According to HIPAA expert Nancy Wheeler, J.D., of the American Counseling Association, when sending PHI (Personal Health Information) by email (which is likely to include any email that identifies the recipient as a client or patient of a counseling practice), a counselor may use email only if the client has been advised of the risks and unsecured nature of email communication and still requests the use of email.
Note: the above description applies to normal, unencrypted email communication. Encrypted email may not require any of the above disclosures or client agreement, provided the encryption meets standards acceptable under HIPAA, including 128-bit encryption.
Just remember that Covered Entities and Business Associates should be focusing on the true merits of HIPAA compliance, and that means putting in place documented HIPAA information security and operational policies, procedures, and processes. I’ve worked with so many healthcare providers that lack the basic and fundamental documentation for HIPAA compliance, so it’s easy to see why non-compliance issues are still a major factor with HIPAA. I also hear healthcare companies express cost concerns about developing such documents, along with implementing risk assessment and security training initiatives, but with all the free and cost-effective tools available (some of them straight from hhs.gov!), there’s really no excuse for not being HIPAA compliant. Everyone needs to be ensuring the safety and security of PHI; it’s really that simple.