Answer Generic name in front of domain name for an employee email

Messages
6
Location
Southaven, Mississippi
Best answers
0
My CFO thinks that using a generic name in front of our secure domain for an employee email is a HIPAA violation . I told him i have not found that information anywhere . I also told him only time it would be HIPAA violation is if and when ePHI was used by an employee or third party that was not suppose to have access to that patient info. Our marketing team was wanting an email set up as info@....... to communicate with patients and referring physicians. I also told him that any third party would need to sign a BAA and they would need to make sure any emails sent outside of our domain were secure emails , as well as authorization from the patient to use their information via email in patients chart . Can anyone tell me if i am right or give me a link to go to showing that the email setup for employees (marketing ) cannot be a generic name in front of the domain name ? i did read you should be more specific so the person reading the email knows who it is from , but do not see that it is NOT to be done with a generic name .
Thanks in advance
Angie Short
 

SharonCollachi

True Blue
Messages
683
Location
Clovis, CA
Best answers
3
I'm confused as to what your CFO thinks the actual HIPAA violation would consist of. Does he think it's a violation of the Marketing portion? There is nothing in the law about what an email address has to be. You don't have to use your own name when sending email. It can be OfficeManager@Whatever.com. HIPAA, for the most part, tells you what you need to do, not HOW you need to do it. From the Department of Health and Human Services:

Marketing
45 CFR 164.501, 164.508(a)(3)
Background
The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing. So as not to interfere with core health care functions, the Rule distinguishes marketing communications from those communications about goods and services that are essential for quality health care.

How the Rule Works
The Privacy Rule addresses the use and disclosure of protected health information for marketing purposes by:
  • Defining what is “marketing” under the Rule;
  • Excepting from that definition certain treatment or health care operations activities;
  • Requiring individual authorization for all uses or disclosures of protected health information for marketing purposes with limited exceptions.
What is “Marketing”?
The Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Generally, if the communication is “marketing,” then the communication can occur only if the covered entity first obtains an individual’s “authorization.” This definition of marketing has certain exceptions, as discussed below. Examples of “marketing” communications requiring prior authorization are:
  • A communication from a hospital informing former patients about a cardiac facility, that is not part of the hospital, that can provide a baseline EKG for $39, when the communication is not for the purpose of providing treatment advice.
  • A communication from a health insurer promoting a home and casualty insurance product offered by the same company.
What Else is “Marketing”?
Marketing also means: “An arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.” This part of the definition to marketing has no exceptions. The individual must authorize these marketing communications before they can occur. Simply put, a covered entity may not sell protected health information to a business associate or any other third party for that party’s own purposes. Moreover, covered entities may not sell lists of patients or enrollees to third parties without obtaining authorization from each person on the list. For example, it is “marketing” when:
  • A health plan sells a list of its members to a company that sells blood glucose monitors, which intends to send the plan’s members brochures on the benefits of purchasing and using the monitors.
  • A drug manufacturer receives a list of patients from a covered health care provider and provides remuneration, then uses that list to send discount coupons for a new anti-depressant medication directly to the patients.
What is NOT “Marketing”?
The Privacy Rule carves out exceptions to the definition of marketing under the following three categories:
(1) A communication is not “marketing” if it is made to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about:
  • The entities participating in a health care provider network or health plan network; < Replacement of, or enhancements to, a health plan; and
  • Health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits.
This exception to the marketing definition permits communications by a covered entity about its own products or services. For example, under this exception, it is not “marketing” when:
  • A hospital uses its patient list to announce the arrival of a new specialty group (e.g., orthopedic) or the acquisition of new equipment (e.g., x-ray machine or magnetic resonance image machine) through a general mailing or publication.
  • A health plan sends a mailing to subscribers approaching Medicare eligible age with materials describing its Medicare supplemental plan and an application form.
(2) A communication is not “marketing” if it is made for treatment of the individual. For example, under this exception, it is not “marketing” when:
  • A pharmacy or other health care provider mails prescription refill reminders to patients, or contracts with a mail house to do so.
  • A primary care physician refers an individual to a specialist for a follow-up test or provides free samples of a prescription drug to a patient.
(3) A communication is not “marketing” if it is made for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual. For example, under this exception, it is not “marketing” when:
  • An endocrinologist shares a patient’s medical record with several behavior management programs to determine which program best suits the ongoing needs of the individual patient.
  • A hospital social worker shares medical record information with various nursing homes in the course of recommending that the patient be transferred from a hospital bed to a nursing home.
For any of the three exceptions to the definition of marketing, the activity must otherwise be permissible under the Privacy Rule, and a covered entity may use a business associate to make the communication. As with any disclosure to a business associate, the covered entity must obtain the business associate’s agreement to use the protected health information only for the communication activities of the covered entity.

