Tips for HIPAA-Compliant Email Communication


When the Health Insurance Portability and Accountability Act (HIPAA) was signed in 1996, email communication was just gaining traction among the general public. The law protected the electronic storage and sharing of patient information, but its original text did not specifically mention email. Instead, HIPAA calls on healthcare providers to provide “reasonable safeguards” to keep patients’ electronic information secure.

Some healthcare organizations take the omission of email from the law to mean it completely prohibits email use. That’s not the case, though. Secure email communication and HIPAA compliance can live harmoniously, but there are some necessary precautions.

Physicians and other healthcare professionals who use email communication for anything pertaining to HIPAA-protected data must take the proper steps to ensure its safety. Failure to take HIPAA compliance seriously in email can lead to potential theft of patient information, lawsuits, and even fines or sanctions from the government.

Keep your emails HIPAA-friendly by taking these important steps.

Empower Your Staff

It’s not enough to have your employees sign a HIPAA privacy statement once a year. Staff should have training on HIPAA email scenarios that are specific to your practice or organization. This should include examples of what items are HIPAA-protected in electronic communication, where to go for help if a suspected privacy breach occurs, and who’s in charge of encrypting the HIPAA information. By explaining HIPAA policy in real terms, your staff can have a better handle on their own responsibilities when it comes to protecting ePHI (electronic protected health information). You should also go over the consequences to the individual and organization should something or someone compromise HIPAA email privacy.

Enable Email Encryption
This step starts with understanding how email encryption works. An encrypted email needs authentication so the user can read it. For example, a bank might send an encrypted email statement that requires an additional password. Most people think that the electronic messages they send from personal or work emails have encryption protection, but this often isn’t the case. Even large email providers like Google Apps don’t offer encryption by default; people who want it must pay for it separately. Educate your employees on when emails are encrypted and when they are not. It’s best to reduce the number of email decisions your staff has to make by encrypting all emails as a default. That is, it’s much safer to have users actively opt out of the use of encryption when it isn’t needed, than to have them accept responsibility for remembering to opt in to encryption when necessary. This behind-the-scenes step can save healthcare organizations a lot of headaches when it comes to avoiding email breaches due to user error.
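The opt-out policy described above, as an added example that is not part of the original article: an outbound mail check that encrypts every message by default, honours an explicit opt-out only when the message carries no ePHI indicators, and otherwise refuses it. The header name and the ePHI patterns are constructed for illustration, not a product's actual configuration.

```python
import re
from email.message import EmailMessage

# Assumed header a user sets to opt out; not a standard header.
OPT_OUT_HEADER = "X-Encrypt-Opt-Out"

# Constructed ePHI indicators for the demo. A real deployment would use the
# organisation's own data classification rules.
EPHI_PATTERNS = [
    re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.I),            # medical record number
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                  # SSN-shaped value
    re.compile(r"\b(diagnos(is|ed)|prescription|lab result)\b", re.I),
]

def contains_ephi(msg: EmailMessage) -> bool:
    """True if the subject or body matches one of the constructed indicators."""
    text = msg.get("Subject", "") + "\n" + msg.get_content()
    return any(p.search(text) for p in EPHI_PATTERNS)

def encryption_decision(msg: EmailMessage) -> tuple[bool, str]:
    """Decide whether to encrypt. Encrypting is the default; opt-out is the exception."""
    opted_out = msg.get(OPT_OUT_HEADER, "").strip().lower() == "yes"
    if not opted_out:
        return True, "default: encrypt"
    if contains_ephi(msg):
        return True, "opt-out refused: ePHI indicators found"
    return False, "opt-out honoured: no ePHI indicators"

def build(subject: str, body: str, opt_out: bool = False) -> EmailMessage:
    """Construct a sample outbound message (addresses are placeholders)."""
    m = EmailMessage()
    m["Subject"] = subject
    m["From"] = "clinic@example.org"
    m["To"] = "patient@example.net"
    if opt_out:
        m[OPT_OUT_HEADER] = "yes"
    m.set_content(body)
    return m

if __name__ == "__main__":
    for msg in (build("Appointment", "See you Tuesday."),
                build("Lunch", "Cafeteria at noon?", opt_out=True),
                build("Results", "Your lab result is attached. MRN: 1234567", opt_out=True)):
        print(msg["Subject"], "->", encryption_decision(msg))
```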

Make Vendors Official
You can only do so much yourself when it comes to protecting the sensitive information of patients. Most healthcare organizations work with outside vendors, and patients grant permission for information sharing that’s in the best interest of their health. To ensure that your vendors value HIPAA compliance in email, ask them to sign a Business Associate Agreement; it’s a requirement under HIPAA law.

Obtain Consent
Inform patients of the risks associated with electronic sharing of patient health information (this risk is greatly reduced with encrypted email) and then have them sign off on it. If you have a patient who is adamantly averse to electronic communication or sharing of data, honor this by allowing that patient to opt out. Make sure your consent form lists vendors and other healthcare entities as recipients of the potential data.

Add an Email Privacy Statement
Talk with your email encryption provider or IT department about adding an automatic privacy statement to the bottom of all emails. This statement should contain language that lets the reader know all the information inside is completely confidential and intended only for that reader. These statements cannot force people to stop reading, of course, but they’re certainly a deterrent to anyone who may accidentally open an email not intended for them.

Use an Email Archive System
Part of HIPAA compliance when it comes to email is having an archival system in place. An email archive is not a specific requirement, but under HIPAA law, you must retain electronic communications for six years, and you must have backups and emergency access to data. A HIPAA-compliant archival system stores the original sent and received emails, even if you delete those emails from inboxes or other basic folders. Once archived, there is no way to edit or forge any information in that email. Using a strong email archival system heightens the organization’s credibility if someone ever questions or sues about the communications.
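One way the "no way to edit or forge" property can be made checkable, as an added example that is not the article's or any vendor's code: an append-only archive in which every record's hash covers the previous record's hash, so editing, deleting or inserting a message breaks verification. The sample messages are constructed for the demonstration.

```python
import hashlib

GENESIS = "0" * 64   # chain anchor for the first record

def _record_hash(prev_hash: str, raw_message: bytes) -> str:
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(len(raw_message).to_bytes(8, "big"))  # length prefix avoids ambiguity
    h.update(raw_message)
    return h.hexdigest()

class EmailArchive:
    def __init__(self) -> None:
        self.records = []   # each: {"prev": str, "hash": str, "raw": bytes}

    def append(self, raw_message: bytes) -> str:
        """Store the original message bytes, linked to the previous record."""
        prev = self.records[-1]["hash"] if self.records else GENESIS
        digest = _record_hash(prev, raw_message)
        self.records.append({"prev": prev, "hash": digest, "raw": raw_message})
        return digest

    def verify(self) -> tuple[bool, int]:
        """Return (ok, index of first bad record); index is -1 when intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or _record_hash(prev, rec["raw"]) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        return True, -1

# Constructed raw messages (RFC 5322 text) for the demonstration.
SAMPLE = [
    b"From: clinic@example.org\r\nTo: patient@example.net\r\nSubject: Appointment\r\n\r\nSee you Tuesday.\r\n",
    b"From: patient@example.net\r\nTo: clinic@example.org\r\nSubject: Re: Appointment\r\n\r\nConfirmed.\r\n",
    b"From: clinic@example.org\r\nTo: patient@example.net\r\nSubject: Reminder\r\n\r\nBring your card.\r\n",
]

def demo_intact() -> tuple[bool, int]:
    archive = EmailArchive()
    for raw in SAMPLE:
        archive.append(raw)
    return archive.verify()

def demo_edited() -> tuple[bool, int]:
    archive = EmailArchive()
    for raw in SAMPLE:
        archive.append(raw)
    archive.records[0]["raw"] = archive.records[0]["raw"].replace(b"Tuesday", b"Friday")
    return archive.verify()

def demo_deleted() -> tuple[bool, int]:
    archive = EmailArchive()
    for raw in SAMPLE:
        archive.append(raw)
    del archive.records[1]   # quietly dropping a message also breaks the chain
    return archive.verify()
```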

Perform Annual Security Reviews
If HIPAA law applies to you, then you must review your security policies annually. This is particularly important when it comes to email communications. Hacked or unintentionally leaked emails leave patients’ sensitive information exposed. To protect against these scenarios, security reviews examine network stability, staff training, the wording of electronic communication policies, and whether operational systems are up to date.

Since the goal of HIPAA-compliant email systems is to protect patients, all electronic communications policies should start there. When you’re developing your own HIPAA email procedures, remember that the purpose is to first safeguard patient data and second to protect your own healthcare organization. Health-related information is some of the most sensitive of all, and the convenience of email and other electronic systems should never overshadow the responsibility of physicians and healthcare groups.

Contributed By: LuxSci founder Erik Kangas has an impressive mix of academic research and software architecture expertise, including: undergraduate degree from Case Western Reserve University in physics and mathematics, PhD from MIT in computational biophysics, senior software engineer at Akamai Technologies, and visiting professor in physics at MIT. Chief architect and developer at LuxSci since 1999, Erik focuses on elegant, efficient, and robust solutions for scalable email and web hosting services, with a primary focus on Internet security. Lecturing nationally and internationally, Erik also serves as technical advisor to Mediprocity, which specializes in mobile-centric, secure HIPAA-compliant messaging. When he takes a break from LuxSci, Erik can be found gleefully pursuing endurance sports, having completed a full Ironman triathlon and numerous marathons and half Ironman triathlons.