How To Make Your Email HIPAA Compliant
As a dental or medical professional, you want the ability to stay connected to your patients around the clock. Of course you want to remind a patient of an upcoming appointment or send them the latest practice newsletter. But what about really staying in touch and providing them with valuable information about their health? Whether it be sending over test results, asking patients for sensitive information, or sending treatment records, ensuring that your email system is set up to be safe, secure and HIPAA compliant is essential. In this blog we will outline 9 things you need to be doing to ensure your emails are HIPAA compliant.
What is HIPAA Compliant Email?
As a medical or dental professional, you have access to your patients’ personally identifiable information (PII). Examples of sensitive PII elements include, but are not limited to:
Social Security number
Driver's license or other identification
Citizenship, legal status, gender, race/ethnicity
Home and personal cell telephone numbers
You also have access to their protected health information (PHI). PHI is any information in the patient record, including but not limited to medical conditions, medications, radiographic images, and lab test results. HIPAA compliant email allows you to communicate electronically with your patients and with other healthcare professionals about patients in a secure and protected (and legal) manner. HIPAA compliant email ensures that an email with PHI is delivered securely to the recipient’s inbox.
How Do I Know if I Am HIPAA Compliant?
To be HIPAA compliant, you must abide by the Privacy and Security Rules. The U.S. Department of Health and Human Services states that the Privacy Rule “requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.” The companion Security Rule “requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”
Any outside vendors your practice does business with are required to sign a Business Associate Agreement with you. Under HIPAA, a business associate agreement is a contract between a HIPAA-covered entity, such as a healthcare provider, and a HIPAA business associate. The business associate agreement outlines the responsibilities of the service provider and establishes that administrative, physical, and technical safeguards will be used to ensure the confidentiality, integrity and availability of PHI.
All clinical and administrative personnel handling protected health information must comply with the Privacy and Security Rules. As a health professional, you are required to protect patients’ PII and PHI within your physical office and when you or your employees are on the telephone. The same HIPAA standards apply to electronic communication.
Why HIPAA Compliant Email?
Why does electronic communication require special handling? Consider the path an email takes once you hit “send”: it begins at your workstation, goes to your network server, and may pass through several other computers on the internet before reaching the recipient’s server and then workstation. At each link in this chain, email is vulnerable to interception by individuals with malicious intent. In addition, every machine the email passes through saves a copy of the message. If any of the computers along the journey are infected with a virus or malware, the sensitive information in your email may be compromised. Encryption is the only way to protect electronic data from outside threats.
So, when should you add HIPAA compliant email? Whenever you plan to send emails containing private information. Any time an outgoing email containing PII or PHI goes beyond your network's firewall, it must be encrypted. This would include most external correspondence to patients or to other doctors regarding patients.
9 Steps to Ensure Your Email is HIPAA Compliant
1. Ensure you have a HIPAA compliant email provider
Unless you have an amazing internal IT employee who is an expert in information systems, odds are you will need to consult a third-party HIPAA compliant email provider. There are many email vendors that offer encrypted email, but not all are HIPAA compliant. Thoroughly research potential email providers to ensure that they offer everything you need to have HIPAA compliant email. Things to look for:
Willingness to sign a business associate agreement
Good customer service team
They offer solutions which can encrypt every email (even non-PHI emails)
Their encryption integrates seamlessly on all devices (desktop, mobile, etc.)
Your Managed Services IT Provider is a good resource to consult when choosing a HIPAA compliant email provider.
2. Ensure your email has end-to-end encryption for emails with PHI or PII
End-to-end encryption protects messages both in transit and “at rest” (while they are stored). Your encrypted email should have user access controls, such as passwords, so that only the sender and the intended recipient can retrieve the messages. Reduce human error by choosing a provider that encrypts all emails.
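The delivery chain described under “Why HIPAA Compliant Email?” (a copy saved on every machine along the path) and the end-to-end property in this step can be shown in a few dozen lines. The Go program below is an added example, not code from the original post or from any email vendor: the hop names and the patient record are constructed sample data, AES-256-GCM stands in for whatever encryption scheme your provider actually uses, and the shared key is derived from a fixed label only so the run is repeatable (a real deployment gets its keys from the encryption product, never from a hard-coded string).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample PHI for the demo; not real patient data.
var samplePHI = []byte("Patient: J. Doe  Lab result: HbA1c 7.2%  Rx: metformin")

// Hop models one machine on the delivery path (workstation, practice mail
// server, internet relay, recipient server). As the article notes, every
// machine the email passes through saves a copy, so each Hop stores what it relayed.
type Hop struct {
	Name   string
	Stored []byte
}

// relay pushes a message through every hop; each hop keeps its own copy.
func relay(msg []byte, hops []*Hop) []byte {
	for _, h := range hops {
		h.Stored = append([]byte(nil), msg...)
	}
	return msg
}

// anyHopExposes reports whether any hop's stored copy contains the PHI in
// readable form: the "copy at rest on every machine" risk from the text.
func anyHopExposes(hops []*Hop, phi []byte) bool {
	for _, h := range hops {
		if bytes.Contains(h.Stored, phi) {
			return true
		}
	}
	return false
}

// Seal encrypts plaintext with AES-256-GCM under a key shared only by the
// sender and the recipient. Output layout: nonce || ciphertext || auth tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. The GCM tag check fails for a wrong key or a modified
// message, which is the access-control property the step asks for: only the
// intended holder of the key can read the message.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// DemoKey derives a fixed 32-byte key from a label so the demo is repeatable.
// Assumption for the example only; real keys come from the encryption product.
func DemoKey(label string) []byte {
	sum := sha256.Sum256([]byte(label))
	return sum[:]
}

// newPath builds the constructed delivery chain from the article.
func newPath() []*Hop {
	return []*Hop{{Name: "sender workstation"}, {Name: "practice mail server"},
		{Name: "internet relay"}, {Name: "recipient mail server"}}
}

// Result summarises one message sent both ways through the same path.
type Result struct {
	PlainExposed  bool // PHI readable at some hop when sent unencrypted
	SealedExposed bool // PHI readable at some hop when sealed end to end
	Recovered     bool // intended recipient decrypted the PHI
	WrongKeyFails bool // a party without the key could not decrypt
}

// Demo sends phi once in the clear and once sealed, then checks every hop.
func Demo(phi []byte) (Result, error) {
	var r Result
	plainPath := newPath()
	relay(phi, plainPath)
	r.PlainExposed = anyHopExposes(plainPath, phi)

	key := DemoKey("sender+recipient shared key")
	sealed, err := Seal(key, phi)
	if err != nil {
		return r, err
	}
	sealedPath := newPath()
	delivered := relay(sealed, sealedPath)
	r.SealedExposed = anyHopExposes(sealedPath, phi)

	got, err := Open(key, delivered)
	r.Recovered = err == nil && bytes.Equal(got, phi)
	_, err = Open(DemoKey("someone else"), delivered)
	r.WrongKeyFails = err != nil
	return r, nil
}

func main() {
	r, err := Demo(samplePHI)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Running it prints that the unencrypted message was readable at every hop while the sealed one was not, that the recipient recovered the record, and that a wrong key was rejected. Note what the example does not cover: transport encryption between servers (TLS) protects only the link, not the stored copies, which is why the step calls for end-to-end encryption rather than relying on the connection alone.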
3. Enter into a HIPAA-compliant Business Associate Agreement with your email provider
Say no to a company that will not sign a BAA. Some common reasons these companies will not sign:
“Our lawyers say we don’t need one.”
“We never open your emails, so we’re not a Business Associate.”
“None of our thousands of customers have ever asked us to do that.”
“We’re a ‘conduit’, not a business associate.”
These are all nonsense. As stated before, HIPAA requires you to have a BAA in place with every outside vendor you deal with. Walk away if they won’t sign.
4. Develop policies around the proper use of email and educate staff
Training staff is extremely important in all areas, but particularly with regard to HIPAA standards. Several major data breaches have resulted from errors made by healthcare staff.
5. Make sure all emails are retained for 6 years
Research what storage time frame is required in your state. Keep in mind that even for small practices, storing emails and attachments for six years can require a large amount of space. Consider using a secure, encrypted email archiving service to store your emails off-site rather than relying on in-house email backups.
6. Get written consent from patients before communicating with them via email
While email is a convenient way to communicate with patients, HIPAA rules require that you obtain written consent from patients in order to send their PHI electronically.
7. Ensure you have a HIPAA compliant email provider
Research potential email providers to ensure that they offer everything you need for your email to be HIPAA compliant.
8. Make sure your email is configured correctly
Simply using an email service that is covered by a BAA does not make your email HIPAA compliant. Do your research and talk to your email company about your setup options.
9. Have a privacy statement at the end of all emails
A privacy statement should automatically be appended to the end of every outgoing email. It should remind recipients that email is inherently insecure and should state that the email is privileged and confidential. Provide contact information should any issues arise.
Keeping in touch with your patients via email is convenient and inexpensive. Just make sure that your email follows HIPAA compliant security standards. Specializing in IT for medical and dental practices, Integrity Systems & Solutions is available to help you find and implement the right technology solutions for your practice.