[Editor’s note: This column addresses specific questions related to Health Insurance Portability and Accountability Act (HIPAA) implementation. If you have questions, please send them to Sheryl Jackson, Same-Day Surgery, Thomson American Health Consultants, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: sherylsmjackson@cs.com.]

Question: Does the security rule prohibit transmission of protected health information (PHI) by e-mail?

Answer: No. The security rule requires covered entities to address the security of electronic transmission of PHI, says Robert W. Markette Jr., an Indianapolis attorney. Depending upon a covered entity’s perception of the threat, the same-day surgery program may decide to implement encryption or some other security feature, he says. However, encryption is not a required standard. "In the comments to the security rule, the Department of Health and Human Services (HHS) stated that one of the reasons it was not requiring encryption was due to the prevalent use of e-mail by rural providers to communicate with patients," says Markette. These comments from HHS recognize that PHI will be transmitted by e-mail, he says.

Question: Are health organizations responsible for the protection of unsolicited e-mails sent by patients?

Answer: When same-day surgery programs come into possession of electronic PHI, such as e-mail from patients or physicians, the organization must protect it, Markette says. "However, the agency is not responsible for the security of the information as it is transmitted from patient or physician to the entity," he adds.


For more information, contact:

  • Robert W. Markette Jr., Attorney, Gilliland & Caudill, 3905 Vincennes Road, Suite 204, Indianapolis, IN 46268. Phone: (800) 894-1243 or (317) 704-2400. Fax: (317) 704-2410. E-mail: rwm@gilliland.com.