HIPAA Compliant Email: Myths Debunked

hipaa compliant emailHIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Essentially, this bill helped standardize information procurement and delivery about patients in the new age of electronic communication. It does a lot more than that, but considering the scope of this article is on HIPAA email compliance – this is the aspect of the bill we will focus on. In the course Understanding and Complying with HIPAA you will be trained on HITECH, the 2003 addition to HIPAA and the more recent Omnibus added in 2013.

Electronic standardization in the 90’s meant that personal information about patients being sent to insurance companies for billing was at risk of being intercepted by an unauthorized party. This also means that information about a patient being sent to a patient is at risk if not prepared correctly. More about Data Security in this course. Standard email transmissions and other methods of electronic communication weren’t secure then and they sure aren’t secure now. So what can we do to ensure that we are being HIPAA compliant and not risking a security breech when sending patient data to authorized viewers? First, know the details of HIPAA inside and out. Well, at least this part of HIPAA. And keep reading, I’ll debunk some commonly circulated myths about sending emails while staying within the HIPAA framework.

Myth: All email service providers have secure servers.

This is a big fat: false. Free service providers like Gmail, AOL, and Yahoo are not secure email services and every bit of correspondence that needs to be HIPAA compliant must be encrypted. This includes any attachments to the email, images or documents. There are recommendations at the bottom of this article for some HIPAA compliant, third-party email service providers. These providers often offer encryption services as well.

Myth: It’s necessary to encrypt any and all emails.

Not necessarily. If you are sending emails from one co-worker to another on a secure server – you don’t have to encrypt the email. We are assuming here that the secure server is secure enough that it cannot be penetrated by an outside source. Even though it’s not required by HIPAA to encrypt interagency communication, it may not be a bad habit to get in to when regarding confidential information.

Myth: Even with patient acknowledgement and authorization, you have to encrypt or secure the server.

False. If the patient waives their right to privately receiving their information you have every right to send it however they request. This means you can use free email service providers, fax, Skype, text, or what have you. However, keep records of this approval. Make sure you save any correspondence that indicates the patient is okay with their information being sent unencrypted. That way if any issues arise later you can prove your actions were legitimate.                     

Myth: Organizations that make you register to send HIPAA compliant emails are the best way to communicate data.

They do their job, but at your expense. You don’t always have to pay fees to encrypt emails or to protect the integrity of patient data. If you use desktop email clients like Microsoft Outlook there is an option under Security Settings that allows you to encrypt the email. Plus, the emails are being stored on your local drive and not out in the ether of cyberspace. Enable IMAP (Internet Message Access Protocol) over SSL to ensure your emails are safe. You can then choose to delete emails from the server every time they are sent so that there is no chance of interception. Learn how to secure your server and prevent intruders from gaining access to your confidential data in this Wireless Hacking and Security course.

You may be familiar with HTTPS sites (Hypertext Transfer Protocol Secure) that use a secure “tunnel” that the email or other information is sent through. This is not necessarily “secure”. It just means that the email is secure on the email service connection but the minute it enters cyberspace it’s a free-for-all. Another thing to consider is setting up a VPN (Virtual Private Network) that is often used in businesses who are communicating confidential data. I worked in the sales department of a travel agency and we used a VPN desktop phone to ensure privacy. Learn more about VPN in Anonymous Web Browsing.

If you choose to use a third-party agency to encrypt emails and protect your data, here are a few HIPAA compliant recommendations:

Myth: Scanned documents and other electronic data sources are exempt from the HIPAA compliance laws.

Actually, anything that is being stored electronically should be encrypted. Nowadays when you scan a document or image, you can send it directly to an email. You can do the same with faxes, and telephone correspondence is often transcribed to email. Skype, under the Omnibus rule is also included. Save yourself the trouble and encrypt everything. It may feel like overdoing it at the time, but after you read the next myth you’ll be glad you’re doing it.

Myth: You don’t have to worry about encrypting information stored on any electronic device.

Yes, you do. In fact, there is a laundry list of agencies who have had devices stolen and servers hacked which resulted in them losing very confidential information about all of their patients. HIPAA doesn’t require that you encrypt every device and piece of data being stored electronically – but it would be stupid not to. Better safe than sorry, right? Penalties are enormous. Don’t get caught up dishing out hundreds of thousands of dollars because of an oversight or simply not knowing. Not only is it devastating for the patients; your reputation is on the line and there’s a lot of clean-up to do.

In addition to sending HIPAA compliant emails, HIPAA required healthcare professionals to comply with a more broad set of regulations that seem to be expanding each year. Stay up-to-date on what is expected of you and you’re co-workers to keep your office out of trouble. Take the course Understanding HIPAA for the Medical Office as a refresher.