Paubox blog: HIPAA compliant email made easy

How Paubox can help with HIPAA Right of Access

Written by Kapua Iao | July 13, 2021

Did you know that Paubox can help with the HIPAA Right of Access Initiative? HIPAA (Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve health coverage standards and combat fraud and abuse related to  protected health information (PHI). The HIPAA Privacy Rule establishes an individual’s right to access their PHI, which is why the U.S. Department of Health and Human Services Office for Civil Rights (OCR) created the HIPAA Right of Access Initiative in 2019 to support such requests.

RELATEDWhat is HIPAA? Or is it HIPAA? So how exactly can Paubox help covered entities make sure their patients have access to their own data while remaining HIPAA compliant?

 

HIPAA Privacy Rule

 

The HIPAA Privacy Rule (2003) created national guidelines for the protection of health records. Under the rule, healthcare providers must establish appropriate safeguards and set limits on PHI use and disclosure. More pointedly, the Privacy Rule spells out patients’ rights on accessing their own PHI. Upon request, a healthcare provider must provide an individual’s PHI, called a designated record set, within 30 days. Organizations may only charge a reasonable cost-based fee. A designated record set is comprised of:
  • Medical and billing records
  • Enrollment, payment, claims adjudication, and case or medical records
  • Other records used by a covered entity to make decisions about an individual

 

The Privacy Rule excludes some records, such as those kept to make certain quality assessments or general business decisions. This comprises two “expressly excluded” categories:

  • Psychotherapy notes (personal notes written by a mental healthcare provider)
  • Information compiled in anticipation of a civil, criminal, or administrative action or proceeding

 

A covered entity may deny access to these two types of records, but it must send a written explanation and all allowable records within the 30-day time limit. Improperly providing PHI or ignoring an individual’s request might result in an OCR investigation and HIPAA violation.

 

HIPAA Right of Access Initiative

 

OCR enacted the HIPAA Right of Access Initiative in 2019 to support individuals seeking copies of their medical documents. As of June 2021, OCR has settled 19 cases with healthcare providers for failure to provide access for a variety of reasons.

RELATED: OCR HIPAA enforcement continues during pandemic

Providing access to personal records creates happy, engaged patients who are more likely to play a role in personal health and care. According to HHS’ Right of Access guidance, “Putting individuals ‘in the driver’s seat’ with respects to their health . . . is a key component of health reform and the movement to a more patient centered health care system.” Patients make a claim to OCR if a healthcare provider fails to timely provide access. OCR may then offer the non-compliant organization "technical assistance" to facilitate access. If nothing changes, OCR will more than likely find the healthcare provider in violation of HIPAA. Which means signing a resolution agreement, paying a fine, and following a corrective action plan.

“Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said (then) OCR Director Roger Severino in 2020. “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”

 

How does email security tie in?

 

Some healthcare providers may think they can’t or shouldn’t send requested PHI through email. Some also believe that the Privacy Rule does not allow electronic communication, but this is not the case. In fact, HIPAA requires a healthcare provider to share PHI in the form and format requested. The Privacy Rule (and the Security Rule) offers guidelines for sending and receiving electronic PHI (ePHI) securely, including via email.

RELATED: Understanding and implementing HIPAA rules

Email security is a comprehensive set of safety measures to secure email communication in storage and in transit, both inbound and outbound messages. Strong email security is necessary because email is the number one threat vector (i.e., access point) into any system.

 

Protect and secure—Paubox Email Suite

 

With Paubox Email Suite, healthcare providers safely transmit ePHI via email because our patented software automatically encrypts all outgoing messages by default.

RELATEDHow to get employees to use encrypted email

We recently also added a  Zero Trust Email feature for our Plus and Premium customers. Zero trust provides an extra layer of protection that ensures incoming messages are genuine and not malicious in any way.

RELATED: Why America needs zero trust email

Paubox Email Suite easily integrates with other email platforms such as Google Workspace and  Microsoft 365. No need for patient portals or third-party apps to send HIPAA compliant email to patients. In other words, Paubox is perfect for healthcare providers needing to provide patient access to their PHI without stress or fuss. Avoid data breaches and HIPAA violations by choosing strong cybersecurity from the beginning. Look into Paubox today to ensure you are on the right side of OCR’s Right of Access Initiative.