I have just quit my job at a chiropractor’s office. My boss asked me to send him the password to my email. This email is one that I set up because it was too difficult to sort out work email from personal. I set it up and it is attached to my personal info. Is it best if I delete the account? There are emails from patients and I don’t want/need to have patient information available to me.
If HIPAA affects a chiropractor practice, you could be in trouble with this. Under the new HITECH Law, individuals can face fines and possible jail time for breaching confidentiality. How on earth did you set up your own work email that isn’t controlled and administered by your employer? And to set it up attached to your own personal email? Wow. Not smart.
Thank you. I agree. Do you suggest I delete this account?
And yes, of course HIPAA applies to chiropractic offices.
It appears I made a mistake and would appreciate any real advice.
If the account wasn’t provided by your employer, you are essentially within your rights to do whatever you like with it. I would forward any work-related e-mail to your employer and delete it.
I appreciate the advice. I have done just that.
The problem isn’t the email account, but the protected PHI it contains.
OP, you say “of course” HIPAA applies to the chiropractor’s practice. That being the case, I’m surprised that they didn’t have in place a more secure set-up. Even if it’s just a small shop, the email should have been set up and controlled by the business.
If your email isn’t encrypted, and I would bet it’s not, it is not HIPAA compliant. You opened yourself up to a huge personal liability. As I understand the laws, they can and do go after individuals. No way in hell I would use a personal email for medical purposes.
I would still appreciate any real advice. Thanks
What do you mean by real advice? You’ve been getting real advice.
If you mean legal advice, you’re probably out of luck here. We have lots of lawyers who are posters, but they don’t, as a rule, dispense official legal advice to random anonymous people on the internet.
Thanks for the clarification silophant
I’m not - small chiropractor’s office - especially if they are starting out or if the chiropractor is older - IT isn’t going to be a big priority.
My dentist is still using paper calendars for scheduling. It’s an older practice, I don’t think it’s a really lucrative one, and scheduling software hasn’t been a priority - they don’t HAVE email. You call them. No web presence.
Exactly. Encryption is good practice, not a requirement.
Encryption of data either at rest or in motion is listed as Addressable in the HIPAA Privacy rule. So, no, it’s not required but a covered entity is supposed to perform a risk assessment and if it’s reasonable and appropriate to implement the protocol, they are supposed to do so or implement an alternative protocol that is equivalent and if they choose not to implement the standard then they need to have their rationale for skipping it written down in case of an OCR audit.
Since the OP is deleting the account, it won’t be her problem anymore. In any event, while it contains “emails from patients” it doesn’t necessarily contain any PHI. It might just be appointment requests and such.
I make no claims as to what the OP should or should not do.
My advice – and I don’t know anything about HIPAA requirements – is to try and make sure your (now former) boss sets up a good e-mail account for the office (not his personal e-mail), forward all work-related e-mails from the old account to the new office e-mail, set up a new personal account for yourself and forward all personal e-mails to that account. Then delete all the work e-mails from the old mixed account, and set up an auto-reply from the old mixed account, saying “This e-mail account is no longer being read. If you want to contact <Chiropractor>, please e-mail <new work account>; if you want to contact huitzilopochtli, e-mail <new personal account>.”
After six months or a year, delete the old account.
That’s my advice, anyway.
If you do that, I’d worry that patients will still email huitzilopochtli at the new personal email account. Besides, I wouldn’t want to give patients my personal email address. Personally, I’d just delete the account and new emails to it will bounce. Patients will be forced to find a new way to contact the office.