Cloud solutions that are HIPAA compliant for private practice

HIPAA compliance is a major headache when setting up the tech infrastructure for a new private medical practice. While the intent of the law is great (protect patients!), the regulations of HITECH and HIPAA are really confusing. Simply put, you need to be able to interpret issues at the intersection of medicine, law, and computer science.

Here are three tips to help make sure you’re HIPAA compliant.

1. Google Apps and Amazon AWS are now eligible to be HIPAA compliant as of September 2013!

This is a big deal. Gmail and Google Calendar are clearly the easiest way to set up a small private practice with top-notch email/scheduling, and Amazon AWS is the tech infrastructure of choice for many companies. Previously, the two companies refused to sign a “Business Associates Agreement” (BAA), which outright excluded them from being HIPAA compliant. However, they now sign them. So, you can now use Google Calendar for scheduling, hooray! Make sure to get the form signed by Google.

Friendly reminder: I don’t think this means you should just go to google.com and sign up for a new account. For the HIPAA compliant one, make sure to create a Google Apps account and then spend time locking down privileges and making the overall account compliant with the parts of HIPAA related to access control, etc.

2. Email should basically never have ePHI / customer information, but sometimes it can. (Confused yet?)

If you use Google Mail, that’s fine — you can send all the emails you want, as long as they don’t contain ePHI to start. The one interesting exception is that you can send appointment reminders as long as the patient has agreed to these emails beforehand. Here’s a post from EHR company practicefusion:

So, even though an emailed appointment reminder is, technically, PHI, it can be done routinely if there is consent by both parties to do so. A patient must be allowed the ability to opt-out of email reminders – application developers need to include this, and not build something that forces a blanket approach for everyone. In fact, setting “patient contact preferences” (email, phone, regular mail) is a Meaningful Use and Certification requirement, and addresses this issue. So long as there is mutual understanding and consent to use unencrypted email for certain “non-health data” communications, then such a feature is ok (despite “technically” being PHI).

The clearest governmental document about email is here: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/safeguards.pdf

Nuggets in that document:

a) It looks like a physician can email another physician with PHI as long as it is for the purpose of “treatment”.

Yes. The Privacy Rule allows covered health care providers to share PHI
electronically (or in any other form) for treatment purposes, as long as they apply
reasonable safeguards when doing so. Thus, for example, a physician may
consult with another physician by e-mail about a patient’s condition, or health
care providers may electronically exchange PHI to and through a health
information organization (HIO) for patient care.

One note about this: I don’t know if it means that you can email across domains — e.g. the email sender and recipient most likely need to have the same email address domain (like @yourhospital.com). I think this is a grey area.

b) It seems pretty clear that email can never be used by a physician to initiate a discussion with a patient including ePHI.

It’s confusing because the FAQ says that yes, you can use email, but you still have to comply with the “security rule”. I read the security rule as saying that ePHI must always be encrypted, and email isn’t during transmission. So, what I think the FAQ is trying to say is that a physician can use email to send non-PHI info to patients like, “Call me ASAP”, or “You have an appointment coming up.” However, PHI still needs to be kept out of email body text. The one exception seems to be if the patient starts the discussion and includes PHI — then the patient is implicitly waiving their right to the security rule, and so an email discussion can include PHI both ways.

“Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?”

Yes. The Privacy Rule allows covered health care providers to communicate
electronically, such as through e-mail, with their patients, provided they apply
reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example,
certain precautions may need to be taken when using e-mail to avoid
unintentional disclosures, such as checking the e-mail address for accuracy
before sending, or sending an e-mail alert to the patient for address confirmation
prior to sending the message. Further, while the Privacy Rule does not prohibit
the use of unencrypted e-mail for treatment-related communications between
health care providers and patients, other safeguards should be applied to
reasonably protect privacy, such as limiting the amount or type of information
disclosed through the unencrypted e-mail. In addition, covered entities will want
to ensure that any transmission of electronic protected health information is in
compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164,
Subpart C.

Note that an individual has the right under the Privacy Rule to request and have a
covered health care provider communicate with him or her by alternative means
or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For
example, a health care provider should accommodate an individual’s request to
receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a
reasonable, alternative means for that provider to communicate with the patient.
By the same token, however, if the use of unencrypted e-mail is unacceptable to
a patient who requests confidential communications, other means of
communicating with the patient, such as by more secure electronic methods, or
by mail or telephone, should be offered and accommodated.

Patients may initiate communications with a provider using e-mail. If this
situation occurs, the health care provider can assume (unless the patient has
explicitly stated otherwise) that e-mail communications are acceptable to the
individual. If the provider feels the patient may not be aware of the possible risks
of using unencrypted e-mail, or has concerns about potential liability, the
provider can alert the patient of those risks, and let the patient decide whether to
continue e-mail communications.

3. Encrypt every computer you can.

Every computer in the office should have operating system-based encryption turned on. Both Mac OS X and Windows 7 & 8 support whole-drive encryption. If you turn this on, you are going to be in a much happier place if the computer ever disappears (stolen/lost). One similar note: Amazon has a new remote desktop application called Amazon Workspaces. This looks really cool and could help make sure that PHI stays secure. The best combination is probably having the thin local computers (your desktops & laptops) have drive encryption turned on, and then have those computers log on to Amazon Workspaces. All PHI is stored safely on Workspaces (you’ll have to encrypt it there too, etc.).

That’s all I have for now about HIPAA. What a mess.

Disclaimer: I am not a lawyer, so you use any information/opinions in this post at your own risk. I take no responsibility for anything. Heh.

Update 2/9/2014: There was a lot in the news about how Box (formerly Box.net) was signing BAAs and therefore can be HIPAA compliant. Turns out that they will only sign a BAA for their top two levels of paid service, specifically “Enterprise” or “Elite”. Since I’m working on getting a solo private practice set up, their Enterprise plan doesn’t make any sense — we literally have 1 employee, so buying anything “Enterprise” level is simply out of the question. Then the “Elite” plan is so awesome it doesn’t even have a price on the website. Enterprise costs $35/month, or $420 basically to just sign this BAA document. My recommendation for solo practices is NOT to use Box, but rather to use Google Apps for Business. The cost is $5/month, and Google will sign a BAA at that level. You get not just Google Drive (which is near as makes no difference Box), but also email, calendar, etc. It’s a far better deal.

One comment

  • July 14, 2014 - 12:56 pm

    Great information. Thank you. Some corrections:

    No patient can give implicit authorization.
    Simply the patient’s name if it’s associated with the name of the doctor’s office, or covered entity, turns it into protected health information.

    The data has to be encrypted during transmission and secure inside the cloud, hard drives on servers.

    I was looking for information on what to turn on in Google Apps to make sure proper logging is happening on the drive and elsewhere for future auditing purposes. I need to keep track of who and what/when files a person accessed for example.
