Your Guide to HIPAA-Compliant Email
Questions surrounding HIPAA-compliant email and how to email safely are pervasive. As the healthcare sector becomes more technologically savvy, both patients and medical staff are becoming comfortable with conferring over email. Patients are looking to receive their health information quickly and directly to their email inboxes, which they can then access from anywhere. There’s also a huge time-saving benefit to emailing a physician to ask about a medication prescription refill, or to email a doctor’s office to inquire about an appointment. Likewise, staff rely on email systems amongst themselves to exchange patient information or to simply communicate. There are even some insurance companies that are recognizing and covering online consultations as “telemedicine.” It’s all a part of keeping healthcare more convenient and effective for everyone.
However, as convenient as email may be, it raises a number of red flags when it comes to HIPAA-compliance. Before you engage in healthcare-focused emails from patient to healthcare clinic or vice versa, find out how to ensure your email correspondence remains HIPAA-compliant.
HIPAA-Compliant Email Requirements
HIPAA compliance for email applies to all Protected Health Information (PHI), defined as health-related information of an identifiable individual. Electronic Protected Health Information, or ePHI, is PHI that’s transmitted by electronic channels (e.g. the Internet) or maintained in any electronic medium (e.g. on your laptop). ePHI requires high security systems in order to protect electronically transmitted information internally and with third parties (e.g. your email provider). These regulations are in place to maintain HIPAA’s high privacy standards; they protect the healthcare information of all citizens while keeping confidentiality between doctor and patient.
It’s the legal responsibility of healthcare providers to ensure that their patients’ ePHI is secure. That means taking extra steps, installing strong email security, running regular audits, and so on, to prevent a confidentiality breach, whether unintentional (the accidental viewing of an email, for example) or malicious (such as a data hack).
There are two terms that HIPAA uses in regards to the standards that must be considered with respect to ePHI and email: required and addressable. Required means that complying with the given standard is mandatory. Addressable, which does not mean “optional,” means that the given standard must be implemented by the organization unless assessments and an in-depth risk analysis conclude that implementation is not reasonable and/or appropriate specific to a given business setting. There is a certain modicum of flexibility with addressable standards; however, there needs to be careful analysis and multiple checks to ensure that any technology implementation is and remains HIPAA-compliant.
The General Rules of the Security Standards govern the responsibilities surrounding the selection and implementation technology to address HIPAA. They allow companies the freedom to use whatever technological systems they may choose, so long as (a) these meet the standards for protecting ePHI and (b) a HIPAA Business Associate Agreement contract is established with the vendor if the technological system is outsourced. The standards range from organizational (the specific functions an organization must perform, including the development, documentation and implementation of policies and procedures) and administrative (personnel training and staff management), to physical security (workstations, building access, data storage) and the technical (audits, data checks, user authentication). See the HIPAA Checklist: What you need to do.
Things to Watch Out For
Anyone who’s worked with email for a while, or anything digital for that matter, knows at least something about keeping an email account secure. From not clicking on suspicious links, to deleting strange emails rather than directly replying, there are plenty of ways to keep your email safeguarded. However, extra preventative measures come into play when emailing healthcare information.
Here are a few threats to look out for when it comes to passing around ePHI:
- Eavesdropping: It may not be the most sophisticated way of obtaining information, but individuals who are “near” the path your email takes through the Internet, or who have access to the servers that it flows through, can potentially read and copy your messages. The same goes for a physical risk; be sure not to access any emails with confidential information in crowded public places where people could be “looking over your shoulder.”
- Identity theft: If your email username and password are easy to guess, you are be leaving yourself open to hackers who could access your inbox and its contents. From there, they could take over other accounts of yours at other service providers and generally impersonate your identity to the world. It’s important to change your password frequently, and ensure you’re not sharing your login information with anyone else (this includes recording it in any unprotected digital documents).
- Opt-in email encryption: This is a huge problem for healthcare providers who must be HIPAA compliant, because remembering to “opt in” to email encryption on a message-by-message basis when it is needed is too risky. If even a single message is sent without the opt-in encryption, it could lead to a breach of the HIPAA Omnibus rule and a penalty of $50,000.
Now that you have a sense of what it means for email to be HIPAA-compliant, it’s time to put that knowledge to the test. Having a high level of email security and solid encryption standards are only half the battle; it’s up to healthcare providers to be vigilant about what’s digitally traveling in and out of email accounts. It’s also the responsibility of companies and hospitals to ensure that the General Rules of the Security Standards are upheld, including educating staff, running regular audits on software, and keeping up with security checks on computer terminals and in buildings.
For an extra level of protection, consider what third-party experts and auditors can do to help your company become and remain HIPAA-compliant. LuxSci provides the leading software in HIPAA-compliant email, guaranteeing the privacy of all ePHI sent within your organization, as well as to patients and other appropriate outside recipients. We provide HIPAA-compliant communications services that can fill all of your technology needs from email hosting and marketing, to web hosting and web forms, to secure texting and chat and video conferencing.
HIPAA-compliant email requires a large amount of extra security and some training; however, the technology is affordable and easy to obtain making it easy to prevent information leaks and to keep malicious behavior out. You don’t want to risk breaching HIPAA for legal reasons, and for the confidentiality of your patients. It only takes one black mark to reduce trust in your healthcare company, so be sure to continue with checks, audits, and staff training so that all your HIPAA-practices remain up-to-date.
Find out more. Read our eBook: HIPAA-compliant email basics.