How to send a HIPAA compliant email

These days, it would be unthinkable to operate any kind of business without email or other forms of electronic communication. And it’s a pretty standard practice among businesses of all sizes to at least be aware of security issues such as phishing, address spoofing, viruses, and spyware. For businesses that deal with protected health information (PHI) however, there is an added layer of security required.

We’re talking about the Health Insurance Portability and Accountability Act, most commonly known as HIPAA. HIPAA sets the standard for protecting sensitive data. All businesses dealing with PHI are required to make sure that physical, network, and administrative security measures are in place and kept in compliance.

Included in these considerations is handling HIPAA compliant email.

What’s involved?

HIPAA requires that PHI is secure both when it’s being sent and when it’s not. The email must be protected by levels of unique usernames and passwords for PCs and servers, and secure encryption procedures each time the information is sent or received.

This means that it’s not recommended to use common, free internet-based email services. If you do use an internet-based email service, you must have a signed Business Associate Agreement (BAA) which confirms that administrative, physical, and technical safeguards are being maintained. The BAA will generally cover the host server responsibility, but you’re still required to protect every other part of the email or transmission chain.

Encryption, particularly for stored files, is also your responsibility. There are many options available for encrypting data on your own computers, and failure to take steps to use encryption could result in heavy fines.

How to keep email secure

What to consider when setting up secure email procedures

  • Many email servers will encrypt emails from sender to recipient. If the recipient is not a client of that server, they are given the option to securely connect to the server in order to receive the email.
  • Patient portals allow for secure storage of PHI and other communications. An email is sent to the recipient informing them of an incoming message. They can then log in and securely receive the message.
  • When setting up your own email accounts, use strong password protections and possible 2-factor authentication.
  • While email disclaimers and confidentiality statements aren’t a guaranteed protection for you, said disclaimers should clearly state that the information sent is considered PHI and should be treated as such. This is not a replacement for encryption or other security measures.

What about the patients?

HIPAA realizes that you have no control over the email clients and security patients may use. The regulation states that as long as you’re using secure email and encryption on your end, you are not responsible for what happens on the patient’s end of things. Well… there are a few conditions:

  • You must have a fully secure, alternate option for patients to receive information (such as a patient portal).
  • You must inform patients that their personal email clients may not be secured. If they still want the information, it’s all right to send it.
  • You must document the above conditions.

Protecting different types of emails

Not all emails are sent from a provider’s office to a patient. Emails sent between doctors located in different locations, and not sharing a secured network or email server must also use encryption. Likewise, doctors who email PHI from their home computers to their work accounts must use encryption to avoid HIPAA violation. While in-office emails using the same secured email server don’t have to worry about additional encryption, remote access situations must follow encryption procedures.

In conclusion

Don’t become overwhelmed by the many requirements for sending a HIPAA compliant email. Consider working with a managed IT services provider experienced in HIPAA compliance and technology.

HIPAA Security Rule: Your guide to physical safeguards

More than 1 million patients and health plan members had confidential information exposed in the first quarter of 2018 — twice the number of people impacted by data breaches in the fourth quarter of 2017. As cybercrime becomes a bigger concern in the healthcare sector, more medical professionals are cranking up their security credentials in order to safeguard valuable patient data.

HIPAA physical safeguards are a series of security standards that help you protect valuable information in your healthcare organization.

“Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion,” says the Department of Health and Human Services.

Here’s everything you need to know about HIPAA physical safeguards.

1. Improve facility access controls

HIPAA lays down four facility access control specifications that improve physical security in your medical organization.

Contingency operations

You need to have a proper contingency plan in the event of a natural disaster or emergency. This will help you protect patient information and prevent data loss. Storing your data in the cloud instead of on a hard drive, for example, is one way to improve security. The result? In the event of an emergency, you will still be able to access confidential data from another device.

Facility security plan

You also need to ensure that you have physical access controls in place. This prevents unauthorized persons from accessing sensitive data and lets you control which members of staff view certain information. The latest physical access controls — smart lock systems, fingerprint sensors, swipe cards, etc. — will safeguard all the data you keep in your medical organization.

Validation procedures

Assigning different roles and functions to members of staff is another way you can protect information from ending up in the wrong place. Proper validation procedures will ensure the right people access the right information at the right time.

Maintenance records

HIPAA physical safeguards state that you must keep records of any external services you use. You will also need to keep notes about any physical modifications you make to your medical organization, such as replacing doors and locks.

2. Optimize device and media controls

As a healthcare provider, you will need to create a series of security procedures that safeguard the devices you use in your organization — desktops, laptops, smartphones, memory cards, hard drives, etc. HIPAA specifies that you dispose of unwanted devices in a safe and secure way and erase data you no longer need. You will also need to erase protected health information (PHI) from your devices if you want to re-use them.

You should also invest in a data recovery strategy, where you will be able to access healthcare information if your systems go down or malfunction.

3. Monitor workstation use

Negligent employees are the number one cause of cybersecurity breaches, according to a recent study. That’s why it’s so important to monitor staff who use IT infrastructure to collect and access PHI.

HIPAA physical safeguards stipulate that you limit workstation use to authorized users and implement security procedures to protect confidential patient information. If you don’t, you could expose sensitive data to the wrong people.

Final thoughts

If you run a medical organization, adhering to HIPAA physical safeguards is imperative. Failing to take the proper safety precautions could result in expensive fines from the government and jeopardize patient trust. Follow the tips above in order to stay HIPAA compliant.

