We, as dental practitioners, have all become accustomed to communicating by email.
Paper and stamps are out of style now, perhaps gone forever. It has become common for us as dentists to electronically transmit information about our patients, including radiographs, to one another so that we can stay up to date on their care quickly and effectively. As far as we can see, patients appreciate that exchange; they understand that it benefits their care.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes national standards for the protection of certain health information. Its Security Rule sets a national set of standards for protecting electronic protected health information (e-PHI), that is, individually identifiable health information that is held or transferred in electronic form.
The Security Rule addresses the administrative, physical and technical safeguards that we, as healthcare providers, must put in place to secure e-PHI. Within the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) enforces the Privacy and Security Rules, investigates complaints and can impose civil money penalties; the Centers for Medicare & Medicaid Services (CMS) enforces HIPAA's transaction and code-set standards.
With the HITECH Act of 2009 and the enforcement rule that followed it, the HIPAA penalty structure was substantially revised. One of the most notable changes was in the sanctions that can be levied against us for a breach of patient information or for a violation of patients' rights under HIPAA. When HIPAA was first enacted, civil penalties were capped at $25,000 per year for all violations of an identical provision (the $250,000 figure often quoted is the maximum criminal fine, which has not changed). Now the civil cap is $1.5 million per year for each provision violated. Civil penalties are assessed against the practice; criminal penalties, under a separate statute, can be imposed on the individuals involved.
There are four tiers of civil penalties, based on the covered entity's level of culpability. Each non-compliant email containing PHI can be counted as a separate violation:
Level 1 The dentist did not know, and by exercising reasonable diligence would not have known, that the conduct violated HIPAA (for example, that ordinary email was not an acceptable way to send PHI). HHS may resolve this with a warning and corrective action, or impose a penalty starting at $100 per violation, capped at $25,000 per year for identical violations. At its discretion it may go as high as $50,000 per violation and $1.5 million per year. This is typically a slap on the wrist, and no criminal referral is involved.
Level 2 The violation was due to reasonable cause rather than willful neglect: you knew, or should have known, that ordinary email was not acceptable for PHI, but the violation was not a conscious disregard of the rules. Penalties start at $1,000 per violation, capped at $100,000 per year, and may run up to $50,000 per violation and $1.5 million per year.
Level 3 Willful neglect that is corrected within 30 days of discovery. This means that you understood what you were supposed to do, for instance per the instructions of a compliant email service provider, but chose not to do it. Examples would be forwarding messages from the compliant service to an ordinary personal email account (or vice versa), or refusing to use the supported email software or devices that make your communications secure. Penalties start at $10,000 per violation, capped at $250,000 per year, and may run up to $50,000 per violation and $1.5 million per year, provided you correct the violation within the 30-day window.
Level 4 Identical to Level 3 except that you fail to correct the violation within 30 days, even after being notified by HHS. This is the most severe tier, willful neglect left uncorrected. The penalty is $50,000 per violation, up to $1.5 million per year.
Criminal penalties are a separate matter and depend on intent rather than on these tiers. Knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA can bring a fine of up to $50,000 and one year in prison; doing so under false pretenses, up to $100,000 and five years; and doing so with intent to sell the information or to use it for commercial advantage, personal gain or malicious harm, up to $250,000 and ten years. HHS refers such cases to the Department of Justice (DOJ), which decides whether to press charges. These are not empty threats. On April 17, 2012, HHS levied a substantial fine against an Arizona physician group, in part to send a message to small healthcare practices. The cardiac surgeons had to enter into a resolution agreement to take corrective action and pay a $100,000 fine. Leon Rodriguez, director of the HHS Office for Civil Rights, stated that, “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” Have I gotten your attention yet?
| Tier | Civil penalty |
|---|---|
| Did not know of the violation | Up to $50,000 per violation, up to $1.5 million total per year |
| Reasonable cause, not willful neglect | Up to $50,000 per violation, up to $1.5 million total per year |
| Willful neglect, corrected within the allowed time frame | Up to $50,000 per violation, up to $1.5 million total per year |
| Willful neglect, left uncorrected | $50,000 per violation, up to $1.5 million total per year |
There are several suggestions I can offer to help you become a HIPAA-compliant dentist:
Secure Your Email and Attachments
Use an email or cloud provider (or reseller) that will sign a HIPAA business associate agreement with your practice, since any vendor that stores or transmits PHI on your behalf must be under one. Read the agreement before you sign it and keep the signed copy on file; a vendor's claim of being "HIPAA compliant" is not a substitute for the document.
Secure Your Network
If the computers in your office are networked, make certain that you have a firewall in place to keep out attackers who could otherwise reach your systems or intercept email exchanges. You should also run up-to-date anti-malware software on every workstation, since malware that steals stored data or captured credentials is a common route to a breach. Keep in mind that a firewall protects your office network only; once an email leaves it, only encryption protects the contents.
Accurate Email Addressing
When sending an email, it is imperative to verify that the recipient's address is correct. This reduces the chance of accidentally sending patient information to an unintended recipient, which is itself a HIPAA violation and, depending on the content, a reportable breach. Be especially careful with auto-completed addresses, which will happily fill in a similar name from your address book. This is a “no brainer”.
Email Confidentiality Notices
These are messages at the bottom of the email that state that the information in the email is private and confidential. The notice tells recipients that they should not forward or share the information with people who are not entitled to have it under HIPAA. It also lets a recipient who received the email by accident know that they should notify the sender immediately. Be aware that a notice is not a safeguard in itself: it does nothing to protect the contents from interception and does not make an unencrypted message compliant, so it complements encryption rather than replacing it. The message that I send with each email is:
“This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.”
You should also include a heading preceding any notes regarding healthcare communications stating “Confidential Patient-Related Information”.
To fulfill this HIPAA condition, I have started using a service that encrypts my uploaded email messages before sending them on to the recipient. In addition, the receiving party must enter a password (which I give out in advance) before opening the downloaded message.
In summary, while this brief article is not intended to cover the totality of the HIPAA rules, it is hoped that it gets you on the right path to avoiding civil or criminal penalties.
We have all rightfully become somewhat dependent on email to converse regarding patient care. It is the future of healthcare communication. This is a good thing and, as I tell patients, it puts all of us contributing to a patient's care on the same page.
With a small amount of effort on our part, we can continue to do good for our patients while avoiding having our wallets depleted by HHS.