HIPAA Q&A

[Editor’s note: This column addresses specific questions related to Health Insurance Portability and Accountability Act (HIPAA) implementation. If you have HIPAA-related questions, please send them to Sheryl Jackson, Thomson American Health Consultants, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: sherylsmjackson@cs.com]

Question: Does the HIPAA security rule prohibit transmission of protected health information (PHI) by e-mail?

Answer: No. "The security rule requires covered entities to address the security of electronic transmission of PHI," says Robert W. Markette, Jr., an Indianapolis-based attorney. Depending upon a covered entity’s perception of the threat, the home care agency may decide to implement encryption or some other security feature, he says. However, encryption is not a required standard, he adds.

"In the comments on the security rule, the Department of Health and Human Services [HHS] stated that one of the reasons they were not requiring encryption was the prevalent use of e-mail by rural providers to communicate with patients," Markette says. These comments from HHS recognize that PHI will be transmitted by e-mail, he adds.

Question: Are health organizations responsible for the protection of unsolicited e-mails sent by patients?

Answer: Once a home care agency comes into possession of electronic PHI, such as e-mail from a patient, the organization must protect it, Markette explains. "However, the agency is not responsible for the security of the information as it is transmitted from patient to the entity," he adds.

Question: If an employee, other than field staff, works out of his or her home, either full-time or part-time (e.g., during maternity leave, on weekends or evenings, or as part of a telecommuting job description), do the HIPAA security regulations apply? If so, how do we ensure compliance?

Answer: If the employee is working at home with PHI, then the security regulations do apply, according to Markette. Compliance will depend upon a number of factors:

  • Does the employee access PHI remotely?
  • Does the employee maintain PHI on her home PC?
  • Who in the home can access that PC?

"If the employee is accessing PHI remotely, I would recommend at least evaluating the security of PHI in transit," says Markette. "If you have concerns about the security of that transmission, you might consider steps to increase the security," he suggests. There are numerous technologies that could work in this environment, and each entity will need to assess the risks and determine an appropriate operating procedure, he adds. You also may want to establish password-protected access if other people have access to the employee’s computer.