The murky waters of the HIPAA security rule

Laura Rose Lambert Electronic records, TWH blog 1 Comment

Cloud Computing by Petr Kratochvil


Let’s clear the air about some issues

Most questions I receive concern electronic communication with patients. The use of e-mail, text messaging, Skype and many other varieties of electronic communication is commonplace in modern life. You will find that a growing number of patients will expect you to be available via e-mail or text, or even to interact through social media.

With these different forms of communication, you need to update your informed consent and possibly your authorization form to reflect these styles of communication. Find out what patients feel comfortable talking about through each type of communication. For example, many patients love being able to schedule and cancel appointments through e-mail or text message, but don’t feel comfortable sharing or receiving ePHI through e-mail. Another example would be e-mailing a receipt via a service such as Square. While using a credit card payment service such as Square or PayPal is private and secure, you need to get written consent to e-mail a receipt to the patient.

Don’t skimp on a conversation about communicating electronically. You need to talk frankly about the advantages and risks of using electronic communication with your patients and find out what they are comfortable with. This includes birthday and holiday cards or a monthly newsletter. I have an opt-in policy at my office. It includes a list of the different ways of communicating on a variety of subjects, from which a patient chooses what they are comfortable with (initialing each item), and my boundaries about social media. I found a thoughtful article about the advent of electronic communications from a graduate art therapy counseling program at Southwestern College and how this affects our conversations with patients on informed consent.

It’s okay to use email, honestly

The number one question I get concerns email. Can I send e-mail to patients? Is it secure? What type of e-mail is secure? Like most things concerning technology and HIPAA, there is a spectrum of what practitioners are OR are not comfortable with. Some health providers refuse to use email at all, others use services such as Hushmail or the Patient Portal included in many EHR management programs, while others simply include a disclaimer in their e-mail signature. In the recent January 2013 HIPAA modifications document there is a very important passage in the preamble. In the text at 78 FR 5634:

[Image: Hipaa and email]

This passage leads me to be a bit more relaxed with my email policy. I usually walk a fine line between the security of ePHI and the convenience and needs of the patient. For example I may e-mail ePHI (with permission of course) but I enclose it in an encrypted and password protected .pdf attachment. On the other hand, if a patient agrees to and prefers to manage appointments electronically, I will do this through a relatively unsecured email.

Remember Murphy’s law

Make back-ups of your back-ups. Hard drives fail, disasters happen and in general a series of unfortunate events can befall anyone. I have a history of losing hard drives and as a result am understandably paranoid about my personal and professional data. So I back up vital documents periodically onto DVD or flash drive and to my external hard drive. I keep the DVD in an off-site location. On a regular basis, a complete copy of my computer/iPad/phone is backed up to an external hard drive. This external hard drive is only used for these backups and kept in a cool and safe location. This external hard drive is then synced with an online data back-up service. This is simply one way to ensure the safety of your data. It is important to have a plan in place.

Invest in a laptop lock for using computers in public spaces; thieves are known to walk up and snatch laptops out of your lap. Install or set up software to wipe the hard drive of any device that contains ePHI in case of theft or loss. Many devices come with basic built-in software that will delete or lock contents if the device is on. Very few devices are actually recovered after theft, so focus on encrypting and protecting your data over trying to locate your device. Don’t forget to change the passwords to all your accounts right away.

Passwords should make no sense at all

Door by Anna Langova


It is a bummer to have an email or Facebook account hacked. It is even worse if your patients’ information is involved. You can invest in many secure devices and HIPAA compliant services and software, but all of that is for naught if you have poor password habits. Each day we use a handful of password protected accounts. I understand the temptation to simplify all of this…but you can’t. No two passwords should be the same, and none should make any sense; otherwise your accounts can be easily hacked. I advise clients to use a password manager such as LastPass, DataVault or Dashlane (there are so many more) to stay sane when managing so many accounts.

Passwords should not include:

  • words found in the dictionary
  • any personal information (birthdate, anniversaries, etc)
  • business information (such as an address number)

Passwords should:

  • be at least 12 characters long
  • include at least one upper case letter, one symbol and one number
  • be changed frequently (every 60 days)
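As an added example (not code from the original post), here is a Python check that encodes the rules above, using constructed stand-ins for a dictionary wordlist and for the user's own personal details; it also generates a random password that passes, the way a password manager would:

```python
import secrets
import string

# Constructed sample lists standing in for a real dictionary wordlist and for
# the practitioner's personal/business details (birth year, anniversary,
# surname, street number). A real practice would supply its own.
DICTIONARY_WORDS = {"password", "welcome", "therapy", "office", "summer"}
PERSONAL_INFO = {"1984", "0312", "lambert", "221"}

SYMBOLS = set(string.punctuation)


def password_violations(password, dictionary=DICTIONARY_WORDS, personal=PERSONAL_INFO):
    """Return the post's rules that the password breaks (an empty list means it passes)."""
    problems = []
    lowered = password.lower()
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    # Dictionary words and personal details are rejected even when they are
    # only part of the password: 'Welcome2024!' still contains 'welcome'.
    for word in dictionary:
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    for item in personal:
        if item in lowered:
            problems.append(f"contains personal/business detail '{item}'")
    return problems


def generate_password(length=16):
    """Draw random characters with the secrets module until the policy is met."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_violations(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("lambert1984", "Welcome2024!", generate_password()):
        print(sample, "->", password_violations(sample) or "passes")
```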

Many accounts allow you to schedule password changes automatically. A newer security measure called two-step verification should also be implemented if available. When you or someone else logs in to your account from an unfamiliar location, the account will require a code that is e-mailed, texted or called to your e-mail address or phone number before access is granted.

Do you have any other questions or concerns I haven’t mentioned? Comment on this article and I can address any technological questions you have.

Change…it is always happening

Keep up to date with changes to the HIPAA security and privacy rules by subscribing to the HHS newsletters for security and privacy (2 separate newsletters).

You can also keep up to date with a third-party source such as:

Person Centered Tech – Tech consulting and continuing education for mental health professionals

Search Health IT is a web resource for tech professionals who work with healthcare related technology.

Partners HealthCare’s Center for Connected Health creates and validates technology-enabled solutions that empower patients and providers to transform healthcare. This organization is a partnership between Brigham and Women’s Hospital and Massachusetts General Hospital.


I hope this article has answered some of your questions about the interaction between HIPAA and technology in your practice. Please don’t hesitate to contact me with any questions on the content of this article, or any corrections too. For my next article I plan on looking at the different devices you can use for electronic charting and patient management. That article will help you make decisions about what type of computer or tablet will fit into your practice.

Thank you so much for taking the time to read about HIPAA on my website today. My goal is to help you feel comfortable with integrating technology into your medical practice. So if you are interested in more topics like this one, sign up for my newsletter (to the right), like Technology with Heart through Facebook or Google+ or follow me on Twitter.

Comments 1

  1. Laura, what a wonderful breakdown of the HIPAA Security compliance process. I’m not just saying that because you quoted me, either. 😉

    I should point out that HIPAA is also not the only player in these processes. For example, clients are given leeway to accept the risks of email by HIPAA. State licensing boards or legislatures may have caveats or gotchas around that, though. My board, for example, requires email to be secured if I am to use it for therapeutic communications. Without security, I need to keep it to scheduling and other administrivia. HIPAA would let me send the client’s whole medical record by email if the client wanted it.
