I was recently asked whether the sending of an unencrypted group email to participants in a health-related support group violated HIPAA. Faithful blog readers can guess my first question: “Was the sender a covered entity, business associate, or subcontractor?” Many support group entities are non-profit organizations staffed by volunteers and do not meet the definition of a covered entity “health care provider” (or other type of covered entity) under the HIPAA regulations (see 45 CFR 160.103). Participants in support groups may expect the fact that they participate in the group and the information they disclose to be held in confidence by the organizers and other participants, but HIPAA may or may not protect that information. (Whether other federal laws, state laws, or codes of ethics may protect the privacy of the information is beyond the scope of this post.)
When HIPAA applies, support group organizers (and other providers) should remember to use caution when sending group emails. Does the group email list the email addresses of other participants? Not only does this listing of participant email addresses, by itself, potentially constitute protected health information (PHI), but a participant’s inadvertent “reply all” message (intended for a support group therapist alone, for example) raises sticky HIPAA issues. Health information disclosed by the individual to another support group participant falls outside the definition of “individually identifiable health information” under the HIPAA regulations and so is not HIPAA-protected PHI. Still, a covered entity should be very careful to limit how and when email and social media are used to communicate with both individual patients and members of a support group. While it does not solve the problem, perhaps all messages sent to more than one participant by a support group organizer should be sent as a “bcc” to limit disclosure.
The U.S. Department of Health and Human Services addressed whether covered entities have a “duty to warn” individuals who agree to receive unencrypted emails as a means of communication when it adopted the Omnibus Rule:
“We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. We disagree [with some commenters] that the “duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome … We do not expect covered entities to educate individuals about encryption technology and the information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party … .” [78 Fed. Reg. 5566, 5634]
Covered entities, business associates and subcontractors that get an individual’s permission to communicate via unencrypted email might want to include some type of bold warning as to the limits of HIPAA protection. Although voluntary participants in support groups may seem most likely to understand and to have agreed to the disclosure and use of their PHI within the group, it’s important to set ground rules and remind participants as to when (or whether) HIPAA applies – particularly if email or social media is involved. Before accepting email addresses or allowing individuals to participate in any other unencrypted means of electronic communication, a covered entity might want to put its HIPAA warning — or disclaimer — in big, bold, easy-to-understand writing.