Before You Hit Send: Ensuring HIPAA Compliant Email Transmissions From Your Practice

By Jeff Willard, AppRiver

Compliance with the Health Insurance Portability and Accountability Act — or HIPAA — often keeps doctors, dentists and other healthcare professionals up at night. Yet, since the healthcare profession requires an intense study and concentration, it’s no wonder that there is not a lot of mindshare devoted to learning the minutiae inside a dense rulebook filled with a complex set of regulations.

HIPAA requires healthcare organizations to comply with specific security, privacy and breach notification rules for the storage and transmission of protected health information (PHI) including electronic data. All healthcare professionals should have a solid knowledge of HIPAA requirements. But healthcare providers who establish their own smaller practices — especially the ones without the means to hire an administrative staff — need to understand the regulatory framework. This is particularly important when it comes to transmitting sensitive information via email.

Here are four tips to avoiding a HIPAA headache, but more importantly ensuring compliance and security risks are avoided:

1. Trigger A HIPAA Audit
   
   Many healthcare organizations are concerned about a governing body initiating an audit, however there are many ways that practices can come under scrutiny for email-related HIPAA compliance violations. For example, an audit can originate from a patient reporting an unencrypted email or, an orthodontist for the same issue.In the worst case, an email server might be hacked, revealing unencrypted patient information.
   
   Those who fail to adhere to HIPAA could face significant fines, in some cases ranging into the millions of dollars, and face jail time. Because violators also are required to report their non-compliance to those affected, as well as the media, they could also suffer reputation damage.
    
2. Check Your Email Services
   
   Email compliance requirements do not end in the doctor’s office — they extend to the practice’s technology providers as well. Healthcare organizations must ensure that the partner also complies with HIPAA standards. The provider must be diligent in the same risk analysis, administrative, physical and technical safeguards.
   
   Many medical professionals and practices use consumer-grade email services, such as Gmail or AOL for their businesses. While using these email services don’t necessarily mean the practice is out of compliance, they are designed to be cheap, easy-to-use platforms that serve a massive base of casual users — not medical professionals. Thus they often provide inadequate security and privacy measures to safeguard confidential and sensitive data.
    
3. Don’t Neglect Email Encryption
   
   Beyond just using a compliant email system, email encryption is critical — and it’s one of the most neglected aspects of HIPAA compliance. To hackers, an unencrypted email message is similar to a postcard — open for anyone to read.
   
   To remain compliant, healthcare organizations must secure the transmission of electronic protected health information via end-to-end email encryption, ensuring that data remains confidential and secure between the message sender and the intended recipient. Each email must be encrypted in a way that ensures messages with a patient’s records are secure not only from the healthcare provider’s workstation but to the next server it touches all the way to the recipient’s device. Encrypting the message from sender to receiver is the only way to guarantee compliance.
    
4. Train Your Staff
   
   While policies and technology solutions are critical to HIPAA compliance, the weakest link in compliance risk is not the email services or the office software, it’s the people interacting with patients. This liability can be reduced dramatically with effective staff training. One simple precaution is to instruct staff how to create strong passwords, and continually update them.
   
   Regardless of why a practice isn’t compliant, the fact is that unsecured email services, untrained staff, and lax security can put confidential medical data at risk. The threat landscape always is changing for HIPAA compliant electronic data transmission. Follow these guidelines and secure your email-based communications for the benefit of your patients and to reduce the risk of heavy fines.

About The Author

Jeff Willard is a Strategic Account Executive specializing in the healthcare industry for AppRiver, a global provider of cloud-based cybersecurity and HIPAA security. For more information on HIPPA-compliant email practices, download AppRiver’s free whitepaper at: http://411.appriver.com/appriver-hipaa-compliance-whitepaper.