At the HIMSS Healthcare IT Conference last week in Las Vegas, Roger Severino, Director of the US Department of Health and Human Services Office for Civil Rights (OCR), the HIPAA enforcement agency, made some news when he said that health care providers may share Protected Health Information (PHI) with patients through standard text messages. Providers must first warn their patients that texting is not secure, gain the patients’ authorization, and document the patients’ consent. Note that this only applies to communications with patients.
This expands the previous 2013 HIPAA Omnibus Rule on emails, which allows providers to email patients as long as the provider notifies the patient that email is not secure AND gains their consent.
Note that emails through free email services are NOT secure. Google, for example, reserves the right to "use...reproduce...communicate, publish...publicly display and distribute" your email messages. Most users don't read the lengthy terms of use and are surprised to hear this. Health care providers must use encrypted email or secure email systems to communicate ePHI outside of their networks.
The baseline services we provide through our service plans, such as firewalls, security patch updates, antivirus updates, etc., are an important foundation of the technical requirements for HIPAA, but there is much more to it, and we want all our clients to be fully aware of all the requirements. Contact us if you want to set up a complimentary HIPAA review. The more you know, the better!
For more details, read the full article by Mike Semel of Semel Consulting, author of How to Avoid HIPAA Headaches and one of the experts Ekaru follows for HIPAA information. We also offer cybersecurity training and a HIPAA compliance platform to help with your compliance.