Below: Sandy Weitz, MD, teaches us what it takes to make your email HIPAA compliant so you can avoid significant HIPAA fines and penalties.

We send and receive email every day in our personal lives.

So, it would seem natural to send emails back and forth between you and your patients.

But what if the emails contain protected health information?

How do you make email HIPAA compliant?


How will you use email with protected health information?

The first questions to ask are: "Is my email system behind a firewall?"

"Am I only emailing protected health information between myself and my staff, within the confines of that firewall?"

If you answer yes to both questions, you may not need to encrypt those internal emails. Be aware, though, that the HIPAA Security Rule treats encryption as an "addressable" safeguard: if you decide not to encrypt, you still have to assess the risk and document why that decision is reasonable for your practice.

But you do need access controls for email accounts, so that only those individuals who are authorized have access to protected health information.

On the other hand, if you intend to use email to send protected health information externally, you are responsible for protecting it, in other words, making it HIPAA compliant. Encryption is the key to making your email HIPAA compliant, but it's not that simple. Many email service providers that offer an encrypted email service are not HIPAA compliant because they do not incorporate all the safeguards needed to meet the requirements of the HIPAA Privacy and Security Rules.


Here are some of the things you will want to consider to make sure your email is HIPAA compliant:


Ensure you have end-to-end encryption for email

Just because email is a quick and easy way to communicate doesn't mean that it's secure.

Even services that encrypt messages in transit may not have the required level of security to make them HIPAA compliant.


HIPAA compliant email must be encrypted both in transit (between your mail system and the recipient's, typically with TLS) and at rest (messages sitting on mail servers, in mailboxes and in backups). True end-to-end encryption goes a step further: only the sender and the intended recipient hold the keys, so not even the email provider can read the message.

Access controls must be set so that only the intended recipient and the sender can access the messages.


Some email service providers allow individual emails to be encrypted by clicking a button or using a portal.

It's easy to forget to turn on the encryption feature, and you or your staff may accidentally send an unencrypted email.

Also, do you really want to rely on the person sending the email to determine whether the information contains electronic protected health information (ePHI) and turn on the encryption?

You can reduce the potential for human error by choosing to encrypt all emails, not just those that contain ePHI.

The type of encryption used also matters, and the accepted standards change over time.

Use current, well-vetted protocols and settings (for example, TLS 1.2 or later for transport; the older SSL and TLS 1.0/1.1 versions are deprecated) rather than whatever a provider enabled years ago.
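
The argument above, that content-triggered "click to encrypt" policies fail whenever a rule or a sender misses the ePHI, can be demonstrated in a few lines. The following is an added example, not code from the original article or from any email vendor: a toy DLP-style detector with assumed regex rules (SSN, MRN, date of birth, ICD-10 code) run over constructed, fictional sample messages. It shows that PHI written as ordinary prose slips past identifier-based rules, which is exactly why an encrypt-everything policy is safer than per-message opt-in.

```python
"""Why per-message, content-triggered encryption is fragile: a toy DLP-style
ePHI detector run over constructed sample messages.

Added illustration, not code from the original article. The regexes are
simplified stand-ins for the kind of rule a "click to encrypt" gateway (or a
busy sender) applies; the messages are fictional and contain no real patient
data.
"""
import re

# Assumed detection rules. Real DLP rule sets are larger, but they share the
# weakness shown below: they key on identifiers, not on meaning.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),
    "dob": re.compile(
        r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE
    ),
    "icd10": re.compile(r"\bICD-?10[:\s]*[A-Z]\d{2}(?:\.\d{1,2})?\b", re.IGNORECASE),
}

# Constructed samples: (message body, does it actually contain PHI?).
SAMPLES = {
    "structured": (
        "Patient MRN# 00482913, DOB 04/12/1971, ICD-10: E11.9. Please schedule follow-up.",
        True,
    ),
    "prose": (
        "Mr. Alvarez's biopsy came back positive; start him on the oncology protocol Monday.",
        True,
    ),
    "partial": ("Re: the 58 year old in room 4 with HIV, labs attached.", True),
    "benign": ("Reminder: staff meeting moved to 3pm Thursday in the conference room.", False),
}


def detect_ephi(body: str) -> set[str]:
    """Names of the rules that fire. An empty set means an opt-in gateway
    using these rules would send the message unencrypted."""
    return {name for name, rx in PATTERNS.items() if rx.search(body)}


def false_negatives(samples: dict[str, tuple[str, bool]]) -> list[str]:
    """Messages that contain PHI but that the detector would let through
    in the clear under a content-triggered (opt-in) encryption policy."""
    return [
        name
        for name, (body, has_phi) in samples.items()
        if has_phi and not detect_ephi(body)
    ]


def would_encrypt(body: str, encrypt_all: bool) -> bool:
    """Encryption decision under the two policies the text contrasts:
    encrypt only when a rule fires, or encrypt every outbound message."""
    return True if encrypt_all else bool(detect_ephi(body))


if __name__ == "__main__":
    for name, (body, has_phi) in SAMPLES.items():
        hits = detect_ephi(body)
        print(
            f"{name:10s} phi={has_phi!s:5s} rules_fired={sorted(hits) or '-'} "
            f"opt_in_encrypts={would_encrypt(body, False)} "
            f"encrypt_all={would_encrypt(body, True)}"
        )
    print("leaked under opt-in policy:", false_negatives(SAMPLES))
```

Only the "structured" message trips the rules; the two messages that describe a patient's condition in plain words would leave the practice unencrypted under an opt-in policy, while the encrypt-all policy never depends on the detector (or the sender) getting it right.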


Depending on the stage your practice is at, you may not have the in-house IT staff to make sure your email is HIPAA compliant.

Not to worry: a quick Google search will turn up multiple third-party HIPAA compliant email service providers.

As with all software solutions meant to help physicians stay compliant, you'll want to evaluate how well each option integrates with your EMR/practice management software.


Enter into a HIPAA-compliant business associate agreement with your email provider

If you use a third-party email provider, you should obtain a business associate agreement before using the service to send ePHI.

A business associate agreement establishes that the business associate will use administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.

If you ask an email service provider to enter into a business associate agreement and they are unwilling or unable, find another email service provider.


Having a business associate agreement doesn’t mean that your email is HIPAA compliant.

Make sure that your email is set up correctly so that you don’t violate HIPAA Rules and end up with a hefty fine.

Here's an example of how easy it is to be confused. Google's G Suite (now called Google Workspace) includes email and is covered by Google's business associate agreement.

Email can be HIPAA compliant through G Suite if the service is used with your own business domain and you configure the encryption and access controls described above.


But here's the catch: G Suite is not the same as Gmail. A free consumer Gmail account is not intended for business use, and there is no way to make it HIPAA compliant.

And, by the way, Google doesn't sign a BAA for its free services, only for its paid services, which in and of itself should serve as a clue.


The most important step: develop policies on the use of email and train your staff

The most important step is to train your staff on the correct handling of ePHI.

There have been numerous data breaches where ePHI was accidentally sent by unencrypted email, or was sent to individuals not authorized to view it.

Training your staff about their responsibilities under HIPAA and the use of the email service should be a core part of your HIPAA training.


Emails containing PHI need to be retained

Email retention is not specifically mentioned in the HIPAA legislation.

However, because individuals can demand information on disclosures of PHI, and email communications may have to be provided when legal action is taken, covered entities should maintain an email archive or at least ensure emails are backed up and stored.

HIPAA requires covered entities to store documentation related to their compliance efforts for 6 years.

Storing six years of emails, including attachments, requires considerable storage space.

One option is to use a secure, encrypted email archiving service rather than email backups.


An archiving service frees up storage space on your own systems and indexes the messages, so searching for a particular email is quick and easy.

The archiving provider will be handling your ePHI, so it is also subject to HIPAA Rules and you will need to enter into a business associate agreement with it as well.


Obtain consent from patients before communicating with them by email

Even if you are using a HIPAA compliant email provider, you must still obtain the patient's consent in writing to use email as a form of communication before any ePHI is sent that way.

Patients must be advised that there are risks to the confidentiality of information sent via email.

If they are prepared to accept the risks, emails containing ePHI can be sent without violating HIPAA Rules.


HIPAA email compliance should be included in your compliance plan.

You don't want something we all do every day, sending and receiving emails, to get you into HIPAA trouble.

If you are unsure of the requirements, speak with a healthcare attorney who specializes in HIPAA to advise you of your responsibilities and the requirements of HIPAA with respect to email.


Sandra Weitz MD

Practice Building MD

SoMeDocs

SoMeDocs, short for Doctors on Social Media, is a physician-created & led health media company that aims to build a beautiful catalogue of verified online healthcare voices. Our goals are to teach educated professionals tools for personal success, and to showcase them to the world, and facilitate the connections needed to grow. Join us.
