HIPAA Compliant Emails
Current events have shown us that in-person visits to the doctor’s aren’t always a viable option. The COVID-19 outbreak presented many challenges for healthcare systems all over the world. Email remains among the top communication channels for many industries, healthcare included. It is a convenient way for healthcare professionals (HCPs) to communicate internally and externally, particularly when reaching patients in person is difficult or when information simply needs to be passed along.

Essential things to know about HIPAA and email security

Email presents an instant and sensible solution for providers and patients, as most people already use it. Email offers opportunities for medical practices to provide the following services:
  • Patient consultations
  • Exchange of medical data with patients, colleagues, and labs
  • Medication follow-up
  • Management of patients’ chronic conditions
  • Referral submissions
  • Confirmation of insurance eligibility and payments

How to send HIPAA-compliant emails

The Health Insurance Portability and Accountability Act (HIPAA) promotes standards for the safety of sensitive medical data such as protected health information (PHI) when used to improve patient care and other healthcare services. The first step in sending HIPAA-compliant emails requires covered entities to sign an agreement with the email service provider (business associate) they plan to use for healthcare delivery, clinical, and front desk functions involving ePHI.

Signing a Business Associate Agreement (BAA) with your email provider

HIPAA rules and regulations require you to enter into a BAA with an email service provider if you intend to use the email service to send ePHI. The agreement outlines their responsibilities and ensures that they can provide mechanisms required to protect sensitive health information. These mechanisms include:
  • Technical safeguards
  • Administrative safeguards
  • Physical safeguards
It’s important to note that a BAA isn’t optional. If the email provider doesn’t want to sign the agreement with your practice, that means they’re unable to fulfill the HIPAA requirements. It’s a good idea to consult a lawyer specializing in medical law before you start sending out emails containing ePHI, in addition to having an information technology (IT) expert configure the email system correctly. Even after you find a HIPAA-compliant email service provider and sign an agreement with them, the work needed before you can start using email to send PHI isn’t over. There are still multiple areas to address:
  1. Ensure end-to-end encryption
  2. Figure out how to retain emails
  3. Obtain patient consent
  4. Create strict policies and train your staff

End-To-End Encryption for HIPAA-Compliant Emails

When it comes to the HIPAA Security Rule, medical data encryption is of the utmost importance. The rule states that messages must be encrypted both in transit and when stored. Even if a service provider can encrypt the emails you send in transit, you must also have access controls in place that guarantee only the intended recipient and the sender have access to the emails containing PHI. Some service providers allow you to encrypt the emails you send but not by default. In these cases, you must either:
  • Manually select to have the email encrypted before sending it
  • Enable the option to encrypt all emails, if such an option exists, to eliminate human error from the equation
The type of encryption is something to consider as well. As technology advances, new encryption standards become available, so check the National Institute of Standards and Technology (NIST) for its current recommendations on email encryption to remain in compliance.

Email Retention

Although HIPAA rules don’t specifically address email retention, they require healthcare providers to have a backup archive to separately store, access, and recover data in an emergency. That means you have to find a different solution, apart from the HIPAA-compliant email service provider, that enables you to store PHI shared via email. Storing all email communication, including attachments, such as health records and visit summaries, takes a lot of storage space. Depending on the location of your practice, state laws may also require you to store the emails for a certain period, so it’s highly advisable to consult a lawyer before you send out a single email that contains PHI. With a comprehensive, fully HIPAA-compliant solution, you don’t have to stress about figuring out how to store large amounts of data. Click-Pro can provide automatic backups which you can easily access in an emergency.

Obtain Patient Consent Before Sending Emails With ePHI

Even if your emails are entirely HIPAA compliant, you can’t start sending ePHI to patients immediately. You must first introduce them to the dangers and risks of communicating protected health information via email and obtain their explicit, written consent.

Apart from all these requirements, there are two more considerations when using email to provide remote health services. Make sure to protect your email account with a strong password and two-factor authentication to prevent unauthorized access. Consider including disclaimers in your emails as a means of notifying patients that the message contains ePHI, and that they should view it at their discretion rather than on a public or unsecured network.

After implementing a HIPAA-compliant email service, you need to develop strict policies that clearly define how your practice should use email and for what purposes. You should adequately train your staff to send encrypted emails under HIPAA rules and regulations. Every employee should be fully aware of their responsibilities and the consequences of data breaches. The law does not tolerate human errors when sending ePHI via email, so the policies you implement must guarantee that the correct information is always sent to the right recipient using the necessary encryption methods. Non-compliance with HIPAA regulations can result in civil and criminal charges and fines or imprisonment, as well as federal and state penalties for HIPAA violations.

Is email really HIPAA compliant?

Debates regarding HIPAA compliance and email have been ongoing ever since changes to the Health Insurance Portability and Accountability Act took effect in 2013. Despite various interpretations, the HIPAA Security Rule clearly states that all forms of communication must be accompanied by the “appropriate administrative, physical, and technical safeguards” to ensure the confidentiality and integrity of ePHI. While the rule doesn’t explicitly prevent healthcare providers from using email to communicate and share ePHI, it does impose several requirements. Healthcare providers must implement access controls with user identification and authentication, and provide audit, integrity, and transmission control mechanisms to:
  1. Restrict access to ePHI
  2. Continuously monitor how they transfer ePHI
  3. Introduce message accountability and integrity of ePHI at rest
  4. Prevent unauthorized access
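The following is an added example, not Click-Pro’s code or the behaviour of any particular email provider, that ties together three points made above: the “encrypt all emails” option that removes the human step of selecting encryption per message, the rule that ePHI goes only to patients who have given written consent, and the audit and integrity controls that let a practice monitor every ePHI transfer and detect tampering with that record. The message dataclass, the in-memory consent register, the hard-coded audit key and the sample addresses are all constructed for the illustration; a real deployment would sit this logic in front of the sending path and keep the key in a key store.

```python
"""Outbound policy gate for e-mail that may carry ePHI.

Added illustration only: not Click-Pro's code or any real product's behaviour.
Assumptions not taken from the page: messages are small dataclasses, the
consent register is an in-memory set, and the audit trail is an in-memory list
whose entries are chained with an HMAC so that edits or deletions are detectable.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical key for the audit chain; a deployment would load it from a key
# store rather than embed it in source.
AUDIT_KEY = b"constructed-demo-key"


@dataclass
class OutboundMessage:
    sender: str
    recipient: str
    subject: str
    contains_ephi: bool             # set by the sender or a content classifier
    encrypt_selected: bool = False  # the "manually select encryption" case


@dataclass
class PolicyGate:
    encrypt_all: bool          # the "encrypt every message" provider option
    consented_patients: set    # recipients with explicit written consent on file
    audit: list = field(default_factory=list)
    _last_mac: str = "0" * 64  # chain anchor for the first audit entry

    def _mac(self, entry: dict) -> str:
        data = json.dumps(entry, sort_keys=True).encode()
        return hmac.new(AUDIT_KEY, data, hashlib.sha256).hexdigest()

    def _record(self, msg: OutboundMessage, decision: str) -> None:
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "sender": msg.sender,
            "recipient": msg.recipient,
            "ephi": msg.contains_ephi,
            "decision": decision,
            "prev": self._last_mac,  # links this entry to the previous one
        }
        entry["mac"] = self._mac(entry)
        self._last_mac = entry["mac"]
        self.audit.append(entry)

    def check(self, msg: OutboundMessage) -> str:
        """Return 'allowed' or a 'blocked: ...' reason; every decision is logged."""
        encrypted = self.encrypt_all or msg.encrypt_selected
        if msg.contains_ephi and not encrypted:
            decision = "blocked: ePHI without encryption"
        elif msg.contains_ephi and msg.recipient not in self.consented_patients:
            decision = "blocked: recipient has not consented to ePHI by e-mail"
        else:
            decision = "allowed"
        self._record(msg, decision)
        return decision

    def verify_audit(self) -> bool:
        """Recompute the HMAC chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["prev"] != prev:
                return False
            if not hmac.compare_digest(self._mac(body), entry["mac"]):
                return False
            prev = entry["mac"]
        return True


def demo() -> list:
    """Constructed scenario exercising the gate; returns the decisions in order."""
    gate = PolicyGate(encrypt_all=False, consented_patients={"pat@example.org"})
    decisions = [
        # ePHI, nobody ticked the encryption box: blocked
        gate.check(OutboundMessage("dr@clinic.example", "pat@example.org",
                                   "Lab results", contains_ephi=True)),
        # same message with encryption selected by hand: allowed
        gate.check(OutboundMessage("dr@clinic.example", "pat@example.org",
                                   "Lab results", contains_ephi=True,
                                   encrypt_selected=True)),
        # encrypted, but the recipient never gave written consent: blocked
        gate.check(OutboundMessage("dr@clinic.example", "other@example.org",
                                   "Referral", contains_ephi=True,
                                   encrypt_selected=True)),
        # no ePHI at all: allowed without encryption
        gate.check(OutboundMessage("dr@clinic.example", "anyone@example.org",
                                   "Office hours", contains_ephi=False)),
    ]
    # With encrypt-all turned on, the first message goes through without
    # relying on anyone remembering to select encryption.
    strict = PolicyGate(encrypt_all=True, consented_patients={"pat@example.org"})
    decisions.append(strict.check(OutboundMessage(
        "dr@clinic.example", "pat@example.org", "Lab results", contains_ephi=True)))
    return decisions


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The gate deliberately decides and logs but does not encrypt anything itself: the encryption comes from the provider’s transport or the user’s selection, and the gate’s job is to refuse ePHI that would leave without it. Chaining each audit entry to the previous one with an HMAC means that changing a recipient in an old entry, or quietly deleting one, breaks verification, which is what the integrity and audit controls listed above are meant to guarantee.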
Contact us for a FREE audit of your email communications and information security. http://www.click-pro.com (888) 880-2536