Icenogle & Associates, LLC
Providing Comprehensive Health Law Services Throughout Wisconsin

August 2014 Archives

Does e-mail sent to patients have to be encrypted?

Many physicians are being asked by patients to communicate via email and that raises various privacy, HIPAA, and physician liability questions.  Do email communications violate privacy regulations or whether, if you can use e-mail, must the e-mail be encrypted?  The short answer to the first question is yes, you can communicate with patients via e-mail.  The answer to the second part is more difficult.  You can, under HIPAA, communicate via unencrypted e-mail but only if the patient has been notified of the risk and agrees.  From the HIPAA Final Security Rule comments on January 25, 2013:  "We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. We disagree that the ''duty to warn'' individuals of risks associated with unencrypted email would be unduly burdensome on covered entities and believe this is a necessary step in protecting the protected health information. We do not expect covered entities to educate individuals about encryption technology and the information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual's request. Further, covered entities are not responsible for safeguarding information once delivered to the individual."  Beyond HIPAA, you cannot just ignore possible state laws on privacy and physician liability.  However, in this case, in Wisconsin, there is no further state law on the subject.  So yes, if you have notified the patient's of the risks you can send unencrypted email.  The notifications required can be learned by contacting your health law attorney. 

Assistant Physician, not Physician Assistant

In a move that creates some confusing liability issues for physicians, to say nothing of quality of care issues for patients, the State of Missouri has now allowed for a license called an "assistant physician" to be issued to someone who has been graduated from any medical school and has completed steps 1 and 2 of the USMLE but has not completed any residency training.  These folks will be allowed to call themselves "doctor" and be allowed to practice as regular doctors.  Interestingly, the state of Missouri has traditionally placed more restrictions on nurses than most states and does not allow for independent practice by advanced practice nurses as many states have done to help ease the primary care physician deficit.