Originally posted on https://www.eoshost.com/hipaa-rules-direct-mail/
Are you a healthcare provider or business that is required to send private medical information to patients?
Direct mail seems like an easy method until you stop to consider HIPAA rules. It’s your job to be aware of HIPAA exceptions and rules so you don’t break them.
We have your HIPAA primer for handling direct mail.
What Is HIPAA?
Privacy is essential in the healthcare industry. No one wants their private medical information shared without their consent. For this reason, the “Privacy Rule” was established by the U.S. Department of Health and Human Services in 1996.
The Health Insurance Portability and Accountability Act (HIPAA) applies to entities that provide healthcare services.
Entities affected by HIPAA include:
- Healthcare providers
- Health plans
- Healthcare clearinghouses
The rules were created in order to protect the private health information (PHI) of individuals.
The 411 on Private Health Information
In order to avoid violating HIPAA, you need to understand the concept of private health information and be fully informed about what is considered PHI.
PHI is any information that could potentially identify an individual and his/her medical records, including:
- Locations (state, city, street name/number, address, zip code)
- Dates (birth date, admission/discharge dates, death date, dates that indicate age)
- Phone and fax numbers
- Email address
- Social Security numbers
- Medical record numbers
- Health plan numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Internet Protocol (IP) addresses
- Biometric identifiers, such as fingerprints or voice recognition
- Full facial images or any comparable images
Basically, anything that could help someone determine a person’s identity is considered PHI.
The Challenges of Sending Medical Information
Patients and other providers need to know certain information in regards to possible medical conditions or treatment. The information must be sent, either by email, fax, or through the mail. The problem comes in sharing “need to know” information without violating HIPAA regulations.
How can you stay compliant? Let’s look at the various methods for sending medical information.
Send by Email
Patients and providers often appreciate the ease of emailing medical information. Data can be delivered in seconds without having to print or mail anything. Easy right?
Wrong. Certain encryption standards must be met.
The most popular email systems like Gmail, Microsoft Exchange, and Outlook use SSL or TLS encryption protection. Encryption means the information is disguised so an unauthorized person cannot read it. However, SSL and TLS alone do not provide enough protection.
If you’re sending medical information via email you must:
- Encrypt the PHI
- Have a method of verifying the identity of the person who is authorized to receive the information
- Have a method of revoking access to the information when it’s no longer needed or if you sent the information in error
In order to comply, you would need a specialized email encryption service. These services add extra protections to secure PHI and ensure only the authorized person can access it.
Send by Fax
Faxing PHI is another quick and easy method; however, it can be problematic. Often, fax machines are kept in a public area. Incoming faxes might sit in a tray for hours until someone comes to check. In turn, anyone walking by can see printed faxes sitting out in the open.
HIPAA fax rules must be applied in order to ensure that only the authorized person receives the PHI:
- Fax machines should be kept behind a locked door
- Faxes should be stored in the machine’s memory and only printed by an authorized user
It is possible that the insecure nature of fax machines—and the growing use of email—may soon render faxing of PHI obsolete.
Send direct by US Mail
The final method for sending PHI is through the mail. Here too you must comply with HIPAA rules. In some cases, PHI should even be sent by certified mail, which means the intended recipient needs to sign for it.
Certified mail provides prove that the mail was delivered and verifies when it was received. It also ensures you have a record of everyone who received the information in case the patient ever asks or if you are ever audited for compliance.
First class mail is a protected class of mail and is acceptable for certain types of notices. Lastly you should never use standard mail under any circumstance when sending PHI.
There Are HIPAA Exceptions
As with any rule, there are always exceptions. The HIPAA Omnibus Final Rule introduced a number of updates in 2013. The updates cover entities that create, store, receive, or transmit PHI.
The new rules apply to entities that store electronic information as well as physical records.
HIPAA Conduit Exception Rule
The main HIPAA exception has to do with entities that are classified as “conduits.” In this case, the definition of a conduit is an entity that only transmits or transports PHI.
- US Postal Service, UPS, Fed-Ex, DHL
- Couriers and electronic equivalents
- Internet service providers (ISPs)
These conduits cannot have access to the actual PHI, and they can only store it temporarily. The exception allows for a distinction between organizations that transmit information versus those that provide ongoing storage. HIPAA differentiates them as “transient vs. persistent.”
Who Is Not Included in the HIPAA Exception?
The HIPAA Exception does not apply to providers that provide faxing or emailing services to transmit or transport medical information. It also excludes organizations or businesses that store electronic PHI (ePHI).
Such entities are considered business associates (BA), and they must sign a BAA. BAs might include cloud hosting companies and fax, email, or SMS providers.
If you are working with an entity that provides these services and they will not sign a BAA, you should be very careful. Some will add CE protections like disabling automatic forwarding of emails and disabling SMS texting.
While this absolves them from having to sign a BAA, your organization could still be at risk of noncompliance.
EOS Can Help with Printing and Mailing Services
We are your one-stop-shop for marketing, printing and mailing services. If you are engaged in HIPAA mailings or any other healthcare marketing endeavors, you need a partner who understands the game. We offer an extensive range of services, and our knowledgeable team stays on top of the ever-evolving HIPAA exceptions and rules.
Contact us today to learn more about healthcare solutions.