Organizations that handle protected health information (PHI) need to keep the requirements of the HIPAA and HITECH acts in mind. If your organization qualifies as a covered entity, you must follow the Privacy Rule and the Security Rule to safeguard PHI.
Negligence can lead to data breaches and large fines.
Email poses special problems under HIPAA. It is one of the most popular and wide-reaching forms of internet communication, and nearly everyone has an email address. The trouble is that most email platforms were not designed with security in mind, so keeping HIPAA compliance while using them is hard. Using email for health-related communication requires strict policies.
Requirements for HIPAA Compliance
HIPAA rules apply to organizations designated as covered entities, including health care providers, health plans, and health care clearinghouses. Business associates that handle PHI on behalf of covered entities must also sign a business associate agreement (BAA) committing them to follow those rules.
The Privacy Rule limits how covered entities and business associates may use and disclose PHI. The Security Rule requires protection of electronic PHI against unauthorized access and tampering, which makes adequate security essential for protecting privacy. The Security Rule lists encryption as an "addressable" specification rather than an outright mandate, but in practice it is a crucial step for protecting confidential data, and unencrypted data that is lost or stolen is what turns an incident into a reportable breach.
Information sent to a patient has to go through a channel that is reasonably safe from interception and unauthorized viewing. A properly maintained secure website that requires authentication can satisfy HIPAA requirements, and so can telephone calls, messaging through a secure service, and paper letters, as long as the provider reaches the right person.
Email is more problematic. The people who designed the email protocols didn't have to deal with a network that every spy and thief had access to. Simply put, email wasn't designed for security. A message can pass through multiple servers, over unprotected cables, and through the air on the way to its destination. Today, roughly 90% of email services support TLS, but it is important to understand what that buys you: TLS in email (STARTTLS) encrypts each hop between mail servers, not the message itself from sender to recipient, and it is usually opportunistic, meaning a server that isn't offered TLS silently falls back to plain text. The message also sits unencrypted on every server along the way and in the recipient's mailbox. So the problem is not only the other 10% of services, but that a sender normally can't tell in advance which path a message will take or whether every hop on it will be encrypted.
If an email message contains test results, diagnoses, health assessments, or other PHI, it should be treated as compliant only if it is protected along the entire route to the recipient. Since the sender doesn't control the recipient's end of the connection, this is hard to guarantee.
The Privacy Rule permits health-related email communication in certain cases. The requirements under the Security Rule are less clear. That rule "allows for e-PHI to be sent over an electronic open network as long as it is adequately protected."
This leaves a lot of room for interpretation. How much information can you send, and what qualifies as adequate protection?
It's best to be conservative. Use email for PHI only if you have the patient's written permission, verify that you are using the right address, and keep the amount of information sent to a minimum. For more specific guidelines, seek professional legal advice.
How to Make Email HIPAA Compliant
Email is secure only if it's encrypted all the way to the recipient. There are several ways of doing this, but when communicating with patients it's important not to place too much work on them. Requiring them to install special software or use a particular service will cause a lot of resistance.
A better approach is to use email only to notify patients that information is available. To get the information, the patient logs into an account on a secure server. The notification itself must contain no PHI (no test names, diagnoses, or appointment reasons), since it travels as ordinary email. It's not as convenient as sending the information directly, but it's a system that anyone with an email account and a browser can use.
Another technique that is gaining popularity is enforcing TLS between mail servers so that the whole route is encrypted, for example by honoring a TLS policy published by the receiving domain (MTA-STS is one such mechanism) or by configuring mandatory TLS for specific partner domains. If a message would have to go to a server that doesn't support TLS, the sending system withholds the encrypted message and instead sends a plain-text notice asking the recipient to log in to a secure server. It isn't enough for a service to claim to do this; for HIPAA compliance, the service has to sign a business associate agreement.
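The decision that such a sending system makes per recipient domain, as an added example written for this article rather than code from any product or mail server: it parses an MTA-STS policy in the RFC 8461 format, checks whether the destination mail server is one the policy allows, and then chooses between delivering the encrypted message, sending a PHI-free portal notice, or deferring delivery entirely. The policy text, host names, and the `starttls_offered` and `cert_valid` inputs are constructed for the example; a real deployment would obtain them from DNS, the policy URL, and the SMTP session.

```python
"""Added example (not from the original article): per-recipient delivery
decision for PHI email, using a simplified MTA-STS (RFC 8461) policy check.
All inputs below are constructed for illustration."""

# Constructed policy, in the format served at
# https://mta-sts.<domain>/.well-known/mta-sts.txt (hypothetical domain).
EXAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 86400
"""

VALID_MODES = ("enforce", "testing", "none")


def parse_mta_sts_policy(text):
    """Parse an MTA-STS policy body into a dict.

    Keys: version, mode, max_age (strings) and mx (list of patterns).
    Raises ValueError on malformed or unsupported input.
    """
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing MTA-STS version")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError(f"invalid mode: {policy.get('mode')!r}")
    if not policy["mx"]:
        raise ValueError("policy lists no mx hosts")
    return policy


def mx_matches_policy(mx_host, patterns):
    """True if mx_host matches one of the policy's mx patterns.

    A '*.' wildcard matches exactly one leftmost DNS label (RFC 8461).
    """
    host = mx_host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            suffix = pat[1:]  # ".backup.example.com"
            if host.endswith(suffix):
                leftmost = host[: -len(suffix)]
                if leftmost and "." not in leftmost:
                    return True
        elif host == pat:
            return True
    return False


def choose_delivery(policy_text, mx_host, starttls_offered, cert_valid):
    """Decide how to deliver a message that would contain PHI.

    Returns one of:
      'send_encrypted'     - every check passed; send the real message over TLS
      'send_portal_notice' - TLS unavailable and no enforced policy; send only
                             a PHI-free notice telling the patient to log in
      'defer'              - the receiving domain enforces TLS but this server
                             or its certificate fails the policy; send nothing
                             now and retry later (never fall back to plaintext)
    """
    tls_ok = starttls_offered and cert_valid
    if policy_text is None:
        # No published policy: opportunistic TLS, so never put PHI in
        # a message that would go out in clear.
        return "send_encrypted" if tls_ok else "send_portal_notice"

    policy = parse_mta_sts_policy(policy_text)
    policy_satisfied = tls_ok and mx_matches_policy(mx_host, policy["mx"])
    if policy["mode"] == "enforce":
        return "send_encrypted" if policy_satisfied else "defer"
    # 'testing' and 'none' modes behave like opportunistic TLS; a real
    # sender would also file a TLS report (RFC 8460) on policy failure.
    return "send_encrypted" if tls_ok else "send_portal_notice"


if __name__ == "__main__":
    # Constructed scenarios: policy host with TLS, unlisted host, TLS refused.
    for host, tls, cert in [("mail.example.com", True, True),
                            ("rogue.example.org", True, True),
                            ("mail.example.com", False, False)]:
        print(host, "->", choose_delivery(EXAMPLE_POLICY, host, tls, cert))
```

The key design point is the third outcome: once a receiving domain publishes an enforced policy, a failed check must not degrade to plain text, not even for the notice, because a downgrade attack looks exactly like "the server didn't offer TLS". Without a policy, the only safe plain-text message is one that carries no PHI at all.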
Free email services, such as Gmail, don't guarantee HIPAA compliance and won't sign a business associate agreement. While messages from one Gmail address to another are encrypted in transit, messages that leave its boundaries may not be. If you want to use email for anything more sensitive than making and confirming appointments, work with a service that commits in writing to compliance.
Make Your Choices Wisely
Getting email right for communication of PHI isn't easy. Don't assume that a service is HIPAA compliant just because it has a good reputation for general use. Whatever solution you choose, you need to understand how to use it properly: protect your accounts with strong authentication, and make sure the addresses you use are correct and current, since a message sent to the wrong person is a disclosure no matter how well it was encrypted. We can help you get all the points right so that your email is truly compliant.
Get in touch with us for a consultation.