HIPAA Compliant Email
January 11, 2022
We send and receive email every day so it would seem natural to send emails to your patients. But what if the emails contain protected health information? How do you make email HIPAA compliant?
How you will use email with protected health information
The first questions to ask are, “Is my email network behind a firewall?” and “Am I only emailing protected health information between myself and my staff within the confines of the firewall?” If you answer yes to both questions, then you don’t need to encrypt your emails. But you do need access controls for email accounts so that only those individuals who are authorized have access to protected health information.
On the other hand, if you intend to use email to send protected health information externally, you are responsible for protecting the protected health information—in other words, making it HIPAA compliant. Encryption is the key to making your email HIPAA-compliant but it’s not that simple. Many email service providers that offer an encrypted email service are not HIPAA compliant because they do not incorporate all the necessary safeguards to meet the requirements of the HIPAA Privacy and Security Rules.
Here are some of the things you will want to consider to make sure your email is HIPAA compliant:
- Ensure you have end-to-end encryption for email
- Enter into a HIPAA-compliant business associate agreement with your email provider
- The most important step—Develop policies on the use of email and train your staff
- Emails containing PHI need to be retained for 6 years
- Secure, encrypted email archiving saves storage space and is indexed, making it easier to search
- Obtain consent from patients before communicating with them by email
HIPAA email compliance should be included in your compliance plan. You don’t want something we all do every day (sending and receiving emails) to get you into HIPAA trouble. If you are unsure of the requirements of HIPAA compliance, speak with a healthcare attorney that specializes in HIPAA to advise you of your responsibilities and the requirements of HIPAA with respect to email.
You can join me in The Private Medical Practice Academy membership to learn how to maximize your practice's success.
For a full searchable copy of the transcript, visit https://www.thepracticebuildingmd.com/podcast
If you'd like to hear more tips on how to start, run and grow your practice and related medical businesses, please sign up for my newsletter at https://www.thepracticebuildingmd.com.
Be sure to join my FB group, The Private Medical Practice Academy to be part of a community interested in starting, running and growing their private medical practices and leveraging them into multiple revenue streams.
00:00:00 Hi, it's Dr. Weitz. Thanks so much for joining me for this episode of The Private Medical Practice Academy. Sending and receiving email has become the norm. Personally, I opt into anything and everything that can be sent electronically rather than have it delivered via snail mail. I love to send emails. I don't need a stamp and I don't need to go to the post office to mail it.
00:00:24 Not only that, I almost always get a much quicker response. Honestly, I don't remember life before there was email. So it seemed only natural to send information back and forth between you, your practice and your patients via email. But what if it's protected health information? How do you make email HIPAA compliant? The first step is to understand how you're intending to use email with protected health information.
00:00:54 If you will only ever send emails internally, you may not need to really worry about making your email HIPAA compliant. How do you know? Well, the first thing you're going to want to do is ask your IT folks to confirm that your email network is behind a firewall. If it is, and you and your staff are only going to be emailing protected health information between yourselves,
00:01:20 within the confines of the firewall, then you don't actually need to encrypt your emails. What you will need to do, however, is to set access controls on your email accounts. Why and what does this mean? You want to set the access controls to include only those individuals who are actually authorized to access protected health information. This is the same idea as setting up who can access what in your EMR and your practice management software.
00:01:50 Now, on the other hand, if you want to use email to send protected health information externally, that's a whole different story. You need to think about your firewall as being inside the box. Once you go outside the box, i.e., beyond the firewall, you're responsible for protecting the protected health information. In other words, this is when you really need to make it HIPAA compliant.
00:02:15 Encryption is the key to making your email HIPAA compliant. That said, many email service providers that offer an encrypted email service are not HIPAA compliant because they don't incorporate all of the necessary safeguards to meet the requirements of the HIPAA Privacy and Security Rules. So I'm going to tell you some of the things you're going to want to consider in order to make your email HIPAA compliant and to choose the right vendor.
00:02:47 Number one, you want to ensure that you have end-to-end encryption for email. Just because email is a quick and easy way to communicate doesn't mean that it's secure, and even services that encrypt messages in transit may not have the required level of security to make them HIPAA compliant. Email that's HIPAA compliant must have end-to-end encryption, which means that the messages in transit and those that are stored are encrypted.
00:03:16 It's not enough to just have it encrypted in transit. Access controls allow only the intended recipient and the sender to access the messages. I want to point out to you that some email service providers allow individual emails to be encrypted by clicking a button or using a portal. I'll tell you that this is a recipe for disaster. It's easy to forget to turn on the encryption feature, and you or your staff may accidentally send an unencrypted email.
00:03:50 Also, do you really want to rely on the person sending the email to determine whether the information contains protected health information and to turn on the encryption? Look, you can reduce the potential for human error by choosing to encrypt all emails, not just those that contain protected health information. Like everything else tech, the type of encryption used is also important and seems to be ever-changing.
