Category Archives: HIPAA


HIPAA regulations for Email

This has been one of the most debated topics since the changes to the Health Insurance Portability and Accountability Act were enacted in 2013. Of particular relevance is the language of the HIPAA Security Rule, which, although it does not expressly prohibit the use of email to communicate PHI, introduces a number of requirements that must be met before email communications can be considered HIPAA compliant.

A few things need to be kept in mind. The HIPAA email rules require covered entities to implement access controls, integrity controls, ID authentication and transmission security in order to restrict access to PHI.

Covered entities must monitor how PHI is communicated, ensure the integrity of PHI at rest, ensure 100% message accountability, and protect PHI from unauthorized access while it is in transit.

Many HIPAA covered entities have argued that encryption is sufficient to make email HIPAA compliant. However, the HIPAA email rules do not cover encryption alone.

Encryption alone does not fulfill the audit control requirement (monitoring how PHI is communicated) or the ID authentication requirement (ensuring message accountability).

Moreover, some of the required functions, such as creating an audit trail and preventing the improper modification of PHI, are complex to implement.

So, although email can be HIPAA compliant, it requires significant IT resources and a continuous monitoring process to ensure that authorized users are communicating PHI in adherence with the organization's policies for HIPAA compliant email. The burden is smaller where an organization uses an internal email network protected by a proper firewall, since the transmission-security concerns arise mainly when messages leave that network; the access-control, integrity and audit requirements still apply to the PHI that internal messages carry.

HIPAA regulations for email do not ban sending ePHI by email, but there is still the question of how to send email and remain HIPAA compliant.

Although the regulation classifies the encryption of ePHI sent by email as an "addressable" implementation specification, "addressable" does not mean "optional": a covered entity must either implement the specification or document why doing so is not reasonable and appropriate and implement an equivalent alternative measure. In practice it is a requirement that has to be complied with if organizations are to avoid substantial financial penalties following a breach of ePHI.

Is it a HIPAA Violation to Email Patient Names?

It is not a violation to email patient names, but names and other PHI should not be placed in the subject line of an email. One reason is that a name in the subject line is easily seen by unauthorized individuals, for example in a mailbox preview or a screen notification. The other is that while the body of a message may be encrypted (for example with S/MIME or PGP), the header fields (From, To and Subject) are not: they remain readable on every mail server the message passes through and are copied into server logs, so PHI placed there can lead to a data breach.
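The practical control that follows from the two points above (audit control, and no PHI in cleartext headers) is an outbound-mail policy check. The block below is an added example written for this page, not code from the original post or from any product it mentions. It assumes a mail system that can hand each outbound message to a policy hook as raw RFC 5322 text (Postfix content filters and Exchange transport agents both offer this); the hook name `check_outbound`, the identifier patterns, the patient roster and the sample messages are all constructed for illustration. It rejects messages whose Subject header carries patient identifiers, and writes an audit record that names sender, recipients and decision without itself leaking the offending subject.

```python
"""Outbound-mail policy hook: block PHI in cleartext headers, keep an audit trail.

Added example for this page, not the page's own code. Patterns, roster and
sample messages are constructed; tune them for a real deployment.
"""
import hashlib
import json
import re
from datetime import datetime, timezone
from email import message_from_string, policy

# Constructed identifier patterns. A real deployment would pair these with a
# lookup against the patient index rather than an inline roster.
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN[\s:#-]*\d{6,10}\b", re.I),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)[\s:]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
}
PATIENT_ROSTER = {"jane doe", "john q. public"}  # constructed sample roster


def scan_subject(subject):
    """Return the labels of PHI indicators found in a Subject header."""
    findings = [label for label, pat in PHI_PATTERNS.items() if pat.search(subject)]
    lowered = subject.lower()
    if any(name in lowered for name in PATIENT_ROSTER):
        findings.append("patient_name")
    return findings


def redact_subject(subject):
    """Alternative to rejecting: strip identifiers so the header is safe in cleartext."""
    for pat in PHI_PATTERNS.values():
        subject = pat.sub("[REDACTED]", subject)
    for name in PATIENT_ROSTER:
        subject = re.sub(re.escape(name), "[REDACTED]", subject, flags=re.I)
    return subject


def check_outbound(raw_message, now=None):
    """Policy decision plus audit record for one outbound message.

    Only headers are inspected: From/To/Subject travel in cleartext even when
    the body is end-to-end encrypted, and every relay copies them into logs.
    The audit record stores a hash of the subject, never the subject itself,
    so the audit trail does not become a second copy of the PHI.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "")
    findings = scan_subject(subject)
    decision = "reject" if findings else "accept"
    audit = {
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "message_id": str(msg["Message-ID"] or ""),
        "from": str(msg["From"] or ""),
        "to": str(msg["To"] or ""),
        "subject_sha256": hashlib.sha256(subject.encode("utf-8")).hexdigest(),
        "findings": findings,
        "decision": decision,
    }
    return decision, audit


# Constructed sample messages (bodies stand in for encrypted content).
SAMPLE_BAD = """From: nurse@clinic.example
To: dr.smith@partner.example
Subject: Jane Doe MRN 00123456 lab results
Message-ID: <a1@clinic.example>

(S/MIME-encrypted body would follow here)
"""

SAMPLE_OK = """From: nurse@clinic.example
To: dr.smith@partner.example
Subject: Lab results for your review
Message-ID: <a2@clinic.example>

(S/MIME-encrypted body would follow here)
"""

if __name__ == "__main__":
    for raw in (SAMPLE_BAD, SAMPLE_OK):
        decision, audit = check_outbound(raw)
        print(json.dumps(audit))  # one JSON line per message for the audit log
```

The hook makes the two requirements the text separates visible in one place: the decision enforces the "no PHI in headers" rule, and the JSON audit line is the message-accountability record that encryption alone never produces. Whether to reject or to redact with `redact_subject` is a policy choice; rejection is safer because a redacted subject may still reveal that a patient relationship exists.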


Clarifying the HIPAA Retention Requirements

HIPAA retention requirements are fairly simple. In this article we discuss which records need to be retained and for how long.

The first thing to remember is that there is no HIPAA medical records retention period. The Privacy Rule does not state how long medical records must be retained. Instead, each state sets its own requirements for the retention of medical records in its laws, and it is the duty of covered entities and business associates to know the laws of the states in which they operate.

Ultimately, the retention periods differ by type of record and by who owns it. Below are the medical records retention policies of some states:

Florida: Physicians must maintain medical records for at least 5 years, and hospitals must maintain them for 7 years.

Nevada: Health care organizations must retain medical records for at least 5 years. Medical records of minors must be kept until the patient reaches 23 years of age.

North Carolina: Hospitals must keep medical records for 11 years from the date of the patient's discharge. Medical records of minors must be kept until the patient reaches 30 years of age.

Although HIPAA does not lay down a retention requirement for medical records, there is a retention requirement for other HIPAA-related documentation. 45 CFR §164.316(b)(2)(i) specifies that covered entities and business associates must retain the documentation required by the Security Rule for at least six years from the date of its creation or the date when it was last in effect, whichever is later; the Privacy Rule (45 CFR §164.530(j)) imposes the same six-year period on its own required documentation.

Below are a few examples of the documents most typically subject to the HIPAA retention requirements. Whether a covered entity or business associate is required to create or retain a given document depends on the nature of its business:

  1. Authorizations for the disclosure of PHI
  2. Business associate agreements
  3. Disaster recovery and contingency plans
  4. Information security and privacy policies
  5. Incident and breach notification documentation
  6. Complaint and resolution records
  7. IT security system reviews (including new procedures or technologies implemented)
  8. Logs recording access to and updating of PHI
  9. Physical security maintenance records
  10. Audits of IT security systems