TILT Magazine

Page 29

www.onlinetherapyinstitute.com

Counselors who don’t transmit their clients’ private health information to assess eligibility under a health plan are unaffected by the HIPAA regulations. See 68 Fed. Reg. 8372 (“Health care providers that do not conduct electronic transactions for which standards have been adopted are not affected by these regulations.”).

For those who do use their clients’ private health information for the transactions above, HIPAA's Privacy Rule aims to protect all "individually identifiable health information held or transmitted by a covered entity . . . in any form or media, whether electronic, paper, or oral." This information, which includes demographic data, covers records of the individual’s past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

The two primary general requirements under the HIPAA security rule are that covered entities must:

• Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
• Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

Covered entities “may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications . . .” 45 C.F.R. § 164.306. In other words, using a program to encrypt emails would be one method, but other methods of protection are allowable.

LEGAL BRIEFS

The HHS makes it clear that simply "using electronic technology, such as email, does not mean a health care provider is a covered entity." Rather, "the transmission [of protected health information] must be in connection with a standard transaction." (HIPAA Privacy Rule Summary, p. 2).

Yale University, for example, has established certain guidelines for its healthcare professionals that require any patient-professional electronic communications to be transmitted using a "secure messaging service." This type of service does not encrypt the message. Rather, it stores the message on a secure server for retrieval by the recipient upon notification that a new message is waiting for him or her. Yale’s protocol allows patient-provider communication by standard email, but only after the patient consents to the increased risk, and all emails must contain a privacy notice.

Regardless of how clients’ private health information is used, online counselors are well advised to take certain precautions, especially if any of the information transmitted to clients may eventually be used in one of the HIPAA-covered transactions. Indeed, it is simply prudent to do what you can to safeguard your clients’ private health information. I’ve written elsewhere about legal reasons you would want to do that. And if you’re using secure email for clients whose care involves health insurance, you may as well use it for all of your clients.

In sum, HIPAA requires that your clients' private health information be protected in some fashion if you transmit it for certain insurance-related purposes. It does not mandate encryption for all health-related communications regardless of the context. Still, if you

TILT Magazine, November 2010


