Friday, September 07, 2012
By Dan Schulte, J.D.
MDA Legal Counsel
From the September 2012 issue of the Journal
Question: For some time now I have been sending patient X-rays by email to specialists and other dentists to whom I have referred a patient. I read an article recently stating that doing so is illegal and exposes me to claims from these patients. The article suggests that X-rays and other protected health information can only be sent electronically if I purchase and utilize an online secure “file sharing” program. Is this true?
Answer: Not exactly. Maintaining the privacy of protected health information (including X-rays) is required by HIPAA and Michigan law. You must comply with both the HIPAA Privacy Rule and the Security Rule. These rules require that you reasonably safeguard protected health information so that it is not used in an unauthorized manner. These rules do not, however, specifically outlaw the use of email as a means of transmitting X-rays or other protected health information. You are allowed to communicate electronically, including the sharing of X-rays and other protected health information, so long as you apply “reasonable safeguards” when doing so.
What constitutes reasonable safeguards will vary from practice to practice depending on the facts and circumstances. For example, how much and what types of protected health information are being transmitted electronically? How often is protected health information sent electronically? How much familiarity do you have with the intended recipient of the protected health information?
If you are emailing a patient’s protected health information directly to the patient, you should first obtain the patient’s consent to do so in writing. You should also have the patient verify his or her email address and disclose on the written form that the patient has taken reasonable steps on his or her end to protect the privacy of the information once it has been received.
If protected health information is being emailed to specialists and other dentists to whom you have made a referral, the same precautions should be taken. In addition, periodically you should review email addresses provided by patients and other dentists to verify that they remain accurate (especially if it has been a long time since you last used an email address).
Finally, you should know that HIPAA allows patients to request restrictions on the electronic transmission of their protected health information. For example, a patient could insist that email not be used or, if email is used, that secured electronic methods (e.g., encryption or a secured file-sharing program) be used. If this is the case, you must honor the patient request or not send his or her protected health information electronically.
If an unintended use or disclosure of a patient’s protected health information results from your electronic transmission of the information, your liability, if any, will depend on whether you used reasonable safeguards when electronically transmitting the information. Any liability will be minimized if reasonable safeguards were in place.
You should also know that you have an obligation to notify the affected patient any time you become aware that there has been an unintended use or disclosure of his or her protected health information. The amendments made to HIPAA effective in 2009 by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) require that the notice be in writing and sent by first-class mail unless the patient has agreed in advance to receive email communications. The HITECH Act requires that the notice be sent within 60 days of the discovery of the unintended use or disclosure. However, you should notify the patient as soon as possible to mitigate any damage caused by the unintended use or disclosure. The notice must include a description of what occurred, the date of the unintended use or disclosure (if known), the specific type of protected health information involved, and other information to put the patient in a position to best mitigate any harm or potential harm from the unintended use or disclosure.