Email has become one of the most widely used forms of communications worldwide. Its ease of use and ability to send large files has allowed it to be integrated into nearly every type of business. In fact, in some sectors, it has replaced the fax machine. However, due to its ease of use, email also presents challenges for the small practice. HIPAA regulations have very specific guidelines on using email when handling protected health information (PHI). This is often one of the areas that go unnoticed in practices and can cause very damaging HIPAA infractions. Email is acceptable for sending PHI as long as the practice is using HIPAA compliant email. Read on to find out what you need to do to ensure your practice isn’t unknowingly running afoul of HIPAA rules.
What is HIPAA compliant email?
The HIPAA Security Rule has very specific guidelines for how email can be used and be compliant.
” The Security Rule does not expressly prohibit the use of email for sending ePHI. However, the standards for access control, integrity and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to ePHI.”
What this means that it is perfectly acceptable to send an email containing PHI as long as the data is secured. You must also assure that only the intended recipient can read the contents.
Lastly, whichever service you choose to use, you must have a Business Associate Agreement in place with this company to achieve compliance.
Digging a little deeper…
Many people think of email like a letter making its way through the postal system. However, email is more like a postcard. It offers no privacy or protection as it goes through the internet. An email message will make many stops as it goes from the sender to the receiver. At each of these stops, it can be copied and stored. This means that the owners of those servers can read any email message that passes through their servers.
This is why encryption is so important. Encryption makes the email unreadable to anyone other than the sender and the receiver. This protects the content of the email. It surrounds your postcard with an armored layer that cannot be opened without the password.
Ok, now for the bad news. No free email service, Hotmail, Yahoo Mail, Gmail, etc is considered HIPAA compliant. These services often offer a for-fee version that is HIPAA compliant, but their free versions are in no way compliant. Microsoft Office 365 also offers a HIPAA compliant email service. You can find out more about GSuite here.
There is another way to make your current product become HIPAA compliant email. It is to use a third-party product that will encrypt the email content and send it to the receiver. The receiver will then decrypt the message. If you use a third-party product like Paubox, then you can use any email service you like, even the free services like Gmail.
Real like example
Recently we had a new client that was a billing service. When we performed their initial risk assessment, we found that they were sending a great deal of PHI to their clients. This included EOBs, face sheets, payment records, and others. We asked them about this and their response was what we normally hear in these situations: “We are using Gmail so we are secure”.
It’s not that the billing service was maliciously doing this or knowingly violating HIPAA. It was simply that they didn’t know better and weren’t aware of what HIPAA compliant email needed to be. They assumed that Google was a huge company and that using their Gmail product was secure.
After we showed them the regulations and how Gmail was in fact, not HIPAA compliant, you could see the horror come over their faces. They had been doing this for years and didn’t know. We helped them to get set up with a HIPAA compliant email service and trained them and their staff on how to use it. They removed all Gmail accounts from their computers and even went so far to have us block the Gmail website in their firewall.
What else do you need to do?
After you have set up HIPAA compliant email in your office, you need to train your staff. They need to be aware of the security and legal consequences for sending PHI via insecure email. Be sure that you have your employees sign off that they have received this training and then put that in your HIPAA documentation. It will prove that you did perform this training if there is ever a question in the future.
Periodically retrain your staff on email security and how to use it properly. This will ensure that you don’t have a breach from this often overlooked area in your practice.