HIPAA Q&A

[Editor’s note: This column addresses specific questions related to Health Insurance Portability and Accountability Act (HIPAA) implementation. If you have questions, please send them to Sheryl Jackson, Hospital Home Health, Thomson American Health Consultants, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: sherylsmjackson@cs.com.]

Question: Does the security rule prohibit transmission of protected health information (PHI) by e-mail?

Answer: No. "The security rule requires covered entities to address the security of electronic transmission of PHI," says Robert W. Markette, Jr., an Indianapolis-based attorney.

Depending upon a covered entity’s perception of the threat, the home care agency may decide to implement encryption or some other security feature, he says. However, encryption is not a required standard, he adds.

"In the comments to the security rule, the Department of Health and Human Services [HHS] stated that one of the reasons they were not requiring encryption was due to the prevalent use of e-mail by rural providers to communicate with patients," Markette says.

These comments from HHS recognize that PHI will be transmitted by e-mail, he adds.

Question: Are health organizations responsible for the protection of unsolicited e-mails sent by patients?

Answer: Once a home care agency comes into possession of electronic PHI (EPHI), such as e-mail from a patient, the organization must protect it, Markette explains. "However, the agency is not responsible for the security of the information as it is transmitted from patient to the entity," he adds.

Question: If an employee, other than field staff, works out of his or her home, either full time or part time (e.g., during maternity leave, on weekends or evenings, as part of a telecommuting job description), do the HIPAA security regulations apply? If so, how do we ensure compliance?

Answer: If the employee is working at home with EPHI, yes, the security regulations apply, according to Markette. Compliance will depend upon a number of factors:

  • Does the employee access EPHI remotely?
  • Does the employee maintain EPHI on his or her home PC?
  • Who in the home can access the PC?

"If the employee is accessing EPHI remotely, I would recommend at least evaluating the security of EPHI in transit," says Markette.

"If you have concerns about the security of that transmission, you might consider steps to increase the security," he suggests.

There are numerous technologies that could work in this environment, and each entity will need to assess the risks and determine an appropriate operating procedure, he adds. You also may want to establish password-protected access if other people have access to the employee’s computer.

[For more information, contact:

  • Robert W. Markette Jr., Attorney, Gilliland & Caudill, LLP, 3905 Vincennes Road, Suite 204, Indianapolis, IN 46268. Phone: (317) 704-2400 or (800) 894-1243. Fax: (317) 704-2410. E-mail: rwm@gilliland.com.]