August 25th, 2014

5 Things Everyone with HIPAA Email Should be Doing

Ok — So you have “HIPAA Compliant Email” because you just signed up with a company that says they handle that.  One thing checked off of your “to do” list and on to the next.

Well, not so fast.

HIPAA is a complex beast, as you are probably already aware.  Just signing up for a service that claims to be HIPAA compliant does not mean that you are done.  You may need to:

  1. Learn nuances of what you can and can’t do in order to remain compliant
  2. Train yourself and your staff on these nuances
  3. Make sure that you have purchased all of the things needed by your organization for your particular compliance goals
  4. Ensure that you have set things up properly with your systems and at your new vendor

Here are some of the top things that everyone who has HIPAA-compliant email really should be doing:

1. Getting that Business Associate Agreement

If you really have HIPAA-compliant services with your new vendor, then they will be willing to sign a HIPAA Business Associate Agreement with you.  Be sure that they do that and get your copy of it for your records.  This agreement is required under HIPAA, so you better have it on file.

2. Ensuring that you have Email Encryption

Just because your email is HIPAA-compliant, does not necessarily mean that email that you send to others will be secure or compliant.  Ya… surprise!

At LuxSci, all sent email in a HIPAA-compliant account will be secure no matter what … unless you take steps to opt certain email messages out of encryption.  E.g., you can’t make a mistake — you have to intentionally send insecure messages.  However, at many or most other email vendors, the opposite is the case.  For example:

  • Google Apps offers HIPAA compliance, but they do not include email encryption with the service by default.  So, unless you notice this and spend a lot of extra money for this service, all messages sent will not be compliant (e.g. only the messages sitting in your account are).  That is not very useful.
  • At most places, messages are sent insecurely / out of compliance, unless you explicitly enter some text in the subject or body to enable encryption.  If this is the case, be very careful, as it is very easy to send ePHI insecurely by accident in violation of HIPAA … and each such incident could be considered a breach.  See: Opt-in email encryption is too risky for HIPAA Omnibus.

So, in short, it is imperative that you understand when your email messages will be encrypted and when they will not, so that you can train yourself and your co-workers to do the right thing all of the time.  The fewer choices your staff have when something is to be encrypted, the less chance of an accidental breach.

3. Don’t Neglect Email Archival

Email archival keeps non-editable, non-deletable copies of all inbound and outbound email messages to/from your organization for a period or time (e.g. 10 years).  This is a good thing to have no matter what your business is.  When you get into a tangle with a customer or vendor about exactly what someone said several years ago, it’s really great if you can pull up a copy of every email ever exchanged.  If you have neglected archival, you are simply hoping that you don’t lose anything.  Also, as email in your folder can be modified and email in archives cannot, the legitimacy of copies that you have merely saved can be questioned.

Under HIPAA, archival is even more important.  One could argue that it is in fact required as its use provides many things needed for HIPAA:

  1. Emergency access to sent and received ePHI email
  2. Backups of sent and received ePHI email
  3. Records of disclosures of ePHI over email
  4. Automatic documentation of requests, complaints, and other things HIPAA-related that transpire over email

Most HIPAA email providers have the option for you to archive your email; this is not always included by default as it increases the cost of the service and it is “up to you” if you wish to incur that cost or meet your HIPAA requirements for record keeping in some other way.

4. Performing your Yearly HIPAA Security Review

Everyone that falls under HIPAA Compliance must perform yearly security reviews of their internal systems, their policies, and the flow of their ePHI into and out of their network, among other things.  Failure to perform this review takes you out of compliance.  Performing the review properly allows you to identify weaknesses in your organization, systems, or methods that you can address and resolve before they result in breaches.

For example, recently 4.5 Million patient records were stolen from Community Health Systems due to their systems being out of date in terms of security patches.  A good HIPAA Security Review would identify such things in your network so you can fix them soon (of course, being aware of and implementing security fixes for issues that arise over the year is a also a constant responsibility of your business … neglecting it will lead to trouble as it did for Community Health Systems).

If you have not done your review, do it right away.  If you do not have the expertise on staff to do it, there are many organizations out there that specialize in performing these reviews.  E.g. Security Compliance Associates.

If your internal systems are up to date and secure, your network is secure, your policies are laid out, and your staff is trained, then your HIPAA-compliant email will automatically be that much more secure, no matter what vendor you are using.

5. Training Your Staff

HIPAA Training could be one of the more neglected of the HIPAA requirements.  I’m not saying that organizations do not do it … they usually do.  Typically we see that they have had their staff watch some online video or slide show and answer a few questions and call it a day.  That does provide some benefit and awareness, true, and is important as a general first step.

However, as every organization’s technological footprint is different, the training needs to also be specific to how to do things right in the context of your organization.  E.g.

  1. Where can ePHI be located and where can it not?
  2. What are the permitted ways to communicate ePHI … to other vendors?  to patients?
  3. What activities are permitted on terminals (e.g. laptops and desktops)?
  4. How does one send an email securely (or insecurely)?
  5. What exactly is PHI with respect to your organization?  Giving a lot of specific examples helps make the context real.
  6. What is a disclosure and a breach?
  7. What does one do if there is a suspected breach?
  8. What hardware can be taken home and what can not?
  9. What things must be encrypted and who is in charge of ensuring that they are?
  10. Who do you go to for questions?

These are just some of the most obvious HIPAA training items that may have specific answers unique to your organization.  Ensuring that your staff is up to speed on how HIPAA impacts the ePHI flowing through and stored on your particular systems, is crucial to protecting that data.

Also, as you may surmise, as your systems, vendors, and policies change over time … your staff will need to be re-trained on the new systems, as well as on intervening changes in HIPAA.

A well trained staff is one of your best protections against a HIPAA breach.

Leave a Comment

You must be connected or logged in to post a comment. This is to reduce spam comments.

If you have not previously commented, you can connect using existing social media account, or register with a new username and password.