Question: I recently heard that the HIPAA privacy rule was changed and it now prohibits our practice from sending unencrypted emails. Is this accurate?
Answer: No, not necessarily. The HIPAA rule published on Jan. 25 will extend the HIPAA regulations to business associates (including any contractors your practice uses), and they must be in compliance by Sept. 23. However, the encryption standards have not changed, said Leon Rodriguez of HHS’s Office of Civil Rights during a Jan. 29 CMS Open Door Forum.
"If you are making communication with the patient in this manner, you do need to take appropriate security precautions," he said. "While there are basic guidelines in the regulation as to what those precautions are, there’s not only one way to do it. However, an unencrypted email would ordinarily be at a level of risk of inappropriate disclosure that would be inconsistent with the HIPAA security requirement, and therefore it would be ill-advised," he added.