00:04:16 I'll give you an example. The type of encryption our email service provider was using was considered secure until it wasn't. This is something that you need to continually monitor to make sure that you're using the most secure encryption available. Depending on the stage of your practice, you may not have an in-house IT staff to make sure that your email is HIPAA compliant. Not to worry, a quick Google search is going to give you multiple third-party HIPAA compliant
00:04:44 email service providers. As with all software solutions that are meant to help physicians be compliant, you'll want to evaluate how well each of these options integrates with your EMR and practice management software. Next, you'll need to enter into a HIPAA compliant business associate agreement with your email service provider before you start to send any emails. The business associate agreement outlines the responsibilities of the service provider and establishes the administrative, physical and technical safeguards to ensure the confidentiality,
00:05:18 integrity, and availability of protected health information. If an email service provider is not prepared to enter into a business associate agreement, you need to look elsewhere. Even when a business associate agreement is obtained, there are still risks associated with email, and it's possible to fail to configure the email service correctly, and then you've violated HIPAA. Simply using an email service that's covered by a business associate agreement does not mean that your email is HIPAA compliant.
00:05:51 I'll give you an example. Google's G Suite includes email and is covered by its business associate agreement. However, in order to make G Suite HIPAA compliant, you have to use it alongside a business domain. And even then you still need to make sure that it's configured for end-to-end encryption. I also want to point out to you that G Suite is not the same thing as Gmail.
00:06:18 Gmail is not intended for business use and is never HIPAA compliant. Google does not sign a business associate agreement for its free services, only for its paid services. So if you're using Gmail as a means of communication, this is not HIPAA compliant. Now probably the most important step is that you need to develop policies on the use of email and then train your staff.
00:06:43 Okay? So you've implemented this HIPAA compliant email service, but that doesn't mean that your staff knows how to use it. There have been several data breaches that have occurred as a result of errors made by healthcare staff. The accidental sending of protected health information via unencrypted email and the sending of protected health information to individuals who are not authorized to view the information are HIPAA violations.
00:07:12 It's important to ensure that all of your staff are aware of their responsibilities under HIPAA and are trained in the use of the email service. Next, you need to retain your emails. Basically email is yet another form of a medical record. The issue here is that HIPAA rules on email retention are a little unclear. Why? Because it wasn't actually specifically mentioned in the original HIPAA legislation.
00:07:41 Since individuals can demand information on disclosures of protected health information, and email communications may have to be provided when there's legal action, you need to maintain an email archive, or at least ensure that they've been backed up and stored. There are state laws that also require emails to be stored for a fixed period of time. You need to check the laws in your state to figure out how long that needs to be.
00:08:10 If you have any doubt, ask a healthcare attorney. Security-related emails and emails relating to changes in privacy policies should be retained for a period of six years. And HIPAA requires covered entities, meaning you, to store documentation related to their compliance effort for six years. So the issue here is that it takes a significant amount of space to store six years' worth of emails,
00:08:41 including attachments. One solution for dealing with the storage requirements is to consider using a secure, encrypted email archiving service rather than simply backing up your emails. Not only does this free up storage space, but because the email archive is indexed, it makes it easier to search for a specific email. So if an email needs to be produced for legal discovery or for a compliance audit,
00:09:10 it's much easier and less time-consuming for your staff to find those emails. Now, as with an email service provider, any provider of an email archiving service is also subject to HIPAA rules, and they will be classed as a business associate. What does that mean? Again, just like with your email service provider, you would need the email archiving provider to sign a business associate agreement.
00:09:38 Now, the next thing is that you need to obtain consent from patients before communicating with them via email. While it's convenient to send emails containing protected health information, consent to use email as a communication method must be obtained from the patient in writing before any protected health information is sent. Even if you have a HIPAA compliant email provider, patients must be advised that there are risks to the confidentiality of information sent via email.
00:10:12 If they're prepared to accept the risks, then email containing protected health information can be sent without violating HIPAA rules. Now, I want to point out to you that this is very important to understand, because a lot of people want to put their forms on their website and then have patients send those forms via email. If a patient sends you their forms with their protected health information,
00:10:39 it's their information to disclose. However, in the ideal world, you actually have already gotten consent from that patient for communication back and forth, via email. So I would tell you that one of the things that you may want to consider is actually putting that consent form for use of email on your website, along with the other forms. So you're disclosing to that patient,
00:11:07 these risks and getting their approval before you even get started. The last thing I'm going to tell you is that HIPAA email compliance needs to be included in your compliance plan. You don't want something we all do every day, sending and receiving emails, to get you in HIPAA trouble. If you're unsure of the requirements of HIPAA compliance, speak with a healthcare attorney that specializes in this so that they can advise you on your responsibilities in order to make sure that your email communications don't get you in trouble.
00:11:40 Thanks for joining me. Please be sure to sign up for my newsletter below. I'll be sending you tips on how to start a practice, grow a practice, and then add multiple services so that you can maximize your revenue.