manner, why would forgoing encryption be prudent? Why would a practice not simply take action to ensure that the information exchanged is secure, even if there’s no culpability on the part of the practice? Personally, I believe in the “better safe than sorry” approach when it comes to any data security matters.
For those practices with business associate agreements, encryption provides the best answer to the secure information exchange challenge. Even if the receiving party does not have encryption capabilities for their email, some solutions allow practices to provide two-way encryption so that a receiving party without email encryption capabilities can still respond securely to a message. In most cases, the security features integrate easily into a practice’s existing email platform like Gmail, Outlook, or Yahoo.
The tenet of most secure email systems is that any time a practice wants to send a secure message, the message and, in some cases, any attachments, are encrypted on the device and can only be decrypted and opened by authorized recipients. Not all secure email systems work the same way, though. Some drive users to a web portal and require a separate login and password for access; others feature a more seamless, integrated experience where the secure email functions within the users’ existing email client. One example of this second, integrated type of secure email is Virtru. MEA|NEA has partnered with Virtru to provide secure email encryption to the more than 45,000 dental practices we serve. Providers are encouraged to take advantage of this partnership and the technology it brings to practices small and large. Every dental practice can employ military-grade encryption that restricts access to information being emailed, and they can do it using a system that won’t break the bank. The information can only be decrypted and opened by its intended recipient, and it’s obviously HIPAA-compliant.
Not to sound like a commercial or advertisement, but we made the decision to provide encryption services to providers because they asked for it. There’s an overwhelming desire for encryption in dental practices today, and practice leaders seek communication tools to connect with patients; email is the easiest to use. Of course, technology like a patient portal has its place, but portals can be difficult to use and are often clunky. In many cases they seem more like online bill pay systems than patient communication portals. But there’s more that can be done with email.
For example, Virtru gives providers the ability to revoke their sent messages and file attachments, even after they’ve been opened, allowing them greater control over the flow of information in and out of their practices. Providers can also see where the messages have been forwarded, and restrict access to any sent message at any time. They can even set expiration dates to control exposure and restrict access, almost akin to Snapchat, where a sent message is automatically deleted after 15 seconds of viewing. Not the same exactly, but an apt analogy I think, given the level of control providers can dictate over their messages sent through email. Nothing self-disappears here, but access to emails and attachments can be revoked or limited at will.
Almost without exception, free email services like Outlook, Apple Mail, Gmail or Hotmail are not compliant with HIPAA and other healthcare regulations. Additionally, online storage sites like Dropbox and SkyDrive are not viable or suitable storage options for keeping data secure offsite, as they do not comply with HIPAA standards. Only specific solutions built directly for healthcare can be trusted, as they have encryption controls and are designed to house personal health information. With email, most solutions are not compliant, but some obviously are. So, even as security solutions are designed to protect information on the hard drive or network, through firewalls or other protections, email is a transfer tool. By its very nature, it’s designed to send information from a secured environment into a world where security is often considered second to convenience.
For example, any email sent, personal or otherwise, and no matter the service provider, passes through dozens or hundreds of unknown servers on its way to its destination. There are far too many moving and fallible parts to ensure the security of information within an email a provider sends, unless the email itself and its contents are protected in an encrypted shell, if you will. Such solutions are becoming more prevalent and are emerging as viable options for exchanging health information while also maintaining the flexibility offered by email.
For those who claim email is not convenient or doesn’t allow the sending of large documents, such as images, these problems, too, are being addressed and are no longer the same problem they were five or 10 years ago. In themselves, these larger file sharing capabilities further eliminate the need to store information offsite (though again, there’s no problem doing so when using a secure and encrypted cloud storage solution rather than a Dropbox).
Virtru is one such service. There are other solutions available, of course, like BrightSquid or ZixMail, but Virtru is a fresh offering that is making a push into the healthcare space. It works within a practice’s current email for most systems so no separate logins are required, and the solution allows dental office staff to communicate with patients and colleagues in a HIPAA-compliant manner using their existing business e-mail address, and includes built-in encryption, automated backups, documented activity logs and the use of secure servers to protect the integrity of patient information.
Are we finally beyond the days when there were no viable solutions to some of these basic information exchange problems, and can simple tools like email, used by billions with ease for decades, finally achieve the same result for those of us in healthcare? If nothing else, perhaps gone are the days when anyone can claim that the technology does not exist to solve these basic healthcare problems; those who try are more likely technophobes than technology enthusiasts.
Lindy Benton is CEO of MEA|NEA, a provider of secure, HIPAA-compliant cloud storage solutions, health information exchange and secure attachment solutions for the healthcare industry. More than 45,000 medical and dental practices partner with MEA|NEA to exchange their health information.