HIPAA Compliance Spotlight: Guidelines for Electronic Communications

Written by Abby Nieten on January 25, 2018

Posted in Healthcare, IT + Security

If you work in the healthcare industry, HIPAA is king. But with countless guidelines, harsh blind spots, and steep consequences for violations, it can be a tough king to serve—particularly when it comes to electronic communications like email and social media.

HIPAA applies to both the storage and transfer of electronic protected health information, so electronic communications that may include patient data must be handled with care. This includes email communication between patients and healthcare providers, as well as social posts from healthcare companies and their employees. As more patients adopt an email communication preference and more healthcare providers succumb to the pressures of maintaining a social presence, the possibilities of HIPAA violations grow.

To ensure you’re taking the necessary steps to uphold HIPAA compliance standards in your electronic communications, follow these guidelines:

#1: Validate Your Email Security

If you’re sharing sensitive patient data via email, you must use encryption to protect patient privacy. How do you ensure your emails are encrypted and fully HIPAA compliant? Here are a few tips:

  • Adopt a HIPAA compliant email service.
  • Check your current email client for an encryption security setting and request a signed business associate agreement.
  • Set up a secure patient portal for provider-patient communications.
  • Avoid including electronic protected health information (ePHI) in the body of your emails.
  • Manually encrypt any ePHI files sent via email.
  • Include a privacy statement at the bottom of every email.

#2: Get Proper Patient Consent

Consent is an important—and necessary—part of ensuring patient privacy. If you want to engage patients in any sort of electronic communication, you must get them to accept the inherent risks and provide documented consent. Here are some scenarios where this consent is a must:

  • Before communicating with your patient via email
  • Before transmitting any sensitive patient data via email
  • Before publishing a patient testimonial on your website
  • Before sharing a patient photograph on your social channels
  • Before posting details of a patient procedure on your social channels

#3: Create Detailed Office Policies

To ensure HIPAA data privacy remains a top priority for employees during email or social media exchanges, you should develop clear office policies for these types of communication. Here are some of the guidelines your policies should include:

  • When and where to share privacy statements
  • What types of information may or may not be sent via email
  • How to avoid HIPAA pitfalls when using social media
  • Which employees may or may not transmit ePHI
  • When to obtain patient consent

#4: Err on the Side of Caution

If you want to stay on the right side of HIPAA, the best policy is to be extremely cautious about the information you share electronically. Simply avoid any electronic communication that falls into a HIPAA compliance gray area. Here are a few best practices to get you started:

  • Don’t publish a social post that includes any details about a patient’s circumstances
  • Establish appropriate electronic boundaries with patients
  • Don’t give medical advice via email or social comment
  • Allow just one or two individuals to post to social media on your office’s behalf
  • Don’t address complaints on social media

Formstack offers HIPAA compliant online forms that can help you securely collect and transmit patient data. Click below to learn more.