Every organization that collects, shares, and uses protected health information (PHI) understands the gravity of compliance. From releasing patient information to communication, the Health Insurance Portability and Accountability Act (HIPAA) outlines the requirements for internal and external email communication. Here is what you need to be confident your team is using HIPAA compliant emails.
What Does HIPAA Say About Emails?
In 2013, HIPAA updated its guidelines on email communication. Two of the specific clauses deal with email communication—the Privacy Rule and the Security Rule. Both rules demand that PHI communications are private, secure, and confidential.
The guidance instructs entities to establish several critical controls for access, auditing, integrity, authentication, and transmission security. Formally, HIPAA requests these controls be put in place to ensure:
- Access restrictions to PHI
- Monitoring of PHI communications
- PHI integrity at rest
- Complete message accountability
- PHI protection from unauthorized entry during transit
Many organizations suggest that encryption is sufficient to meet these guidelines. It is a vital part of compliance, but it alone doesn’t guarantee the audit or authentication requirement. Also, it’s key to understand that encryption is only necessary when emails leave your firewall. However, most entities use this best practice no matter where messages are sent.
Critical Steps for HIPAA Compliant Emails
Consider the following when determining if your emails are HIPAA compliant.
When sending messages outside your organization, encryption must be part of the entire process. Encryption is necessary for emails in transit and storage.
The type of encryption matters, as well. The current standard is AES 128, 192, or 256-bit encryption. Having such a robust email exchange may not be feasible for small organizations. Seeking out a provider that can offer this level of protection is more practical. Choosing a partner that also has predefined encryption policies for PHI is another best practice.
Do you have a BAA with your email provider?
A BAA (business associate agreement) is necessary to be compliant with HIPAA, so you’ll need to have one in place with your provider. This agreement protects you if you are audited for HIPAA compliance. If a provider doesn’t mention it, you should keep looking.
Staff training and policies
Each organization should document your email policies to support HIPAA compliance. These policies will be the foundation of training and supporting staff. Your employees are crucial in compliance because they are sending emails.
Without proper and sustained training, data breaches can occur. Such an incident could cost you substantially in fines and impact your reputation. Guard against this by creating a culture of compliance.
Communicating with patients
It is acceptable to email patients relating to their health information. However, you must first obtain consent. This consent must be in writing. It’s also critical to advise them that there is still some risk related to email communication.
Selecting a HIPAA Compliant Email Provider
Ideally, your email exchange provider will offer a portfolio of communication tools. Integrating all your communications and file sharing into one HIPAA compliant environment makes things less cumbersome for you.
To find the right provider, use this checklist:
- Are they willing and able to sign a BAA and uphold their responsibilities?
- Do they use the standard in encryption methods?
- Is a compliant email archive available?
- Do they understand the healthcare industry and the uniqueness of PHI?
- Is their customer service responsive and reliable?
- Do they have a high uptime average?
- Can users access email from any device and still maintain compliance?
Intermedia Has Compliance Covered
By asking these questions, you’ll be able to find the right fit for your team. We’ve spent years helping healthcare organizations comply with and meet HIPAA standards. Learn more about our solutions today by downloading our whitepaper, How to Manage a Remote Healthcare Practice.