HIPAA Blog

[ Friday, July 22, 2016 ]

No, No, No. No, @HealthPrivacy, you cannot draft regulations via guidance. This is just plain wrong. If a covered entity has, in the course of a reasonable risk analysis, determined that emailing of unencrypted PHI is not secure, then the covered entity is not required to email unencrypted PHI to individuals exercising their access rights. The regulations do not say that, and you can't change the regulations by issuing guidance. If the covered entity has no such policy, or if it allows unencrypted emailing in other situations, if it has the policy but doesn't follow it, or if the policy is unreasonable, then the covered entity may have to email PHI to the patient. The access regulations (which carry the force of law) say that, if the covered entity maintains the PHI electronically, then it must provide the PHI in electronic format; they do not say that the covered entity must provide the PHI via electronic transmission.

Follow the rules, OCR. You can certainly change the regulations. If this is important enough for guidance, it's important enough for a regulation. Propose a new rule revising 45 CFR 164.524, publish it, request/receive/review public comments, and finalize it. That is how it works. And don't try to enforce "guidance" as if it's a law or regulation. It's not.

Jeff [10:38 AM]

Comments: Post a Comment

http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template