Home  |   Subscribe  |   Resources  |   Reprints  |   Writers' Guidelines

E-News Exclusive

Before You Hit ‘Send’ ... Ensuring HIPAA Compliant E-mail Transmissions

By Jeff Willard

HIPAA compliance often keeps doctors and other health care professionals up at night. Yet, since the health care profession requires intense study and concentration, it’s no wonder there is not a lot of mindshare devoted to learning the minutiae inside a dense rulebook filled with a complex set of regulations.

HIPAA requires health care organizations to comply with specific security, privacy, and breach notification rules for the storage and transmission of protected health information (PHI), including electronic data. All health care professionals should have a solid knowledge of HIPAA requirements. But health care providers who establish their own smaller practices—especially the ones without the means to hire an administrative staff—need to understand the regulatory framework. This is particularly important when it comes to transmitting sensitive information via e-mail.

The following are four tips to avoiding a HIPAA headache, but more importantly ensuring compliance and security risks are avoided:

• Be prepared for a HIPAA audit. Many health care organizations are concerned about a governing body initiating an audit; however, there are many ways that practices can come under scrutiny for HIPAA compliance violations related to e-mail. For example, an audit can originate from a patient reporting an unencrypted e-mail or from an orthodontist for the same issue. In the worst case, an e-mail server might be hacked, revealing unencrypted patient information.

Those who fail to adhere to HIPAA could face significant fines, in some cases ranging into the millions of dollars, and face jail time. Because violators are required to report their noncompliance to those affected, as well as to the media, they could also suffer reputation damage.

• Check your e-mail services. E-mail compliance requirements do not end in the doctor’s office—they extend to the practice’s technology providers as well. Health care organizations must ensure that the partner also complies with HIPAA standards. The provider must be diligent in the same risk analysis, administrative, physical, and technical safeguards.

Many medical professionals and practices use consumer-grade e-mail services such as Gmail or AOL for their businesses. While using these e-mail services doesn’t necessarily mean the practice is out of compliance, they are designed to be cheap, easy-to-use platforms that serve a massive base of casual users—not medical professionals. Thus they often provide inadequate security and privacy measures to safeguard confidential and sensitive data.

• Don’t neglect e-mail encryption. Beyond just using a compliant e-mail system, e-mail encryption is critical—and it’s one of the most neglected aspects of HIPAA compliance. To hackers, an unencrypted e-mail message is similar to a postcard—open for anyone to read.

To remain compliant, health care organizations must secure the transmission of electronic PHI via end-to-end e-mail encryption, ensuring that data remain confidential and secure between the message sender and the intended recipient. Each e-mail must be encrypted in a way that ensures messages with a patient’s records are secure from the health care provider’s workstation to the next server it touches, all the way to the recipient’s device. Encrypting the message from sender to receiver is the only way to guarantee compliance.

• Train your staff. While policies and technology solutions are critical to HIPAA compliance, the weakest link in compliance risk is not the e-mail service or the office software—it’s the people interacting with patients. This liability can be reduced dramatically with effective staff training. One simple precaution is to instruct staff how to create strong passwords and continually update them.

Regardless of why a practice isn’t compliant, the fact is that unsecured e-mail services, untrained staff, and lax security can put confidential medical data at risk.

The threat landscape always is changing for HIPAA-compliant electronic data transmission. Follow these guidelines and secure your e-mail-based communications for the benefit of your patients and to reduce the risk of heavy fines.

— Jeff Willard is a strategic account executive specializing in the health care industry for AppRiver, a global provider of cloud-based cybersecurity and HIPAA security. For more information on HIPAA-compliant e-mail practices, download AppRiver’s free whitepaper at http://411.appriver.com/appriver-hipaa-compliance-whitepaper.