You buy a HIPAA compliant web hosting infrastructure. You configure your web site to send out email messages in the simplest way, e.g. through PHP mail, or some other generic and standard mechanism. You think you are all set — but you are not.
HIPAA compliant web hosting services provide a server infrastructure that allows you to be compliant; however, it doesn’t make you compliant. Your web designers must make choices and program your site so that it properly respects ePHI. If they do not do all the appropriate things, you will be out of compliance. E.g. see: 7 steps to make your web site HIPAA-secure.
In particular, email messages sent in the “normal way” from a web site will go out insecurely in a way that will violate the HIPAA Security Rule if they contain ePHI of any kind. E.g. they will not be encrypted and will not be archived.
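As an added illustration (not code from the original post), the insecure default described above beside a wrapper that keeps ePHI out of the message body, refuses to send without TLS to an authenticated relay, and records every send; it assumes the PHPMailer library and a hypothetical relay `smtp.mailgateway.example` operated by a mail provider that handles archiving and at-rest protection.

```php
<?php
// Added example, not from the original post. Assumes PHPMailer
// (composer require phpmailer/phpmailer); the relay host is a placeholder.
require 'vendor/autoload.php';

use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

// INSECURE: the "normal way". Hands the message to the local MTA in plain
// text, keeps no record of what was sent, and puts ePHI in the body.
function notify_patient_insecure(string $to, string $apptDetails): bool
{
    return mail($to, 'Your appointment', "Details: $apptDetails");
}

// Safer pattern: the email carries only a pointer to the patient portal
// (no ePHI), must travel over STARTTLS to an authenticated relay, and an
// archive line is written for every delivery attempt.
function notify_patient(string $to, string $portalUrl, string $archiveLog): bool
{
    $mailer = new PHPMailer(true);            // true: throw on any failure
    $ok = false;
    try {
        $mailer->isSMTP();
        $mailer->Host       = 'smtp.mailgateway.example'; // placeholder relay
        $mailer->Port       = 587;
        $mailer->SMTPAuth   = true;
        $mailer->Username   = getenv('SMTP_USER');
        $mailer->Password   = getenv('SMTP_PASS');
        // With STARTTLS required, PHPMailer throws if the relay cannot
        // upgrade the session instead of silently falling back to plain text.
        $mailer->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;
        $mailer->setFrom('no-reply@clinic.example', 'Clinic');
        $mailer->addAddress($to);
        $mailer->Subject = 'A new message is waiting in your patient portal';
        $mailer->Body    = "Please sign in to read it: $portalUrl";
        $ok = $mailer->send();
    } catch (Exception $e) {
        $ok = false;                          // never retry via mail()
    }
    // Local archive record (the relay is assumed to keep the full copy).
    $entry = ['ts' => gmdate('c'), 'to' => $to, 'sent' => $ok,
              'subject' => $mailer->Subject];
    file_put_contents($archiveLog, json_encode($entry) . PHP_EOL,
                      FILE_APPEND | LOCK_EX);
    return $ok;
}
```

The point of the wrapper is that it can fail closed: a misconfigured or TLS-less relay results in no email rather than an unencrypted one, and the archive line shows what was attempted.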