Best Practices for HIPAA Compliant Email Communication

Today’s technologies have made physician-patient communication easier than ever before. Email is a reliable way for healthcare providers to connect with their patients, colleagues, and other offices. When using email to transmit protected health information (PHI), organizations need to protect it against breaches. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects patient rights and privacy. While physicians may prefer to use secure online file storage with strong encryption to exchange PHI with their medical transcription service organization, ensuring HIPAA compliance is essential whenever PHI is sent via email.

HIPAA compliance refers to the regulations that healthcare organizations must have in place within their business in order to safeguard the privacy, security, and integrity of PHI. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment, or operations), such as email service providers and medical transcription service companies, must comply with the HIPAA Rules’ requirements to protect the privacy and security of health information.

Importance of HIPAA-compliant Email for Physicians

When it comes to email, security should be a top consideration, since this form of electronic communication is especially vulnerable to cyber attacks. Physicians who use email to send PHI externally need to encrypt it to be HIPAA compliant. An unencrypted email can be intercepted and read in transit or while it is at rest on a mail server. Not encrypting email that contains PHI puts both patients’ privacy and the organization at risk of HIPAA violations. According to Steve Alder, editor-in-chief of HIPAA Journal, measures to eliminate these risks and ensure HIPAA compliant email include (but are not limited to) the following:

  • Encrypting email
  • Having a business associate agreement in place with the email service provider
  • Implementing access controls on email accounts
  • Setting up procedures for backing up, retaining, or archiving emails containing ePHI
  • Training staff, and
  • Documenting patient consent

Let’s take a closer look at the best practices for email communication in healthcare.

Best Practices to Make Email HIPAA Compliant

The following measures can make your email HIPAA compliant and protect against email phishing attacks:

  • End-to-end email encryption: In end-to-end email encryption, a set of keys is used to encrypt the email before it is sent and to decrypt the message when it is received and stored. So, the encrypted data can be read only by those holding the decryption keys – the intended recipient and the sender. This prevents unintended users from viewing or modifying the data. AES with a 128-, 192-, or 256-bit key is the currently recommended standard for data security. Organizations should implement the safety measures best suited to their needs. Small medical practices that do not have in-house IT staff to implement HIPAA-compliant email can rely on a third-party HIPAA compliant email service provider.
  • Sign a business associate agreement with the email provider: Before using a third-party service provider for end-to-end email encryption, physicians should have them sign a business associate agreement. The agreement should cover all the important points: how the company encrypts email, where the encryption keys are kept (onsite, offsite, on another server, etc.), who has access to the encryption keys, how the company keeps the keys safe and handles physical security, and so on. In other words, the agreement should clearly define the email service provider’s responsibilities and the administrative, physical, and technical safeguards they will use to ensure the confidentiality, integrity, and availability of electronic PHI. Don’t partner with a company that is not prepared to sign a business associate agreement.
  • Configure email correctly: Simply using an email service that is covered by a business associate agreement is not sufficient to make email HIPAA compliant. Email should be configured and set up correctly. Gmail helps users set up a HIPAA compliant email account using G Suite, provided the service is used alongside a business domain. Note that Google signs a business associate agreement only with paid users, upon the request of a systems administrator. Subscribers must ensure that the service is configured to provide end-to-end encryption.
  • Train staff on using email to exchange PHI: Practices should train staff on sending HIPAA compliant email and avoiding data breaches. They should strictly implement policies on email use to ensure that the right information is always sent to the right recipient using the necessary encryption methods. Every employee should be fully aware of their responsibilities and of how to avoid errors such as sending PHI via unencrypted email or to individuals who are not authorized to view the information. Organizations should ensure that every email account has a strong password and two-factor authentication to block unauthorized access.
  • Email retention: Retaining emails will allow providers to access and recover data in an emergency or during a compliance audit. While HIPAA rules don’t specifically mention email retention, they require covered entities to store documentation related to their compliance efforts for 6 years. Covered entities should maintain a backup email archive or ensure that emails are backed up and stored. Organizations should check if the laws of the state where they are located require emails to be stored for a fixed period of time.
  • Obtain patient consent: Organizations should obtain patient consent before they start using email to send PHI. Even if the email provider is HIPAA compliant, patients must be informed that there are risks to the confidentiality of information sent via their email service. Patients should also be told about the risks involved if they view email containing PHI on a public or unsecured network. Patient consent should be documented once they understand and accept the risks, and after this is done, healthcare providers can send emails containing PHI without violating HIPAA rules.
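The first bullet above describes what end-to-end encryption gives you: only the holders of the key can read the message, and nobody else can modify it unnoticed. The following Go program is an added example written for this page; it is not code from the original post or from any email provider. It assumes a 256-bit AES key has already been shared between sender and recipient (how that key is provisioned and stored is exactly what the business associate agreement should spell out), and the function names SealMessage, OpenMessage, NewKey and Demo are hypothetical. It uses AES-256-GCM from Go's standard library, so decryption fails outright on a wrong key or on a single flipped bit, which is the "cannot view or modify" property the bullet refers to. The sample message is constructed and contains no real patient data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh random 256-bit key. In a real deployment the key
// would be provisioned and stored as the business associate agreement
// specifies; in this added example it lives only in memory.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-256-GCM AEAD and rejects keys of the wrong size.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealMessage encrypts body with AES-256-GCM. header (e.g. the To/Subject
// lines) stays readable so mail systems can route it, but it is bound to the
// ciphertext by the authentication tag. Output: nonce || ciphertext || tag.
func SealMessage(key, header, body []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, body, header), nil
}

// OpenMessage reverses SealMessage. It returns an error if the key is wrong
// or if any bit of the header, nonce, ciphertext or tag was altered.
func OpenMessage(key, header, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], header)
}

// Demo runs the three checks a practitioner wants to see: the right key
// recovers the body, a wrong key is rejected, and a tampered message is rejected.
func Demo() (roundTrip, wrongKeyRejected, tamperRejected bool, err error) {
	key, err := NewKey()
	if err != nil {
		return
	}
	// Constructed sample message for this example; not real PHI.
	header := []byte("To: patient@example.invalid\r\nSubject: Your lab results")
	body := []byte("Your HbA1c result is 6.1%. Please call the office to discuss.")

	sealed, err := SealMessage(key, header, body)
	if err != nil {
		return
	}
	plain, err := OpenMessage(key, header, sealed)
	if err != nil {
		return
	}
	roundTrip = string(plain) == string(body)

	other, err := NewKey()
	if err != nil {
		return
	}
	_, e := OpenMessage(other, header, sealed)
	wrongKeyRejected = e != nil

	forged := append([]byte(nil), sealed...)
	forged[len(forged)/2] ^= 0x01 // flip one bit of the ciphertext
	_, e = OpenMessage(key, header, forged)
	tamperRejected = e != nil
	return
}

func main() {
	rt, wk, tp, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("round trip ok: %v, wrong key rejected: %v, tampering rejected: %v\n", rt, wk, tp)
}
```

Two design points worth noting: the header is passed as associated data rather than encrypted, so an attacker who swaps the recipient line on an intercepted message also breaks the tag; and a new random nonce is drawn for every message, since reusing a nonce under the same GCM key destroys both confidentiality and integrity.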

HIPAA compliant email communication is necessary when communicating externally, beyond the organization’s firewall, and may not be needed for emails sent internally. As HIPAA compliance and the approach to it are evolving, healthcare providers need to stay updated on the rules and regulations. They must prepare their workforce to identify threats and follow best practices to ensure HIPAA compliant email communication. When it comes to EHR documentation, choosing HIPAA compliant medical transcription services is essential to ensure the confidentiality of PHI.

MOS Medical Transcription Services (MTS) is a HIPAA compliant medical transcription service organization. We provide secure HIPAA-compliant solutions for healthcare organizations across the US and strictly follow all HIPAA guidelines and best practices.
Julie Clements

About Julie Clements

Joined the MOS team in March of 2008. Julie Clements has a background in the healthcare staffing arena, as well as 6 years as Director of Sales and Marketing at a 4-star resort. Julie was instrumental in the creation of the medical record review division (and new web site), and has especially grown this division along with data conversion of all kinds.