Disclaimer: I am not a lawyer and do not offer legal advice. The others quoted in this post are offering general information or interpretation and not specific legal advice or any statement of fact.
For more background on this topic, check out my previous post “Practice Fusion Violates Some Physicians’ Trust in Sending Millions of Emails to Their Patients”
When I first started looking into the millions of emails that Practice Fusion was sending to patients, doctors were suggesting that these emails constituted a HIPAA violation. Practice Fusion has responded in my previous post that “The patient email reminder and feedback program is absolutely HIPAA compliant, under both the current and new Omnibus rules. We conduct thorough compliance research with every single new feature we launch.” I wanted to explore the HIPAA concerns regarding emails like these, so I talked to a number of HIPAA lawyers and experts. I believe the following look at HIPAA and emails will be informative for everyone in healthcare that’s considering sending emails.
Before I go into a detailed look at sending emails to patients, it is worth noting that under HIPAA emails can be sent to patients by doctors if the doctor has used “reasonable safeguards” and patients have agreed to email communication with their doctor. The following is a great HHS FAQ on use of email and HIPAA where this is outlined.
This leaves three HIPAA related questions:
1. Is Practice Fusion legally allowed to use the information in their EHR to send these emails?
2. Does the email contain Protected Health Information (PHI) that is being sent in an unsecured and not encrypted email?
3. Can Practice Fusion publish the provider reviews on their website?
Is Practice Fusion legally allowed to use the information in their EHR to send these emails?
The core of this question is whether the Practice Fusion user agreement (the version publicly available on the Practice Fusion website) allows the use of patient data contained in the Practice Fusion EHR for sending out these emails. Following are comments from William O’Toole, founder of the O’Toole Law Group regarding the user agreement:
I am not providing specific legal advice or opinion here, and I have no strong feelings about Practice Fusion one way or the other. That said, I find this issue extremely interesting and hope I can provide some direction and some interpretation of the law. Capitalized terms are defined under HIPAA and by now are familiar to all, so I will not define or elaborate.
The Practice Fusion Healthcare Provider User Agreement includes a section that, as between Practice Fusion and its customers, grants Practice Fusion the right to use a provider’s PHI (though I argue it is not the provider’s, it is the provider’s patients’ PHI, but I digress) to contact patients on the provider’s behalf, for various purposes, including “case management and care coordination” which is legally permitted. The conclusion can be easily drawn that Practice Fusion (or any other vendor doing the same) relies on this connection in claiming that its patient email is permitted under this section of the law, even if it contains PHI. Note – the topic of secure email is left out of this discussion.
Based on the user agreement, it seems like Practice Fusion is allowed to send out these rating and review emails to patients. William O’Toole does offer a reminder for providers:
This is an important message for all providers to read and understand the user agreements they sign.
Does the email contain PHI that is being sent in an unsecured and not encrypted email?
You can see the contents of the ratings emails here (Note: The masked area is the name of the physician). Here’s Mac McMillan’s, CEO of CynergisTek and Chair of the HIMSS Privacy and Security Task Force, analysis of the emails:
The issue here is whether or not by the information included you can discern any protected information about the individual(s) involved. On the surface the email appears benign and does not include any specific Protected Health Information (PHI) and if coming from a general practitioner it would be near impossible to guess let alone determine for sure the purpose of my visit or my medical condition. Meaning I could have gone there for something as simple as a checkup, to refill a prescription, or I could have gone there for treatment of some ailment, but you don’t know and can’t tell by this simple email. Some would argue that this is no different than when Physicians communicate with their patients now via regular mail or email. The problem though is that not everyone may agree with this, and the consumer who may not be thinking rationally may take issue under certain circumstances. For instance, what if the email came from Planned Parenthood to a seventeen year old, or an AIDS clinic, or a specialty center handling a certain form of cancer, or a psychiatrists office? In these cases just the name and the identity of the covered entity potentially provides insight into the individual’s medical condition and therefore their personal health information. A patient might, whether legitimate or not, attempt to make the case that their privacy has been violated if others were to see this email who were not intended to like other family members, neighbors, employers, etc. I think this is really stretching it, but who knows how a Privacy attorney might see it?
Can Practice Fusion publish the provider reviews on the Patient Fusion website?
Hopefully this discussion around emails in healthcare will help more companies understand the intricate HIPAA requirements for email communication with patients. I see email communication increasing over the next couple years as more doctors realize the benefit of it. Plus, a whole new generation of patients wants that type of communication with their provider. We just have to make sure that we continue to respect patient’s privacy in the process. Making sure your emails are HIPAA compliant is not a simple task.
Practice Fusion sent me the following comment:
Practice Fusion’s goal is to create transparency in healthcare without compromise. It is critical that patients seeing any doctor on our platform understand the quality of their doctor. And, therefore, doctors using our free online scheduling application are required to make their reviews available to the public. Practice Fusion offers the only service on the market that validates a patient review was based on an actual visit. No PHI is ever shared in these communications.