Below are answers to commonly asked questions about Business Associate Agreements and emailing patient information.
Business Associate Agreements
No. The HIPAA privacy regulations create a minimum standard for the protection of health information nation-wide. The regulations allow for the possibility that state law is more protective of a patient’s privacy or provides a patient greater access to protected health information. In these instances, state law may actually govern the use or disclosure of health information, not the HIPAA regulations. Thus, it is important for business associates to understand that use or disclosure of protected health information on behalf of UW Medicine must conform to both state and federal requirements.
Maybe. This is ultimately a business decision and your leadership should make this determination. Expanding the reporting period may impact UW Medicine’s ability to respond quickly in the case of a breach. The maximum time UW Medicine generally accepts is twenty days.
Maybe. UW Medicine must consider state law requirements and you should consult with UW Medicine Compliance to discuss the operational implications. Upon request for amendment of a medical record, state law provides that a health care provider must correct or amend the records within ten calendar days of receiving the request (RCW 70.02.100). If unusual circumstances exist, state law provides for a maximum of twenty-one days to respond. The HIPAA privacy regulations, in contrast, allow a health care provider sixty days to respond. This provision tends to be an area in which considerable energy in negotiation is expended. The most important question to address is whether the business associate holds medical records that would be the subject of an amendment request and whether they will be impacted by a short deadline.
Yes, the Business Associate Agreement may include any/all UW Medicine entities. The Business Associate Agreement must have signature lines for each entity included, be signed by an authorized person from each entity, and be maintained in accordance with entity-specific records retention rules.
No, the Business Associate must make PHI available in accordance with HIPAA and state laws governing access of individuals to PHI.
Yes, but the Business Associate must enter into a contract that meets the requirements of a business associate agreement or other arrangement with the subcontractor(s) to ensure that the same restrictions and conditions, including the implementation of reasonable and appropriate safeguards to protect the information that apply to the Business Associate, also apply to the subcontractor.
Yes, if an entity maintains PHI on behalf of the University of Washington or UW Medicine, it is a business associate even if the entity does not actually view the PHI.
When the Business Associate is a governmental entity, UW Medicine may enter into a Memorandum of Understanding to document the Business Associate’s privacy, security, and electronic exchange assurances. The Memorandum of Understanding must contain the required elements of a Business Associate Agreement.
If a violation of the Business Associate Agreement is suspected or discovered, the department manager or other individual who initiated the contract is required to report the violation to UW Medicine Compliance and request an investigation.
Emailing Patient Information
Yes. UW Medicine Compliance policies allow workforce members to communicate electronically with their patients provided they apply reasonable safeguards such as:
- Double checking the recipient email address to avoid unintentional disclosure; and
- Limiting the amount or type of protected health information
Patients have a right to request communication preferences such as text message or email and, when reasonable, workforce members should accommodate such requests. Workforce members may consider using Microsoft Outlook’s Encryption feature in the email’s Options tab when emailing protected health information. If this is not possible, the patient should be warned about the risks of unencrypted email or text messages, as described here: https://www.uwmedicine.org/about/policies-and-notices/email-risk.
Yes, so long as the following requirements are met:
- The email is encrypted, meaning one of the following applies:
  - The email is sent within UW Medicine (to other @uw.edu or @Valleymed.org email addresses);
  - The email is sent to one of our affiliates included on the UW Medicine Information Security Approved Domain List (for example, @fhcrc.org, @med.va.gov, @psbc.org, @seattlecca.org, or @seattlechildrens.org); or
  - The email is manually encrypted using email options; and
- The email contains the minimum amount of patient information necessary to meet the recipient’s needs.
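The recipient-domain rule above is the kind of check a mail gateway or send-time plugin can enforce automatically. The following Python is an added example, not UW Medicine code or policy tooling: it parses a To:/Cc: header, compares each recipient's domain against the domains named on this page, and fails closed (requires manual encryption) for any recipient that is off-list or unparseable. The domain set is only the examples the page lists; the authoritative list is the UW Medicine Information Security Approved Domain List, and the function names are the example's own.

```python
"""Decide whether an outbound email carrying PHI needs manual encryption,
based on whether every recipient domain is on the approved list.
Added example; the domain sets below are only the ones named on the page."""
import re
from email.utils import getaddresses

# Domains named on the page. The real list is maintained by UW Medicine
# Information Security; treat this as an illustration, not the source of truth.
INTERNAL_DOMAINS = {"uw.edu", "valleymed.org"}
AFFILIATE_DOMAINS = {
    "fhcrc.org", "med.va.gov", "psbc.org", "seattlecca.org", "seattlechildrens.org",
}
APPROVED_DOMAINS = INTERNAL_DOMAINS | AFFILIATE_DOMAINS

_DOMAIN_RE = re.compile(r"[a-z0-9.-]+")


def recipient_domain(address):
    """Return the normalized (lowercase, no trailing dot) domain of one
    address, or None if the address is malformed."""
    if address.count("@") != 1:
        return None
    local, domain = address.rsplit("@", 1)
    domain = domain.strip().lower().rstrip(".")
    if not local.strip() or not _DOMAIN_RE.fullmatch(domain):
        return None
    return domain


def is_approved(domain):
    """Exact match only. A suffix or substring match would let
    'uw.edu.attacker.example' or 'notuw.edu' pass, so subdomains that should
    count must be added to the list explicitly."""
    return domain in APPROVED_DOMAINS


def classify_recipients(header_value):
    """Parse a To:/Cc: header value (display names allowed) and bucket each
    address as approved, needs_encryption, or malformed."""
    approved, needs_encryption, malformed = [], [], []
    for _display_name, addr in getaddresses([header_value]):
        domain = recipient_domain(addr)
        if domain is None:
            malformed.append(addr)
        elif is_approved(domain):
            approved.append(addr)
        else:
            needs_encryption.append(addr)
    return approved, needs_encryption, malformed


def must_manually_encrypt(header_value):
    """True unless every recipient is on the approved list. Malformed
    addresses count as off-list so the check fails closed."""
    _approved, needs_encryption, malformed = classify_recipients(header_value)
    return bool(needs_encryption or malformed)


if __name__ == "__main__":
    # Constructed sample headers for a quick run.
    for hdr in (
        "Alice Example <alice@UW.EDU>, carol@seattlechildrens.org",
        "alice@uw.edu, bob@gmail.com",
        "Lookalike <someone@uw.edu.attacker.example>",
    ):
        print(must_manually_encrypt(hdr), "<-", hdr)
```

The check is deliberately an exact match on the whole domain rather than an "ends with" test; the minimum-necessary requirement on the content of the message is a judgment the sender still has to make and is not something this check can enforce.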
Yes, the IT personnel that support your department or clinical entity can assist you.
Yes, the following language should be included under your signature on any email sent to a patient:
“The above email may contain patient identifiable or confidential information. Because email is not secure, please be aware of associated risks of email transmission. If you are a patient, emailing a UW Medicine provider implies your agreement to email communication. For more information, see https://www.uwmedicine.org/about/policies-and-notices/email-risk.
The information is intended for the individual named above. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please notify the sender by reply email, and then destroy all copies of the message and any attachments. See our Notice of Privacy Practices at http://www.uwmedicine.org/about/privacy.”
Appointment Reminders and Other Types of Messages
Patient privacy laws allow health care entities to communicate with patients regarding their health care at their homes or other preferred locations. This includes leaving verbal messages for patients electronically (e.g. voice mail) or with individuals who may answer the phone (e.g. the patient’s family member). However, to reasonably safeguard the patient’s privacy, workforce members must take care to minimize the amount of PHI disclosed when leaving appointment reminders or other types of messages for patients. Outlined below are the best practices to use in these situations:
- When directed to voice messaging, provide your name, number, the UW Medicine entity from which you are calling and other information which is minimally necessary to confirm an appointment or request a return phone call.
- When you reach someone other than the patient at the patient’s contact number, use professional judgment to determine the minimum necessary information to disclose and ensure that the disclosure is in the best interest of the patient.
If you have any questions, contact us.