Uprise EHR & PM Blog



EHR Software: 3 Frequent HIPAA Questions Answered

Posted by Janelle Pauli on Aug 5, 2015 10:00:00 AM

When it comes to HIPAA guidelines and keeping your patients' health information safe and secure in your EHR software, there are a lot of rules and regulations to pay attention to. And sometimes it can be tricky to know, or remember, what's considered compliant and what's not. That's why we've snooped around the Department of Health and Human Services' website to collect a few of the most common questions that many covered entities have when it comes to HIPAA and the Privacy Rule.

Common HIPAA Questions in Regards to Your EHR Software

Question: Does the HIPAA Privacy Rule allow healthcare providers to use email to discuss health information and treatment with patients?

Answer: The Privacy Rule allows covered healthcare providers to communicate electronically, including by email, with their patients, provided they apply reasonable safeguards when doing so. Here are a few examples of precautions that need to be taken when communicating via email:

  • Check email address for accuracy before sending
  • Send email alert to address for confirmation before sending
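The two precautions above amount to a pre-send gate: the recipient address is checked for accuracy against what the practice has on file, and the patient has to act on a confirmation alert before that address is trusted. The following Python is an added example of such a gate, not code from Uprise or from HHS; the `PatientContact` record, the `SERVER_SECRET` value and the `mailer` callback are constructed stand-ins for whatever an EHR would actually use.

```python
"""Pre-send safeguards for patient e-mail (added example, not Uprise code)."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Callable, Tuple

# Loose syntactic check: exactly one "@", no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Hypothetical server-side secret that binds confirmation tokens to one address.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


@dataclass
class PatientContact:
    """Minimal stand-in for the contact record an EHR would hold (constructed)."""
    patient_id: str
    email_on_file: str
    email_confirmed: bool = False


def normalize_email(addr: str) -> str:
    # Case and surrounding whitespace should not make an on-file address "differ".
    return addr.strip().lower()


def is_well_formed(addr: str) -> bool:
    return EMAIL_RE.match(addr) is not None


def confirmation_token(patient: PatientContact, secret: bytes = SERVER_SECRET) -> str:
    """Token carried by the confirmation alert: an HMAC over the patient id and the
    normalized address, so it can only ever confirm that exact address."""
    msg = f"{patient.patient_id}:{normalize_email(patient.email_on_file)}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def confirm_address(patient: PatientContact, token: str, secret: bytes = SERVER_SECRET) -> bool:
    """Called when the patient acts on the confirmation alert; constant-time compare."""
    if hmac.compare_digest(token, confirmation_token(patient, secret)):
        patient.email_confirmed = True
    return patient.email_confirmed


def check_recipient(patient: PatientContact, recipient: str) -> Tuple[bool, str]:
    """Gate that must pass before any PHI-bearing message reaches the mailer."""
    addr = normalize_email(recipient)
    if not is_well_formed(addr):
        return False, "malformed address"
    if addr != normalize_email(patient.email_on_file):
        return False, "recipient differs from the address on file"
    if not patient.email_confirmed:
        return False, "address on file has not been confirmed by the patient"
    return True, "ok"


def send_to_patient(patient: PatientContact, recipient: str, body: str,
                    mailer: Callable[[str, str], None]) -> Tuple[bool, str]:
    """Only hands the message to `mailer` (a hypothetical send function) if the gate passes."""
    ok, reason = check_recipient(patient, recipient)
    if not ok:
        return False, reason
    mailer(normalize_email(recipient), body)
    return True, "sent"


if __name__ == "__main__":
    # Constructed walk-through: unconfirmed address is refused, confirmed one is sent.
    p = PatientContact("p-001", "Jane.Doe@Example.org")
    print(check_recipient(p, "jane.doe@example.org"))
    confirm_address(p, confirmation_token(p))
    print(send_to_patient(p, "Jane.Doe@example.org", "appointment reminder",
                          lambda to, body: print("mailer ->", to)))
```

The order of the checks matters: a typo in the address is refused before the confirmation state is even consulted, so a message can never go out to an address the patient has not confirmed, and a confirmation for one address cannot be reused after the address on file changes, because the token is computed over the current on-file value.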

The Privacy Rule does not prohibit the use of unencrypted email for treatment-related communication between healthcare providers and patients; however, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with HIPAA Security Rule requirements.

Question: Does the Security Rule allow for sending electronic patient health information in an email, or over the Internet?

Answer: The Security Rule doesn't prohibit the use of email for sending electronic patient information. However, standards for access control, integrity, and transmission security require covered entities to implement policies and procedures to restrict access and to protect against unauthorized access to patient health info. It also addresses specifications for integrity controls and encryption. 

So really, if you're going to send patient health info via email you must assess your use of open networks, identify appropriate means to protect transmitted information, select a solution, and document it. Then you should be good to go!

Question: How can a small provider implement the standards in the Security Rule?

Answer: The Security Rule allows providers to use any security measures that help them appropriately implement the standards to protect patient health information. You can take into account your size, capabilities, and the costs of security measures. Start by assessing your security risks and vulnerabilities, along with the mechanisms currently in place to mitigate them. After the assessment, determine whether any additional measures need to be taken to meet the standards.

Still have questions about your HIPAA security? Visit www.hhs.gov for more information.