Want to keep reading about the Security Rule? Check out the following articles:

HIPAA Security Rule: Your Guide to Administrative Safeguards

3 steps to HIPAA security rule compliance for your business

HIPAA security rule: Your guide to technical safeguards

HIPAA security rule: Your guide to technical safeguards

Healthcare data breaches are becoming increasingly common. There were more than 477 incidents in 2017 — up from 450 in 2016. If you run a medical organization, incorporating a comprehensive data security policy into your business is imperative. Otherwise, you could expose confidential patient data to cybercriminals and receive expensive fines from the government.

HIPAA technical safeguards are a series of security standards that protect patient data. But what are they? And how can they protect your patients? Read on to find out.

1. Improve your access control requirements

HIPAA technical safeguards state that you should incorporate access control requirements into your data security policy. This way, you can find out who is accessing your health data and from where — and understand the ramifications if the wrong person obtains sensitive patient information.

The HIPAA access control technical safeguard standard has four implementation specifications:

  • Unique user identification: Users who have access to patient data should have a unique name or tracking number.
  • Emergency access procedure: You need to implement rules for users who access patient data in an emergency.
  • Automatic logoff: You should activate an automatic logoff on your computer systems after a period of inactivity.
  • Encryption and decryption: You should encrypt and decrypt confidential patient data where necessary.

“For compliance with this technical safeguard standard, a covered entity is required to implement technical policies and procedures for electronic information systems that maintain electronic protected health information, allowing access only to those persons or software programs that have been granted access rights,” says HIPAA.

2. Improve the integrity of patient information

This HIPAA technical safeguard preserves the integrity of patient information. In short, you will need to protect data from “improper alteration or destruction.”

“A covered entity must ensure that its electronic protected health information, as well as other critical electronic business information, has not been altered or destroyed without its knowledge and approval,” says HIPAA.

You can do this by implementing access controls and storing data in a secure virtual space. Alternatively, a managed service provider can customize a security solution that improves threat management and network monitoring in your healthcare organization. Click here to find out more.

Related Content: HIPAA compliance in the cloud? 3 things you need to know.

3. Enhance secure data transmission

The HIPAA transmission security technical safeguard standard protects patient information over electronic communication networks.

“In simplest terms, a covered entity must safeguard its electronic networks to ensure the availability and integrity of its electronic protected health information,” notes HIPAA.

Just like the access control technical safeguard, you need to prevent unauthorized access to the health data stored on your computer systems. You can do this with an effective password management system.

Related Content: 3 healthcare technologies that will revolutionize the patient experience

4. Verify the people who use your computer systems

This HIPAA technical safeguard specifies that you verify a person or entity who has access to health information on your computer systems. Using the latest software can help you achieve this. Some programs have multiple levels of security to check a user’s credentials before they access sensitive data.

“This standard requires more than just password management and includes maintaining audit trails so that the covered entity can authenticate who or what entity is creating, reading, altering, destroying, or transmitting electronic protected health information,” says HIPAA.

Are you HIPAA compliant? If you’re not, you could face expensive fines and lose the trust of your patients. Follow the four tips on this list and adhere to HIPAA’s series of technical safeguards.

Want to keep reading? Check out the following articles:

HIPAA Security Rule: Your Guide to Administrative Safeguards

3 steps to HIPAA security rule compliance for your business

HIPAA Security Rule: Your Guide to Administrative Safeguards

A healthcare data breach could have massive ramifications for your medical organization and result in expensive fines from the government. That’s why it’s crucial you adhere to HIPAA administrative safeguards — a set of security standards that protect your patients’ health information.

Healthcare data breaches have impacted 26 percent of consumers in the United States, according to research. Administrative safeguards, however, reduce the risk of unauthorized persons accessing valuable patient information. Here are three things you need to keep in mind.

1. Improve your data security

HIPAA has laid down a number of administrative safeguards for security management — procedures that improve the safety of your IT networks and systems. Taking the following precautions will improve the security of the data you collect and store in your medical organization.

  • Use anti-virus software to safeguard your IT systems. These programs minimize the risk of hackers stealing valuable patient information. Make sure your software is up to date and you download and install the latest security updates and patches.
  • Train your staff to use your IT systems properly. Human error makes up 52 percent of all security breaches, according to one study. Proper training will reduce the number of mistakes your employees make when collecting and storing data.
  • Update legacy programs with the latest software. Some software developers no longer create security patches for old programs, and hackers could exploit these security vulnerabilities.

2. Have a contingency plan — just in case

HIPAA recommends that you have a contingency plan in the event of a data breach. This will reduce the amount of downtime you experience if hackers access your IT systems and steal patient information. It’s a good idea to keep your data in the cloud. You will be able to obtain information from another location in an emergency.

“Your business data is your most valuable asset. If it was stolen or destroyed, would your business be able to quickly get up and running again or even carry on at all?” says The Balance Small Business. “Data protection is one of many advantages of switching your business to cloud computing.”

3. Enhance your identity management processes

Make sure the right people access your data at the right time. Otherwise, you could jeopardize confidential patient information. TechTarget describes identity and access management as “the framework for business processes that facilitates the management of electronic or digital identities.” In other words, you need to monitor employees who use your IT systems and networks. Why is this so important? One study suggests that insider threats make up 75 percent of all data security incidents.

Enhancing your identity management processes is easier than it sounds. You can set up password controls for staff who use your systems and track your employees with identity management software.

“Policies that limit access, combined with employee education, are also important,” says Security Intelligence. “Maybe once more organizations get a sense of how insider threats hit the bottom line, they’ll invest more in preventing these security incidents from happening.”

HIPAA takes healthcare security seriously, and you should too. Improving your data security, devising a contingency plan and enhancing your identity management processes will protect sensitive patient information and reduce the risk of a data security breach.

Want to keep reading? Check out 3 healthcare technologies that will revolutionize the patient experience.