Don’t be confused about whether changes to the HIPAA privacy rule bar sending unencrypted emails: in some cases you still can. The HIPAA rule published on Jan. 25 will extend the HIPAA regulations to business associates (including any contractors your practice uses), and they must be in compliance by Sept. 23. However, the encryption standards have not changed, said Leon Rodriguez of HHS’s Office of Civil Rights during a Jan. 29 Centers for Medicare & Medicaid Services Open Door Forum.
If you’re communicating in this manner, “you do need to take appropriate security precautions,” Rodriguez says. While there are basic guidelines in the regulation as to what those precautions are, there’s more than one way to do it. “However, an unencrypted email would ordinarily be at a level of risk of inappropriate disclosure that would be inconsistent with the HIPAA security requirement, and therefore it would be ill-advised.”