We send and receive email every day in our personal lives.
So, it would seem natural to send emails back and forth between you and your patients.
But what if the emails contain protected health information?
How do you make email HIPAA compliant?
How will you use email with protected health information?
The first questions to ask are: is my email network behind a firewall?
Are you only emailing protected health information between you and your staff, inside that firewall, so that no message ever leaves your network?
If you answer yes to both questions, HIPAA does not force you to encrypt those internal emails: encryption is an “addressable” specification under the Security Rule, and your risk analysis should document why it is not needed for mail that never leaves your network.
But you do need access controls for email accounts so that only those individuals who are authorized can access protected health information, and the mailboxes and backups where that mail is stored still need to be protected.
On the other hand, if you intend to use email to send protected health information externally, you are responsible for protecting the protected health information—in other words, making it HIPAA compliant. Encryption is the key to making your email HIPAA-compliant but it’s not that simple. Many email service providers that offer an encrypted email service are not HIPAA compliant because they do not incorporate all the necessary safeguards to meet the requirements of the HIPAA Privacy and Security Rules.
Here are some of the things you will want to consider to make sure your email is HIPAA compliant.
Ensure you have end-to-end encryption for email
Just because email is a quick and easy way to communicate it doesn’t mean that it’s secure.
Even services that encrypt messages in transit may not have the required level of security to make them HIPAA compliant, because transit encryption says nothing about how the message is stored once it arrives.
HIPAA compliant email must be encrypted both in transit (between mail servers, and between the mail client and the server) and at rest (in mailboxes, archives and backups).
True end-to-end encryption, where only the sender and the intended recipient hold the keys, is the stronger option because the provider itself cannot read the messages.
Access controls must be set so that only the intended recipient and the sender can read the messages.
Some email service providers allow individual emails to be encrypted by clicking a button or using a portal.
It is easy to forget to turn on the encryption feature, and you or your staff may accidentally send an unencrypted email.
Also, do you really want to rely on the person sending the email to decide whether the message contains electronic protected health information (ePHI) and to remember to turn on the encryption?
You can reduce the potential for human error by choosing to encrypt all emails, not just those that contain ePHI.
The type of encryption also matters, and the recommended algorithms and protocol versions change over time.
Use current, widely reviewed standards (for example TLS 1.2 or later for mail in transit and AES for stored mail) and retire configurations that still allow deprecated versions.
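The argument above, that deciding per message whether something is ePHI is a losing game, can be seen in a few lines. The following is an added example, not code from the original article or from any email provider: it compares a “detect then encrypt” policy built on identifier patterns against an “encrypt everything” policy. The three sample messages, the `PHI_MESSAGES` labels and the regular expressions in `PHI_PATTERNS` are all constructed for illustration and are not drawn from any real product or patient record.

```python
import re

# Constructed sample messages for illustration only; no real patient data.
# Two of the three contain PHI by the HIPAA definition (an identifier combined
# with health information); the third is routine office chatter.
SAMPLES = {
    "lab-results": "Pt Jane Q. Sample, MRN 00418273, DOB 02/14/1961: CBC and A1c results attached.",
    "followup": "Hi Dr. Lee, re: Maria from this morning's clinic, her HIV test came back positive. Please call the cell number on file.",
    "lunch": "Reminder: the staff lunch has moved to noon on Thursday.",
}
# Ground truth for the samples above (what a careful human would say).
PHI_MESSAGES = {"lab-results", "followup"}

# Hypothetical identifier patterns of the kind a content filter might use.
# Real products use larger dictionaries, but the gap shown here is structural:
# a filter can only flag what it has a pattern for.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[\s:#]*\d{6,}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[\s:]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
}


def detect_phi(body: str) -> set[str]:
    """Return the names of the identifier patterns that match the message body."""
    return {name for name, pattern in PHI_PATTERNS.items() if pattern.search(body)}


def should_encrypt(body: str, policy: str) -> bool:
    """Decide whether a message gets encrypted under a 'detect' or an 'always' policy."""
    if policy == "always":
        return True
    if policy == "detect":
        return bool(detect_phi(body))
    raise ValueError(f"unknown policy: {policy}")


def sent_in_clear(policy: str) -> set[str]:
    """Ids of messages that contain PHI but would leave the practice unencrypted."""
    return {msg_id for msg_id in PHI_MESSAGES if not should_encrypt(SAMPLES[msg_id], policy)}


if __name__ == "__main__":
    for policy in ("detect", "always"):
        leaked = sorted(sent_in_clear(policy)) or "none"
        print(f"{policy:>6}: PHI sent unencrypted -> {leaked}")
```

The “followup” message has no account number, date of birth or SSN, so the pattern filter lets it through in clear text even though a first name combined with an HIV result is unmistakably PHI. The “always” policy has nothing to get wrong, which is the point of the recommendation above.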
Depending on the stage your practice is at, you may not have the in-house IT staff to make sure your email is HIPAA compliant.
Not to worry: a quick Google search will turn up multiple third-party email service providers that advertise HIPAA compliance, and the checklist in this article will help you vet them.
As with all the software solutions that are meant to help physicians be compliant, you’ll want to evaluate how well each option integrates with your EMR/Practice Management software.
Enter into a HIPAA-compliant business associate agreement with your email provider
If you use a third-party email provider, you should obtain a business associate agreement before using the service to send ePHI.
A business associate agreement establishes that the business associate will use administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.
If you ask an email service provider to enter into a business associate agreement and they are unwilling or unable, then you need to find another email service provider.
Make sure that your email is configured correctly
Having a business associate agreement doesn’t mean that your email is HIPAA compliant.
Make sure that your email is set up correctly so that you don’t violate the HIPAA Rules and end up with a hefty fine.
Here’s an example of how easy it is to be confused: Google’s G Suite (now Google Workspace) includes email and is covered by Google’s business associate agreement.
Email through G Suite can be HIPAA compliant if the service is used with your own business domain and you configure it so that messages are encrypted in transit and at rest and access is limited to authorized accounts.
But here’s the catch: G Suite is not the same as Gmail. A free consumer Gmail account is not intended for business use and there is no way to make it HIPAA compliant.
And, by the way, Google doesn’t sign a BAA for its free services, only for its paid services—which in and of itself should serve as a clue.
The most important step—Develop policies on the use of email and train your staff
The most important step is to train your staff on the correct handling of ePHI.
Numerous data breaches have occurred where ePHI was accidentally sent via unencrypted email, or was sent to individuals who were not authorized to view the information.
Training your staff about their responsibilities under HIPAA and the use of the email service should be a core part of your HIPAA training.
Emails containing PHI need to be retained
Email retention is not specifically mentioned in the HIPAA legislation.
However, because individuals can request an accounting of disclosures of their PHI, and email communications may have to be produced when legal action is taken, covered entities should maintain an email archive, or at least ensure emails are backed up and stored securely.
HIPAA requires covered entities to store documentation related to their compliance efforts for 6 years.
Storing six years of emails, including attachments, requires considerable storage space.
One option is to use a secure, encrypted email archiving service rather than email backups.
An archive takes the mail off your production mail server and is indexed, so searching for a specific email is quick and easy.
The archiving provider will be handling your ePHI, so it is a business associate under the HIPAA Rules and will also need to sign a business associate agreement.
Obtain consent from patients before communicating with them by email
Even if you are using a HIPAA compliant email provider, you must still obtain the patient’s consent in writing to use email as a form of communication before any ePHI is sent to them by email.
Patients must be advised that there are risks to the confidentiality of information sent via email.
If they are prepared to accept the risks, emails containing ePHI can be sent without violating HIPAA Rules.
HIPAA email compliance should be included in your compliance plan.
You don’t want something we all do every day, sending and receiving emails, to get you into HIPAA trouble.
If you are unsure of the requirements for HIPAA compliance, speak with a healthcare attorney who specializes in HIPAA to advise you of your responsibilities and the requirements of HIPAA with respect to email.