How to email patient forms and stay HIPAA compliant.

Are you emailing your registration forms to your patients? If you are, the patient data in those messages travels over a channel you do not control: it can be read by the mail providers on both ends, by anyone with access to either mailbox, and by a complete stranger if the address is mistyped.

1 in 100 emails risk exposure to unintended third parties.

Congress passed HIPAA, the Health Insurance Portability and Accountability Act, in 1996. Its Privacy Rule limits how protected health information (PHI) may be used and disclosed, and its Security Rule requires covered entities to protect electronic PHI with administrative, physical, and technical safeguards. Sending PHI by ordinary email is hard to square with either rule.

In general, email is NOT secure

By default, the email your patients are using is not secure for PHI. Popular providers like Gmail, Yahoo, and Outlook encrypt the connection between the user and their own servers, and usually between servers as well, but that is not end-to-end encryption: the providers can read the message, server-to-server TLS is opportunistic and can be downgraded when either side does not enforce it, and the message then sits readable in the mailbox, on every device that syncs it, and in any backups or forwards. When a patient receives an email from you, you have no way of confirming who else has seen it. And if a patient emails a completed form back, they are sending all of their PHI over a channel you cannot vouch for.

Additionally, how do you ensure that you are sending an email to the correct email address? A patient's name, email address, or phone number in a message from your practice already identifies that person as your patient, and a completed form carries far more. If you send such an email to the wrong address, you have unintentionally disclosed PHI to a third party, and there is no way to recall a message once it has left your server. Address autocomplete in mail clients makes this mistake easy.

What is encryption?

Encryption is the process of transforming patient data, using a key, into ciphertext that is unreadable to anyone who intercepts it. Only a party holding the matching key can decrypt the ciphertext and make the data readable again. PHI needs this protection both in transit (while it moves between the patient's browser and your systems) and at rest (while it sits in storage).

A practical way to keep PHI encrypted in transit and at rest is to collect it through a HIPAA compliant online form, served over HTTPS and stored encrypted, rather than moving it back and forth as an email attachment.

HIPAA Compliant Online Forms

Not just any online form is secure. Many online form builders do not encrypt stored submissions, and fewer still are HIPAA compliant. If you plan to collect PHI through a form that you link from email, you need to make sure that the form your patients enter their sensitive information into has the physical, technical, and administrative safeguards the Security Rule requires. Because the form provider handles PHI on your behalf, HIPAA also requires you to have a business associate agreement (BAA) in place with them.

Emailing Your Online Form

Once you have a HIPAA compliant online form, you still need to send the form to your patient. When emailing patients, keep as little patient information in the email as possible. In particular, keep all PHI out of the subject line: subject lines are logged by mail servers, shown in notifications and inbox previews, and are typically not protected even when the message body itself is encrypted.

You can include the link to your online form directly in your email. If you are using a FormDr HIPAA compliant online form, you can also track each form's progress as your patients complete it. A form has four statuses:

  • Not opened – the form was successfully emailed to your patient, but the patient has not yet opened the form link.
  • Opened – when a patient has opened your form link, but they haven’t completed and submitted the form to you online.
  • Saved Progress – this is when a patient starts filling out your online form, but they may decide to finish at a later time. You can send automated and manual email reminders for your patients to complete your form.
  • Completed – when a patient successfully signs and submits your form online. The submitted data is encrypted and secured so that only you can access the completed form.
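The following is an added example, not FormDr's code, showing the pattern described above in working form: the email carries nothing but an unguessable, expiring link; the server stores only a hash of the link token; a pre-send check scans the subject and body for the patient's identifiers; and the four statuses are enforced as a small state machine. The base URL, the `/f/` path, the sample patient record, and all function names are constructed for illustration.

```python
"""Added example: PHI-free form invitation emails and status tracking.
Names, URLs and the sample patient below are constructed, not real data."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample patient record. Any of these values appearing in an
# outbound subject or body is PHI leaking over an unencrypted channel.
PATIENT = {
    "name": "Jane Example",
    "email": "jane@example.invalid",
    "phone": "(555) 010-0100",
    "dob": "1980-01-02",
}

# The four statuses from the text, and the transitions a form may take.
TRANSITIONS = {
    "not_opened": {"opened"},
    "opened": {"saved_progress", "completed"},
    "saved_progress": {"saved_progress", "completed"},
    "completed": set(),
}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class FormInvite:
    """Server-side record of one emailed link. Only the token's hash is kept,
    so a copy of the database does not yield working links."""
    token_hash: str
    expires: datetime
    status: str = "not_opened"

    def advance(self, new_status: str) -> str:
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"illegal transition {self.status} -> {new_status}")
        self.status = new_status
        return self.status


def create_invite(base_url: str, now: datetime = None, ttl_hours: int = 72):
    """Mint a link whose token is 256 bits from the OS CSPRNG. The link is the
    only credential the patient needs, so it must be unguessable and short-lived."""
    now = now or datetime.now(timezone.utc)
    token = secrets.token_urlsafe(32)
    invite = FormInvite(_digest(token), now + timedelta(hours=ttl_hours))
    return f"{base_url}/f/{token}", invite


def token_valid(invite: FormInvite, token: str, now: datetime = None) -> bool:
    """Validate a presented token: not expired, and hash matches in constant time."""
    now = now or datetime.now(timezone.utc)
    return now < invite.expires and hmac.compare_digest(_digest(token), invite.token_hash)


def phi_in_text(text: str, patient: dict) -> list:
    """Return the patient fields whose values appear in `text`. Phone numbers are
    compared digits-only so punctuation differences cannot hide a match."""
    found = []
    lowered = text.lower()
    text_digits = "".join(ch for ch in text if ch.isdigit())
    for field, value in patient.items():
        if field == "phone":
            if "".join(ch for ch in value if ch.isdigit()) in text_digits:
                found.append(field)
        elif value.lower() in lowered:
            found.append(field)
    return found


def compose_email(to: str, link: str) -> dict:
    """A PHI-free message: generic subject, no name, no visit details, just the link.
    The recipient address is unavoidable envelope data and is not repeated in the body."""
    return {
        "to": to,
        "subject": "Your forms are ready to complete",
        "body": ("Please complete your forms at the secure link below. "
                 f"The link expires in 72 hours.\n\n{link}\n"),
    }


def phi_leaks(message: dict, patient: dict) -> list:
    """Pre-send gate: the fields that would leak; an empty list means safe to send."""
    return phi_in_text(message["subject"] + "\n" + message["body"], patient)


if __name__ == "__main__":
    link, invite = create_invite("https://forms.example.invalid")
    msg = compose_email(PATIENT["email"], link)
    print("leaked fields:", phi_leaks(msg, PATIENT))
    print("status:", invite.advance("opened"), "->", invite.advance("completed"))
```

The same `phi_in_text` check is worth running on reminder emails too, since it is the reminders, written in a hurry, that tend to pick up a first name or an appointment date.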

Recap

Emailing a PDF or Word document to a patient and asking them to print it, fill it out, and email it back is not secure. You are risking the exposure of your patients' data by sending PHI over an unencrypted channel.

Setting up a HIPAA compliant online form, and emailing patients nothing more than a link to it, is a far more secure way of ensuring that your patient data stays encrypted in transit and at rest.

Still asking your patients or clients to fill out a PDF and send it back? Streamline and secure your new patient forms with FormDr. Set up your first form for free.