Recently, I receive a frantic email from an orthodontic client. A team member had emailed a patient’s diagnostic letter to the referring dentist. But the patient had specifically stated she did not want any of her information emailed unless it was encrypted.
To make matters worse, the unencrypted email was discovered by another employee. Despite annual HIPAA training, the noncompliant employee had not voluntarily admitted her error.
If you were this doctor what would you do next? Ignore the situation? Tell the patient? Wait for the patient to mention it?
Risk management implications
Under the Privacy Rule, patients have a right to request confidential communications and in this case the doctor agreed. This is not an unreasonable request, especially when unencrypted email is used — as was the case for this office.
The protected health information was shared for treatment purposes, which is permissible under the Rule, as long as appropriate safeguards are used to protect the patient’s privacy. Remember, email travels through cyberspace completely in the open – all of it is readable by anyone who can monitor network traffic or access email accounts. The only safe harbor the Department of Health and Human Services recognizes is encryption.
However, that leaves the issue of whether or not to tell the patient.
The doctor and I agreed that the patient needed to be informed and an apology was in order. A letter was sent, followed by a phone call. Surprisingly, after listening to the dentist explain the situation, the patient stated she already knew this had occurred and that she appreciated the doctor’s honesty.
What if the doctor had gambled and didn’t tell the patient? Consider an alternate ending to this incident:
After learning from the receptionist at her general dentist’s office that her information had been emailed, the patient becomes angry and exercises her right to file a complaint with the Office of Civil Rights (OCR). Suddenly the doctor is being investigated by the OCR, with the possibility of steep fines and damage to his business reputation.
Which ending did you choose? In the end, there are two morals in this situation. First, knowledge — and implementation — of the Privacy Rule is imperative. Second, honesty is the best policy. It promotes your philosophy of care and will save you headaches in the long run.