Marketing Authorizations and When Authorizations are NOT Necessary.
Except as discussed below, any communication that meets the definition of marketing is not permitted, unless the covered entity obtains an individual’s authorization. To determine what constitutes an acceptable “authorization,” see 45 CFR 164.508. If the marketing involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved. See 45 CFR 164.508(a)(3). A communication does not require an authorization, even if it is marketing, if it is in the form of a face-to-face communication made by a covered entity to an individual; or a promotional gift of nominal value provided by the covered entity. For example, no prior authorization is necessary when:
  • A hospital provides a free package of formula and other baby products to new mothers as they leave the maternity ward.
  • An insurance agent sells a health insurance policy in person to a customer and proceeds to also market a casualty and life insurance policy as well.
 
Messages
6
Location
Southaven, Mississippi
Best answers
0
Thank you so much for this detailed information . The information above is basically what i told him, i also sent him some reading material stating the same thing. This is alot more detailed i really appreciate you adding this . I think he was confused also , but he was determined it was a violation . i just recently recieved my CPCO so this is very new to me !!
Have a great day :)
 

thomas7331

True Blue
Messages
2,657
Best answers
7
Just a word of caution here - keep in mind that HIPAA laws fall into two categories: privacy rules and security rules. The types of HIPAA violations you've mentioned here pertain to privacy rules, but digital communications must also conform to security standards under the HIPAA laws, and an email system could be in violation even if there was no privacy breach. Your CFO may be referring to the security rules involved in setting up particular kinds of domains for communication of PHI. This is something of a subspecialty of compliance that is usually handled by an IT department since it requires a knowledge of digital communication technologies.

I recommend you involve someone with a knowledge of this technical side of the business as it's somewhat outside the scope of the issues involved coding and billing compliance. For something as critical as this, it's best to get a specialist involved hands-on and not rely on forum answers or internet searches to make your decisions.
 
Last edited:

SharonCollachi

True Blue
Messages
683
Location
Clovis, CA
Best answers
3
Just a word of caution here - keep in mind that HIPAA laws fall into two categories: privacy rules and security rules. The types of HIPAA violations you've mentioned here pertain to privacy rules, but digital communications must also conform to security standards under the HIPAA laws, and an email system could be in violation even if there was no privacy breach. Your CFO may be referring to the security rules involved in setting up particular kinds of domains for communication of PHI. This is something of a sub specialty of compliance that is usually handled by an IT department since it requires a knowledge of digital communication technologies.

I recommend you involve someone with a knowledge of this technical side of the business as it's somewhat outside the scope of the issues involved coding and billing compliance. For something as critical as this, it's best to get a specialist involved hands-on and not rely on forum answers or internet searches to make your decisions.
I don't know where you got that from the original question, it was only about what name you can put on an email, zero about a domain: My CFO thinks that using a generic name in front of our secure domain for an employee email is a HIPAA violation .

And frankly, not every office needs to hire a specialist to get a HIPAA-compliant email system. A hospital system, a large group, sure, there's much more involved there.
 
Messages
6
Location
Southaven, Mississippi
Best answers
0
Just a word of caution here - keep in mind that HIPAA laws fall into two categories: privacy rules and security rules. The types of HIPAA violations you've mentioned here pertain to privacy rules, but digital communications must also conform to security standards under the HIPAA laws, and an email system could be in violation even if there was no privacy breach. Your CFO may be referring to the security rules involved in setting up particular kinds of domains for communication of PHI. This is something of a subspecialty of compliance that is usually handled by an IT department since it requires a knowledge of digital communication technologies.

I recommend you involve someone with a knowledge of this technical side of the business as it's somewhat outside the scope of the issues involved coding and billing compliance. For something as critical as this, it's best to get a specialist involved hands-on and not rely on forum answers or internet searches to make your decisions.
[/QUOT


The domain will be the company domain that is secure that our IT did set up . I was only referring to the (name) given for the email (generic) for instance marketing@.....
 
Top