Friday, July 2, 2021

HIPAA requirement



Letter to Providers on Using Email

I need to use email to work with my providers. I’ve explained before why I’ve given up on patient portals. Basically, I have multiple providers to manage (16) and going into multiple portals to send multiple messages is untenable for me as a patient and really does a disservice to me and to my providers. However, doctors are reticent to use email. The EHR vendors have done a great job with their marketing to scare physicians into thinking that they can only use the portal to communicate. But that’s not true! And in fact, patients have a right to use email, one that doctors must accommodate.

Sometimes I’ll be told that email is not allowed under HIPAA, to which I reply: “Not only is email allowed under HIPAA per 45 CFR 164.522(b), but it is required that you accommodate my request to use email. Not allowing me to use email is not HIPAA compliant.” Often that one sentence can work. But because some still don’t want to believe me despite my law degree and the actual citation of the law, I have written the letter below referencing the law and guidance from Health and Human Services. I also give additional reasons why email may be a better option.

I present my letter when staff or providers resist the use of email and persist in telling me email is not allowed under HIPAA. Some still try to push back and refuse, but the law is in my favor and I’ll push for what I need to do for my care. We shouldn’t have to fight over this, but until doctors (and office managers and staff) really learn how HIPAA works, I’ll have to educate them on my own and you can too.

For all patients that want to use email with their providers, feel free to use this letter. The link below will also allow you to download a copy of the document that you can edit for your own use. Please note that this is NOT legal advice, it is simply what I use as a patient which references HIPAA rules and guidelines.

Link: Letter to Providers on Using Email

________________________________________________

Dear Provider,

While patient portals via electronic health records (EHRs) have held promise for connecting patients and their providers, I have found that they do not work best for me. I prefer to use email for communication and this is not only allowed under HIPAA but is required if I make a request for this alternative form of communication.

HIPAA permits health care providers to use e-mail to discuss health issues with their patients.[1] Specifically, guidance from Health and Human Services says:

Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated….

Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.

The law also says that you cannot force me to use a portal. This includes portals for “secure messaging.” You simply need to let me know that there are risks to using email. HHS specifically says that forcing a patient to use a portal is an “Unreasonable Measure.” The HHS website explains under Unreasonable Measures[2]:

…a covered entity may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access. For example, a doctor may not require an individual:

  • Who wants a copy of her medical record mailed to her home address to physically come to the doctor’s office to request access and provide proof of identity in person.
  • To use a web portal for requesting access, as not all individuals will have ready access to the portal.
  • To mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus, the individual’s access.

While a covered entity may not require individuals to request access in these manners, a covered entity may permit an individual to do so, and covered entities are encouraged to offer individuals multiple options for requesting access.

Beyond HIPAA, there are many other considerations that go into my preferring email, a few of which are:

  • Care coordination: Most portals only allow providers to connect with other providers already in their system or to the patient. Seeing as I have several providers who I may need to contact all at once who are in various systems, it is much better for care coordination to do a group email with all my providers.
  • Privacy: Most portals allow my messages to be redirected through an assistant or nurse in the clinic before getting to the provider. While this is allowed under HIPAA, for various reasons I prefer that my information go directly to the provider and that fewer individuals have access to that information within the practice. Privacy can also be an important part in establishing trust and providing trauma-informed care.
  • Attachments: Sometimes I have information that I’d like to share with you, like old medical records or images of a current health issue. Unfortunately, I cannot always attach this information via portals which may have specific file format limitations or may not allow me to upload files at all.
  • Character limit: Most portals have a word count limit that may not allow me to write in as much detail as I need to address my care. If I have multiple issues to address or more in depth questions than most, character limits make it hard to communicate with you effectively and efficiently.
  • Safety and Security: In an age where phishing attacks that include viruses, malware, and ransomware are rampant, it is prudent for patients to be wary of emails they receive with attachments or that ask them to “click here.” Portals send email messages to an account asking them to “click here” to access their electronic health record via a portal. These emails can be easily replicated by hackers and result in disastrous consequences. Furthermore, if a ransomware virus were to attack a system, the likelihood that they would target the EHR where there is a high volume of sensitive information would be more likely. No system is completely safe or secure regardless of level of encryption. With those risks in mind, institutions must do their best as is required by HIPAA. But hackers also work hard to infiltrate systems and they are much more likely to go after targets that yield more information per attack than to attempt to access areas where less information is kept.
  • Encryption: Providers often push back against the use of email saying their email is not secure. While HIPAA does not require encryption, it is prudent for all offices to encrypt their emails or use a HIPAA compliant emailing system. Not having encryption, though, is not a reason to prohibit the use of email with patients. As noted above, providers need only explain that there are risks to using email and that it may be less secure before engaging in email communications.
  • Disability: Various disabilities can make it hard to discuss my issues via phone or to access a portal. Requesting to use email can be seen as an accommodation request under federal disability laws.

Providers often say that using email places a bigger burden on them because they may not check their email often, their inbox is very full, or they miss emails because they are not prompted by an EHR system of a patient’s message. These are valid concerns but do not take away a patient’s right to use email if requested. And while it may be a change in pace to accommodate email, we can all agree that each patient has unique needs that require different approaches to care in order to achieve the best care outcomes. For me that approach is using email.

I appreciate your time and understanding.

[1] https://www.hhs.gov/hipaa/for-professionals/faq/570/does-hipaa-permit-health-care-providers-to-use-email-to-discuss-health-issues-with-patients/

[2] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/
