These days, it would be unthinkable to operate any kind of business without email or other forms of electronic communication. And it’s a pretty standard practice among businesses of all sizes to at least be aware of security issues such as phishing, address spoofing, viruses, and spyware. For businesses that deal with protected health information (PHI) however, there is an added layer of security required.
We’re talking about the Health Insurance Portability and Accountability Act, most commonly known as HIPAA. HIPAA sets the standard for protecting sensitive data. All businesses dealing with PHI are required to make sure that physical, network, and administrative security measures are in place and kept in compliance.
Included in these considerations is handling HIPAA compliant email.
HIPAA requires that PHI is secure both when it’s being sent and when it’s not. The email must be protected by levels of unique usernames and passwords for PCs and servers, and secure encryption procedures each time the information is sent or received.
This means that it’s not recommended to use common, free internet-based email services. If you do use an internet-based email service, you must have a signed Business Associate Agreement (BAA) which confirms that administrative, physical, and technical safeguards are being maintained. The BAA will generally cover the host server responsibility, but you’re still required to protect every other part of the email or transmission chain.
Encryption, particularly for stored files, is also your responsibility. There are many options available for encrypting data on your own computers, and failure to take steps to use encryption could result in heavy fines.
How to keep email secure
What to consider when setting up secure email procedures
- Many email servers will encrypt emails from sender to recipient. If the recipient is not a client of that server, they are given the option to securely connect to the server in order to receive the email.
- Patient portals allow for secure storage of PHI and other communications. An email is sent to the recipient informing them of an incoming message. They can then log in and securely receive the message.
- When setting up your own email accounts, use strong password protections and possible 2-factor authentication.
- While email disclaimers and confidentiality statements aren’t a guaranteed protection for you, said disclaimers should clearly state that the information sent is considered PHI and should be treated as such. This is not a replacement for encryption or other security measures.
What about the patients?
HIPAA realizes that you have no control over the email clients and security patients may use. The regulation states that as long as you’re using secure email and encryption on your end, you are not responsible for what happens on the patient’s end of things. Well… there are a few conditions:
- You must have a fully secure, alternate option for patients to receive information (such as a patient portal).
- You must inform patients that their personal email clients may not be secured. If they still want the information, it’s all right to send it.
- You must document the above conditions.
Protecting different types of emails
Not all emails are sent from a provider’s office to a patient. Emails sent between doctors located in different locations, and not sharing a secured network or email server must also use encryption. Likewise, doctors who email PHI from their home computers to their work accounts must use encryption to avoid HIPAA violation. While in-office emails using the same secured email server don’t have to worry about additional encryption, remote access situations must follow encryption procedures.
Don’t become overwhelmed by the many requirements for sending a HIPAA compliant email. Consider working with a managed IT services provider experienced in HIPAA compliance and technology.