If you send bulk emails for marketing purposes, appointment reminders or any other business transactions, it’s easy to get complacent and think that there is no way that you could be violating HIPAA. Unfortunately, HIPAA laws are incredibly complex and there are a number of unexpected violations that you can make without even realizing it. Given just how costly and damaging HIPAA penalties can be, your organization can’t afford the risks.
HIPAA laws are designed to protect the privacy of individuals and they often play out in ways that aren’t immediately intuitive. They are further complicated because the lines between compliance and non-compliance aren’t always clear. Given the costs of a violation, it’s important that every healthcare provider and business associate errs on the safe side.
How Can Bulk Emails Violate HIPAA?
There are a variety of common situations where healthcare providers can unwittingly leak their patients’ information in a way that violates HIPAA. The following are two scenarios that are not just compliance issues, but would also have serious ramifications for the people affected:
Is a Harmless Newsletter Really Harmless?
Let’s say your healthcare organization wants to send out a newsletter to a certain subset of its patients. Surely something so innocent wouldn’t need to be encrypted, right? Unfortunately, this isn’t always the case.
If your company were to email some helpful resources on depression, you might not see any need to send it to all of your patients. You may decide that it’s best to only send it to those who have previously sought out treatment for mental health issues. After all, what can be wrong with sending information to those who are most likely to find it useful?
Such a simple situation could easily have far-reaching consequences. The email connects the patient to the health condition, and it could give away far more information than the patient would be comfortable with. The targeted nature of the email insinuates that the patient has a mental illness, one which is a personal struggle that still carries a strong stigma in our society.
If this information was sent in an insecure manner, it could be accessed by other people, which could take a dramatic toll on the patient’s life. If the patient were a high-powered CEO and the information leaked, it could be personally difficult and also cause stock prices to plummet. A celebrity could see themselves as the center of a scandal, another famous person being hounded by the paparazzi in the grips of a mental breakdown.
Even ordinary people can face a range of negative consequences, such as a patient’s spouse finding out about treatment the patient had kept private, or a business partner discovering the information and deciding not to move forward on the next project.
If your organization had sent out an email like this with the best intentions, it could still be culpable. These intentions don’t matter to the patient, especially if they have gone through a tough ordeal because of the email. In the eyes of HIPAA, the intentions don’t matter either. A violation is a violation.
An Appointment Reminder Can’t Hurt, Can It?
Let’s say a young woman from an extremely conservative background schedules an appointment with an OB-GYN. Under the laws of our society, she should have every right to see whichever kind of medical professional she needs. Her family and community may not see things the same way.
If the message weren’t sent in a secure way, it’s easy to imagine how the details of her appointment could be intercepted by those around her who disapprove. Perhaps they wouldn’t let her go. Maybe she would be shunned by her community or even worse.
No matter what the result, it is clear that there are some vulnerable people who have a strong need to have even their most subtle information protected. Sure, many of us may not care if such an appointment was made public, but that’s not the point. HIPAA laws are for everyone and need to be able to protect the most vulnerable as well.
What Do HIPAA Laws Actually Say?
The situations mentioned above are focused on the potential human cost of sending health information in an insecure manner. They demonstrate that HIPAA regulations aren’t just the result of a frustrating bureaucracy. Instead, they are important for protecting people.
Now that we’ve gotten that out of the way, we’ll look at the specifics of what the regulations say. This will help you to understand what does and does not constitute a violation, as well as the gray area that lies in between.
When it comes to bulk emailing, the main concern is over electronic Protected Health Information (ePHI). This information needs to be guarded by adequate security measures whenever it is acquired, processed, sent or stored.
In essence, ePHI is any electronic information that is individually identifiable and that pertains to someone’s physical or mental health, their healthcare and treatments, or any payment-related information. It doesn’t matter whether this data is from the past, present or future. As far as HIPAA laws are concerned, it’s all ePHI.
When HIPAA laws refer to “individually identifiable” information, there’s a long list of 18 separate identifiers, including a patient’s name, address, relevant dates, phone number, email address and much more. The final identifier is “any other characteristic that could uniquely identify the individual”, so pretty much anything that can be connected with a patient counts as individually identifiable information.
Of course, any email address that someone gives to their health provider is clearly an identifier. This means that any organization that processes HIPAA data needs to be extremely careful when sending unencrypted emails, making sure that they don’t include anything that could be related to the patient’s health.
Under HIPAA’s Privacy Rule, healthcare providers are allowed to use unencrypted email to communicate with their patients, but only when they take reasonable safeguards and limit the information that is disclosed. These communications should be in accordance with the HIPAA Security Rule, which can be viewed in the Regulation Text (p62).
According to the HIPAA Omnibus Final Rule (p70) the only situation where a healthcare provider can send a patient unencrypted ePHI is if the individual has been informed of the risk, but still chooses to have their information sent in an unencrypted manner. Healthcare providers will want to have this consent in writing so that they can maintain a permanent record as proof.
The HIPAA Privacy Rule also states that individuals must give written consent before their ePHI can be used for marketing. This means that messages about appointments or other transactional emails don’t typically need additional authorization, but messages which promote products or services which aren’t related to the patient’s core healthcare require consent.
What does all of this tell us? That a wide variety of information can be considered ePHI, and that there are many situations where it can be inadvertently sent. The penalties are enormous and can be incredibly damaging for the organization that is responsible, even if the violation was accidental.
What Are the Penalties for a HIPAA Breach?
It depends on just how negligent a healthcare provider’s actions have been. Penalties range from $100 to $50,000 per violation, or per record that has been exposed. That’s right: in cases where the violation has been especially negligent, an organization may have to pay $50,000 for each non-compliant email that was sent.
Secure Bulk Email: The Solution that Protects Your Organization & Your Patients
As you can see, it’s easy to slip up and inadvertently face severe HIPAA penalties. From sending marketing materials to test results or even appointment reminders, there are so many pitfalls where you could be violating HIPAA.
LuxSci’s High Volume Email Sending Service can help to remove this burden from your organization, by giving you a wide variety of security options. In both of the scenarios at the start of this article, our bulk email service could have protected the individuals from having their ePHI exposed, as well as the companies involved from suffering the harsh HIPAA penalties that could follow.
You may think that the majority of your bulk email doesn’t need to be encrypted, and you may even be right. But it’s those few exceptional circumstances which can see your business fall on the wrong side of HIPAA regulations. Our bulk email service helps to prevent this by allowing you to implement the security that is best for both your organization and your patients.
Alternative bulk email providers simply don’t offer the security that is necessary for dealing with information that is as sensitive as ePHI. Organizations that use a service which isn’t HIPAA-compliant may be inadvertently violating the regulations.
You may think that you can get around the need for encryption by simply asking your patients for consent. Sure, it’s possible in some cases, but it still requires a lot of administration. Your organization would need to ask for and obtain consent, then keep permanent records. This can be a complex process where there are numerous opportunities for things to go wrong.
The Benefits of LuxSci’s High Volume Email Sending Service
The standout feature of LuxSci’s bulk email service is that it offers HIPAA compliance for large-scale sending. No other company offers a comparable service, which makes LuxSci the go-to option for organizations that take their HIPAA obligations seriously.
On top of this, we offer a flexible setup that allows your business to send its emails in a manner that suits both your needs and those of your patients. Our TLS Exclusive option lets you send emails only to those recipients whose email system supports TLS. This can be a great option for marketing campaigns, especially if you don’t want your non-TLS recipients to be forced to click through to a secure Escrow Portal.
As an alternative, our Escrow service allows anyone to access secure email messages, without any complicated steps or security compromises. With our bulk email service, you can configure your messages dynamically, without the need to adjust your settings for every message.
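To make the rules above concrete, here is an added example (not LuxSci’s code, and not how the service is implemented) of a per-recipient delivery gate that combines the consent rules from the Privacy and Omnibus Rules with the TLS Exclusive / Escrow routing just described. The recipient records, the consent flags and the TLS capability of each receiving mail system are all constructed for the example; in practice the TLS capability would be learned from the receiving server and the consent flags from your own records.

```python
from dataclasses import dataclass
from enum import Enum


class Route(Enum):
    TLS = "deliver over TLS"
    ESCROW = "hold in escrow portal, send pickup notice"
    PLAIN = "deliver unencrypted (written consent on file)"
    SKIP = "do not send to this recipient"


@dataclass
class Recipient:
    email: str
    mx_supports_tls: bool            # constructed; normally learned from the receiving server
    marketing_consent: bool = False  # written authorization for marketing messages
    unencrypted_consent: bool = False  # informed, written choice to receive unencrypted ePHI


def route(r: Recipient, is_marketing: bool, tls_exclusive: bool) -> Route:
    """Decide how (or whether) one bulk message goes to one recipient."""
    # Marketing use of ePHI needs written authorization; transactional mail
    # (appointment reminders, billing) does not.
    if is_marketing and not r.marketing_consent:
        return Route.SKIP
    # Whenever the receiving system supports TLS, use it: no consent question arises.
    if r.mx_supports_tls:
        return Route.TLS
    # Receiving system cannot do TLS. In TLS Exclusive mode such recipients are
    # simply left out of the campaign.
    if tls_exclusive:
        return Route.SKIP
    # Otherwise the only lawful unencrypted path is the recipient's own documented
    # choice; without it, the message is held for pickup through the escrow portal.
    return Route.PLAIN if r.unencrypted_consent else Route.ESCROW


def plan(recipients, is_marketing: bool, tls_exclusive: bool) -> dict:
    """Map each recipient address to the delivery route chosen for it."""
    return {r.email: route(r, is_marketing, tls_exclusive) for r in recipients}


# Constructed sample recipients (not real addresses or people).
SAMPLE = [
    Recipient("a@example.org", mx_supports_tls=True, marketing_consent=True),
    Recipient("b@example.org", mx_supports_tls=False, marketing_consent=True),
    Recipient("c@example.org", mx_supports_tls=False, marketing_consent=True,
              unencrypted_consent=True),
    Recipient("d@example.org", mx_supports_tls=True, marketing_consent=False),
]

if __name__ == "__main__":
    for mode in (False, True):
        print("TLS Exclusive" if mode else "Escrow fallback", plan(SAMPLE, True, mode))
```

Run it as a script to see how the same four recipients are routed differently with the escrow fallback versus TLS Exclusive mode.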
Another key feature of LuxSci’s service is its scalability. As your email needs grow, we can support you along the way, with the capacity for up to hundreds of millions of emails each month. Our dedicated infrastructure installations offer high availability and disaster recovery, giving your organization everything it needs for enterprise-level bulk emailing.
This makes our High Volume Email Service an excellent solution for your business. Not only can it be used to bring your current bulk email practices in line with HIPAA regulations, but it can form a key part of your marketing campaigns, helping to grow your business well into the future.