HIPAA requires that protected health information (PHI) transmitted
over public networks, such as the Internet, remain private, and that
health care providers take steps to keep this information from being
disclosed. PHI includes all individually identifiable clinical
information, such as medical history, lab results and pharmacy
prescriptions, and also identifiable payment and billing records for a
patient's care. A general price list for procedures that identifies no
patient is not PHI. Since practice web sites invite email correspondence
from potential or current patients, and that correspondence may contain
PHI, practice web sites must be HIPAA compliant.
For the practice web site to meet the HIPAA requirements, it must
include certain components. First, it should include the applicable
federal (HIPAA) and state privacy guidelines and disclaimers. Second, it
should provide the practice privacy notice, which in turn should define
exactly what comprises protected health information and outline how and
when this information can be released, such as for billing a health
insurance company or for communicating with a diagnostic testing facility
(e.g. x-rays, MRIs, CT scans). Third, if the practice web site does not
use a secure email network, it should display an email privacy warning
statement informing the patient that ordinary email is not secure and
that protected health information should therefore not be sent through
it.
Additionally, the HIPAA Security Rule set a compliance deadline of
April 20, 2005 for health care providers to guard electronic PHI,
including PHI contained in email, against unauthorized access while it
is transmitted over electronic networks (encryption is an "addressable"
specification, meaning a provider must implement it or document an
equivalent safeguard). For a transmission to be considered secure, three
elements are necessary:
1) Authentication – verification that the senders and receivers of the
information are who they claim to be (each user must have a unique
username and a credential such as a password; HIPAA requires unique user
identification and person or entity authentication)
2) Non-repudiation – evidence that a sender cannot later deny having sent
a message; in practice this means a digital signature made with a key
that only the sender holds. A shared password or shared secret does not
provide it, because either party could have used it.
3) Integrity – verification that the information has not been altered in
transit, established by a cryptographic check on the message itself (a
message authentication code or a signature) rather than by assuming the
network "cannot be easily hacked" or "broken into"
In other words, to be considered "secure" under HIPAA guidelines, the
email network used by the practice must require that each user have a
unique username and password, and must transmit data in a way that
prevents it from being read or altered by an entity outside the network,
which in practice means encryption in transit together with an integrity
check on each message. Einstein has implemented a secure email network
that meets these criteria. This network is similar in design, function
and security to those used by the banking and financial industries for
monetary transactions over the Internet.
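The difference between integrity and non-repudiation in the list above is easy to blur, so here is an added Go example (written for this page; it is not code from Einstein Medical's network and does not describe how that network is built) that shows both on a constructed message. The sender address, the lab value and the key material are all made up. An HMAC keyed with a secret shared by both ends catches a message altered in transit, but because the receiver holds the same key it could re-tag an altered copy itself; an Ed25519 signature made with a key only the sender holds still fails on that copy, which is the property non-repudiation names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Message is a constructed stand-in for one transmission over a secure
// e-mail network. Tag and Sig are the two verifiers the sending side attaches.
type Message struct {
	Sender string
	Body   []byte
	Tag    []byte // HMAC-SHA256 over Sender and Body, keyed with a secret both ends share
	Sig    []byte // Ed25519 signature over the same bytes, made with the sender's private key
}

// canonical length-prefixes the sender so that ("ab","c") and ("a","bc")
// cannot yield the same bytes to authenticate.
func canonical(sender string, body []byte) []byte {
	out := []byte(fmt.Sprintf("%d:%s", len(sender), sender))
	return append(out, body...)
}

// Seal attaches both verifiers to an outgoing message.
func Seal(sender string, body []byte, sharedKey []byte, priv ed25519.PrivateKey) Message {
	data := canonical(sender, body)
	mac := hmac.New(sha256.New, sharedKey)
	mac.Write(data)
	return Message{Sender: sender, Body: body, Tag: mac.Sum(nil), Sig: ed25519.Sign(priv, data)}
}

// VerifyIntegrity recomputes the HMAC. A match proves the bytes were not altered
// in transit and came from a holder of the shared key. Since the receiver holds
// that same key, the tag cannot show a third party which end produced the
// message: this is integrity plus peer authentication, not non-repudiation.
func VerifyIntegrity(m Message, sharedKey []byte) bool {
	mac := hmac.New(sha256.New, sharedKey)
	mac.Write(canonical(m.Sender, m.Body))
	return hmac.Equal(mac.Sum(nil), m.Tag) // constant-time comparison
}

// VerifyOrigin checks the signature with the sender's public key. Only the
// private-key holder could have produced it and the receiver cannot forge it,
// so the sender cannot later deny sending the message: non-repudiation.
func VerifyOrigin(m Message, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, canonical(m.Sender, m.Body), m.Sig)
}

// Result records what each verifier reports for each copy of the message.
type Result struct {
	IntactIntegrity, IntactOrigin     bool
	TamperedIntegrity, TamperedOrigin bool
	ForgedIntegrity, ForgedOrigin     bool
}

// Scenario seals a constructed lab result, then checks an intact copy, a copy
// altered on the path, and a copy altered and re-tagged by the receiver.
func Scenario() (Result, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	sharedKey := make([]byte, 32)
	if _, err := rand.Read(sharedKey); err != nil {
		return Result{}, err
	}
	// Constructed sample content; not real patient data.
	msg := Seal("dr.smith@example-practice.test", []byte("HbA1c 6.1% for patient 0042"), sharedKey, priv)

	var r Result
	r.IntactIntegrity = VerifyIntegrity(msg, sharedKey)
	r.IntactOrigin = VerifyOrigin(msg, pub)

	// Someone on the network path changes one digit; both verifiers reject it.
	tampered := msg
	tampered.Body = []byte("HbA1c 9.1% for patient 0042")
	r.TamperedIntegrity = VerifyIntegrity(tampered, sharedKey)
	r.TamperedOrigin = VerifyOrigin(tampered, pub)

	// The receiver also holds sharedKey and can re-tag the altered body, so the
	// HMAC passes; only the signature still exposes the change.
	forged := tampered
	mac := hmac.New(sha256.New, sharedKey)
	mac.Write(canonical(forged.Sender, forged.Body))
	forged.Tag = mac.Sum(nil)
	r.ForgedIntegrity = VerifyIntegrity(forged, sharedKey)
	r.ForgedOrigin = VerifyOrigin(forged, pub)
	return r, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Run with `go run .`; the intact copy passes both checks, the copy altered on the path fails both, and the copy re-tagged by the receiver passes the HMAC but fails the signature. Neither verifier hides the message body; confidentiality in transit comes from encryption (TLS on the mail connection or encryption of the message itself), which this example deliberately leaves out.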
Posting an email privacy warning statement
on the practice web site is unnecessary so long as the web site’s
email is transmitted over a secure network; however, a consent statement
is still needed. The consent statement informs the sender that he
or she has entered a secure network and requests the sender’s
“consent” to transmit private, protected health information
over the network.
Einstein Medical