HIPAA Compliance
As “covered entities” under the HIPAA Privacy Rule, orthodontists are required to safeguard all Protected Health Information (PHI). Under the law, PHI is defined as individually identifiable health information that relates to the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Keeping this information secure in the digital age can be quite challenging, especially with day-to-day communications to patients and between doctors. Fortunately, options like Google’s G Suite have made this easier while also allowing doctors to work with familiar web services like Gmail, Calendar, etc. By using G Suite Business, signing Google’s G Suite Business Associate Agreement (BAA) for covered entities, and adjusting your account settings according to Google’s straightforward HIPAA implementation guide, orthodontists can keep their communications compliant. Note that the BAA by itself does not make a practice compliant: it covers Google’s obligations as a business associate, while the configuration, user training and policies remain the practice’s responsibility.
G Suite offers all users access to ‘Core Services’ including Gmail, Calendar, Drive, Google Hangouts (chat messaging feature only), Hangouts Meet, Keep, Google Cloud Search, Sites, and Vault for use with PHI under the G Suite BAA as long as the health care organization configures those services to be HIPAA compliant as outlined in their implementation guide.
‘Non-Core Services’, and the Core Services Contacts, Groups, and Google+ (subject to change), are not covered for PHI under the BAA. G Suite administrators can choose to turn on these remaining Core Services, but it is then their responsibility to ensure that no PHI is stored or managed in them. Before switching on or using any third-party service connected with a core G Suite service (add-ons, marketplace apps, calendar or email integrations), you must verify that the integration is HIPAA compliant and, where it handles PHI, that its vendor will also sign a BAA.
Within your own G Suite domain, mail and documents stay on Google’s infrastructure and are encrypted in transit and at rest, so the harder question many doctors ask is how to handle emails containing PHI that leave the practice for mail servers you do not control, which may not support encryption. Gmail will use TLS when the receiving server offers it, but you cannot guarantee that for an arbitrary patient address. When emailing patients their own information directly, just as we all do with appointment reminders, ask whether they are comfortable receiving it by email and inform them that their email provider may not encrypt it; HHS guidance permits unencrypted email to a patient who has been told of the risk and still prefers it, so record that preference in the patient’s file.
If you are sending documents or written emails with PHI to other doctors to coordinate and communicate about patient care, use Google Drive so that the PHI stays within your G Suite environment (some practice management software and paid services offer the same ability, though I wouldn’t pay extra if you can just use G Suite). Not all doctors use encrypted mail servers, so it is better not to send any PHI in the body or subject of the email; instead, share access to a ‘Folder’ on Google Drive, where the recipient has to sign in to view the information. Do this by setting the folder’s share settings to ‘Specific people’ and entering the email address of the doctor to whom you want to provide access. Check that link sharing (‘Anyone with the link’) is off for that folder, grant ‘Can view’ rather than edit rights unless the other office needs to add records, and remove the doctor’s access when the referral is finished; the Drive audit log in the Admin console lets you review who has viewed or shared the folder.
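A practical way to verify that a PHI folder is shared the way described above is to audit its permission list rather than eyeballing the share dialog. The script below is an added example, not code from the original article or from Google; the permission records are shaped like the Drive API v3 `permissions.list` response (fields `type`, `role`, `emailAddress`, `domain`, `allowFileDiscovery`), but the sample data, the practice domain `example-ortho.com` and the allow list are constructed for illustration, and the severity policy is an assumption of this example.

```python
"""Audit Google Drive sharing on a folder intended for PHI.

Added example, not part of the original article. Permission dicts follow
the Drive API v3 Permission resource. The records below are constructed;
in practice you would fetch them with
service.permissions().list(fileId=FOLDER_ID,
    fields="permissions(type,role,emailAddress,domain,allowFileDiscovery)").
"""

PRACTICE_DOMAIN = "example-ortho.com"  # assumed: the practice's own G Suite domain

# Assumed: referring doctors who have been explicitly granted access.
ALLOWED_EXTERNAL = {"dr.smith@referring-dental.example"}

# Constructed sample: a folder the front desk shared with a referring doctor,
# but where link sharing and whole-domain sharing were also switched on.
SAMPLE_PERMISSIONS = [
    {"type": "user", "role": "owner", "emailAddress": "frontdesk@example-ortho.com"},
    {"type": "user", "role": "reader", "emailAddress": "dr.smith@referring-dental.example"},
    {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
    {"type": "domain", "role": "writer", "domain": "example-ortho.com"},
]

EDIT_ROLES = {"writer", "fileOrganizer", "organizer", "owner"}


def audit_permissions(permissions, allowed_external, practice_domain=PRACTICE_DOMAIN):
    """Return a list of (severity, message) findings for one folder.

    Policy (an assumption of this example, following the article's
    'Specific people' advice and the minimum-necessary principle):
      * 'anyone' grants (link sharing) are never acceptable for PHI -> high
      * 'domain' grants to a foreign domain -> high; to our own domain -> medium
      * 'group' grants hide the real recipient list -> medium, review membership
      * external users not on the allow list -> high
      * allow-listed external users with edit rights -> medium
    """
    findings = []
    for p in permissions:
        ptype, role = p.get("type"), p.get("role")
        if ptype == "anyone":
            scope = "discoverable by search" if p.get("allowFileDiscovery") else "anyone with the link"
            findings.append(("high", f"link sharing enabled as {role} ({scope})"))
        elif ptype == "domain":
            dom = (p.get("domain") or "").lower()
            sev = "medium" if dom == practice_domain else "high"
            findings.append((sev, f"shared with entire domain {dom} as {role}"))
        elif ptype == "group":
            findings.append(("medium", f"shared with group {p.get('emailAddress')} as {role}; verify membership"))
        elif ptype == "user":
            email = (p.get("emailAddress") or "").lower()
            if email.endswith("@" + practice_domain):
                continue  # internal staff; covered by the practice's own BAA configuration
            if email not in allowed_external:
                findings.append(("high", f"external user {email} not on allow list ({role})"))
            elif role in EDIT_ROLES:
                findings.append(("medium", f"external user {email} has edit rights ({role})"))
    return findings


def is_phi_safe(permissions, allowed_external, practice_domain=PRACTICE_DOMAIN):
    """True when the folder has no high-severity sharing findings."""
    return not any(sev == "high" for sev, _ in audit_permissions(permissions, allowed_external, practice_domain))


if __name__ == "__main__":
    for sev, msg in audit_permissions(SAMPLE_PERMISSIONS, ALLOWED_EXTERNAL):
        print(f"[{sev}] {msg}")
    print("PHI-safe:", is_phi_safe(SAMPLE_PERMISSIONS, ALLOWED_EXTERNAL))
```

Running it against the constructed sample flags the link-sharing grant as high and the whole-practice domain grant as medium, so the folder is reported as not PHI-safe until link sharing is turned off; the allow-listed referring doctor with view-only access produces no finding. The same function can be run over every folder in a shared drive to catch the common mistake of a staff member choosing ‘Anyone with the link’ for convenience.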
Jasmine Gorton says
Belated thank you for this article!
My tech geek husband agrees with you on this and has had me on Google Suite….