OSHA & HIPAA Compliance Made Easy
With 25+ years of OSHA experience and one of the nation's only Certified HIPAA Professionals, Smart Training makes compliance not only manageable but easy! We want to address your concerns, so comment and have your questions answered by the experts!
Smart Training

What About Encrypted Email?

1/29/2018 3:18:42 PM

Many Smart Training clients send Protected Health Information via email but are unsure how to make their email HIPAA compliant. To add to the challenge, many email service providers offer an encrypted email service, but not all are HIPAA compliant, and few actually incorporate the necessary safeguards to meet HIPAA requirements. Even services that encrypt messages in transit may not have the required level of security to make them HIPAA compliant.

Research potential HIPAA-compliant email service providers to ensure that they provide a service that is suitable for your requirements. A search on Google will produce several potential service providers. Enter into a HIPAA-compliant business associate agreement with your email provider.

Ensure that your provider offers end-to-end encryption, which protects both messages in transit and stored messages. Access controls should ensure that only the sender and the intended recipient can access the messages.

If you use a third-party email provider, obtain a Business Associate Agreement (BAA) prior to using the service for sending ePHI. The BAA should outline the responsibilities of the service provider and must establish that administrative, physical, and technical safeguards will be used to ensure the confidentiality, integrity, and availability of ePHI. If your email service provider is not prepared to enter into a business associate agreement, look elsewhere. Be aware that several providers, like Google, will not enter into BAAs for ‘free’ services.

Even when a BAA is obtained, it is possible to violate HIPAA. Simply using an email service that is covered by a BAA does not make your email HIPAA compliant. Once you have implemented a compliant email service, train your staff on the correct use of the service. Data breaches often occur as a result of errors made by healthcare staff, including the accidental sending of ePHI via unencrypted email and the sending of ePHI to individuals who are not authorized to view the information. Every staff member should be aware of their responsibilities under prevailing patient privacy laws.

HIPAA requires both Covered Entities and Business Associates to retain past email communications containing ePHI. The retention period is 6 years. For any healthcare organization, no matter the size of the practice, storing 6 years of emails and attachments requires considerable storage space. Consider using a secure, encrypted email archiving service, rather than email backups.

An email archiving service will free up needed hard drive storage space and save time as well. Since an email archive is indexed, searching for emails is a quick and easy process. If emails must be produced for legal purposes or for a compliance audit, they can be quickly and easily retrieved.

Any provider of an email archiving service will also be a Business Associate and therefore subject to HIPAA Rules. A Business Associate Agreement will be required between your office and the archive service provider. The BAA should incorporate reasonable assurances that the service will train their staff on patient privacy and abide by HIPAA requirements concerning the information they store for your office.

From time to time, you may find it convenient to send emails containing ePHI to patients. Remember, however, that consent to use email as a communication method typically must be obtained from the patient in writing before any ePHI is sent via email, even if a HIPAA compliant email provider is used. Patients must be advised that there are risks to the confidentiality of information sent via email. If they are prepared to accept the risks, emails containing ePHI can be sent without violating HIPAA Rules. Up-to-date Notices of Privacy Policies should offer this information to patients, and signed acknowledgments of receipt should be in the patient’s chart before an email is sent.

If you are unsure of the requirements of HIPAA with respect to email, we recommend that you contact our Certified HIPAA Professionals. As with most issues regarding patient privacy, a little information can go a long way toward staving off disaster.

For more HIPAA compliance news and information, check out Smart Training's blog site.
©2024 Dentaltown, a division of Farran Media • All Rights Reserved