Is Your Email HIPAA Compliant?
Questions about email privacy are top on the list of things that people ask us about.
Lots of independent medical practices reach out to us because they are unsure whether their email system meets HIPAA compliance requirements. They also want to know how their medical practice can use collaborative inbox tools like Outpost and still be HIPAA compliant.
Healthcare providers are increasingly being asked by patients to use email to communicate. For doctors and patients, email communication and collaboration can not only be allowed but encouraged, as long as you know the rules and your email tool follows them. Here’s what you need to know.
Congress passed the Health Insurance Portability and Accountability Act, or HIPAA (pronounced HIP-uh) in 1996. Before that, patient privacy was inconsistently covered by different state and federal regulations. HIPAA was the government’s attempt at bringing the patchwork of patient privacy regulations under one consistent federal umbrella.
Back in 1996, HIPAA compliant email was not something many doctors’ offices worried about. The digital landscape was completely different. Google didn’t exist yet, and many doctors’ offices still kept paper-based records.
Times have changed. Patient records, appointment confirmations, and health insurance documents are transmitted electronically. Healthcare providers must know the HIPAA email rules, and whether their patients’ PHI (protected health information) is transmitted securely.
Penalties for HIPAA violations can range from $100 to $50,000 each, or even criminal penalties or imprisonment. But it’s not as simple as whether your email app itself is HIPAA compliant. It has a lot to do with how you and your medical practice use it.
What are the rules about HIPAA email?
Under HIPAA rules, doctors can email each other about patients, and doctors can email patients directly. But the communication must be safeguarded to avoid inappropriately disclosing patient information. For instance, accidentally sending patient communication to the wrong email address would be a violation of HIPAA email rules. Sending email over a server that could be accessed by an outside party would also be a problem. Here is a list of a few HIPAA email compliant server options to help you get started.
“Basically, if they’re using any out-of-the-box email solution, it is not HIPAA-compliant, regardless of the information that is in the email,” says David Erickson, co-founder and vice president of MD EMR Systems, a company offering medical records migration and consulting. “You usually have to get add-ons to make some email systems compliant.”
If you’re specifically looking for information on Outpost and HIPAA compliance, click here.
Don’t send unless it’s encrypted
No matter what email service you’re using, whether it’s Gmail for business, or a collaborative inbox like Outpost, the HIPAA Security Rule says email to patients must be encrypted. To put it in plain language, encryption basically makes your email unreadable to anyone but the intended recipient.
There’s a lot going on behind the scenes, invisible to the average email user, each time an email is sent and received. You write an email to a patient and press send. The email goes to your email server. Then your server sends the email to your patient’s email server, which then delivers the email to your patient’s inbox.
If either server is not responding for some reason or fails, the message is sent to another server. Copies of the email are kept on each server along the way, so every press of the send button creates several points where the message data can be read by an attacker if it is not encrypted. Without encryption, server-to-server transmission of electronic data is exposed at each of those hops. Regardless of what email system is used, preventing unauthorized access to the data is key to following HIPAA email rules.
“The biggest thing that the doctors need to think about when they or their front desks are communicating with another entity by email, regardless of who that is, is who has access to the email server,” says Ken Sanders, an IT consultant for MD EMR Systems. “What are the possibilities that someone can be sitting in the middle of your communication chain with access to the server?”
Email hackers might not gain useful information from one email. But if a hacker gains access to the inbox, they could put a lot of information together that could be damaging to the patient as well as the practice.
“The encryption is to ensure that the information contained within the email cannot be intercepted or received by any party other than the intended recipient,” explains Joe Bilello, director of marketing for Compliancy Group, HIPAA compliance consultants and providers of cloud-based compliance software. “This includes doctor-to-patient and doctor-to-doctor communications. The risk of a data breach can increase exponentially by not utilizing email encryption services.”
What if your patient’s email server doesn’t have the same encryption level as your medical office?
Email can be encrypted as it leaves your server, but it is more difficult to ensure that the email remains encrypted once it reaches your patient’s server. Your patient’s mail server would need to support the same level of encryption as yours.
HIPAA acknowledges this possible discrepancy, and ensures that covered entities (health plans, healthcare clearinghouses, and healthcare providers) are not liable for disclosure of PHI if the information is intercepted in transit provided they are complying with a patient’s (or responsible party’s) request to receive their information in an unsecured manner. Covered entities are also not responsible for the security of the information once it is delivered to the patient or responsible party.
Doctor-to-doctor and doctor-to-patient communication
Doctors are not required to receive patient authorizations to share PHI with another doctor via email, explains Bilello, provided there is a pre-existing relationship between the patient and the doctor. “If no current relationship exists between patient and doctor, the doctor must obtain a signed authorization for disclosure from the patient before they can transmit PHI to another doctor via email.”
Unencrypted email is allowed as long as safeguards that protect privacy are in place, such as limiting the information that is transmitted via email. Eighteen PHI identifiers must be treated securely. These include patient names, geographic regions smaller than a state level, birth dates (other than year), phone numbers, and email addresses. “Basically, it’s anything that could ID the patient if the information was put together by someone on the outside,” explains Sanders.
Patients have the right to request unencrypted email communication, but they must explicitly authorize email communication from their providers, and they also must specifically authorize receiving unencrypted communication, according to the U.S. Department of Health and Human Services HIPAA FAQs. The healthcare provider must comply, as long as that method of communication does not present an unacceptable level of security risk to the PHI.
“Another important element of the HIPAA Privacy Rule is the minimum necessary standard, which states that only the minimum necessary amount of PHI may be sent or released in order to fulfill a given request,” says Bilello. “That means that email communications to patients containing PHI should be limited to include only the minimum amount of PHI necessary to fulfill a patient’s request.”
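The eighteen-identifier rule and the minimum necessary standard described above can be enforced mechanically before a message leaves the office. The following is an added example, not code from Outpost or from any vendor quoted in this article: a pre-send review that checks the recipient against a patient roster (to catch the misaddressed-email case mentioned earlier), scans the body for some of the identifiers the article lists (full dates, phone numbers, email addresses, ZIP codes, roster names), blocks unencrypted messages that carry identifiers unless the patient has authorized unencrypted email, and always blocks a message that names a different patient. The `Patient` roster, the regular expressions and the sample messages are all constructed for this example; the patterns are deliberately simple heuristics and would need tuning for a real practice.

```python
"""Pre-send PHI review for outbound patient email (constructed example)."""
import re
from dataclasses import dataclass

# Simplified patterns for a few of the HIPAA identifiers named in the article.
# A bare four-digit year is not an identifier, so only full dates are matched.
PATTERNS = {
    "phone number": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "full date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    "zip code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}


@dataclass
class Patient:
    """Roster entry (constructed). allows_unencrypted records the patient's
    explicit request to receive unencrypted email, per the HHS FAQ."""
    name: str
    email: str
    allows_unencrypted: bool = False


@dataclass
class Finding:
    kind: str   # which identifier category was hit
    match: str  # the text that matched


def find_identifiers(text, roster):
    """Return every identifier-like fragment found in the message body."""
    findings = [Finding(kind, m.group())
                for kind, pat in PATTERNS.items()
                for m in pat.finditer(text)]
    lowered = text.lower()
    for patient in roster:
        if patient.name.lower() in lowered:
            findings.append(Finding("patient name", patient.name))
    return findings


def review_outbound(to_addr, body, roster, encrypted):
    """Decide whether a draft may be sent. Returns ("send"|"block", reasons)."""
    patient = next((p for p in roster if p.email.lower() == to_addr.lower()), None)
    if patient is None:
        # Misaddressed email is itself a disclosure risk: never send to an
        # address that is not on file for a patient.
        return "block", [f"recipient {to_addr} is not a patient address on file"]

    findings = find_identifiers(body, roster)

    # Naming another patient to this recipient is a disclosure regardless of
    # transport security.
    others = [f for f in findings if f.kind == "patient name" and f.match != patient.name]
    if others:
        return "block", [f"message names another patient: {f.match}" for f in others]

    # Unencrypted transport: identifiers may travel only if this patient has
    # explicitly requested unencrypted communication.
    if findings and not encrypted and not patient.allows_unencrypted:
        kinds = ", ".join(sorted({f.kind for f in findings}))
        return "block", [f"unencrypted message contains PHI identifiers: {kinds}"]

    # Otherwise the message may go, with a minimum-necessary reminder listing
    # what it carries so the sender can trim anything the request does not need.
    reasons = []
    if findings:
        detail = ", ".join(f"{f.kind} ({f.match})" for f in findings)
        reasons.append(f"minimum necessary: message contains {detail}")
    return "send", reasons


# Constructed roster and drafts used by the demo below.
ROSTER = [
    Patient("Jane Doe", "jane.doe@example.com"),
    Patient("John Roe", "john.roe@example.com", allows_unencrypted=True),
]
PHI_BODY = ("Jane Doe, DOB 03/14/1985: please call 319-555-0142 about your "
            "results; your visit was at our 52001 office.")

if __name__ == "__main__":
    drafts = [
        ("jane.doe@example.com", "Hi Jane, your appointment is confirmed for next Tuesday at 2 pm.", False),
        ("jane.doe@example.com", PHI_BODY, False),
        ("jane.doe@example.com", PHI_BODY, True),
        ("john.roe@example.com", "John Roe, your labs from 2024-03-15 are ready.", False),
        ("jane.doe@example.com", "FYI John Roe also needs a follow-up.", True),
        ("jane.doe@exmaple.com", "Hello", True),
    ]
    for to_addr, body, enc in drafts:
        decision, reasons = review_outbound(to_addr, body, ROSTER, enc)
        print(f"{decision:5} -> {to_addr} (encrypted={enc}) {reasons}")
```

The check runs on the draft, not on the wire, so it works the same whether the practice sends through a portal, an encrypted gateway, or plain SMTP; the `encrypted` flag is whatever the sending system knows about the transport for that recipient. Name matching against the roster is the weakest part of the heuristics (nicknames and partial names slip through), which is why the roster lookup on the recipient address is the control that actually prevents misdelivery.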
Creating a culture of compliance
HIPAA consultants can help healthcare providers navigate the issues surrounding email and privacy. Bilello notes, however, that consultants may help a healthcare provider identify risks, but that it can be difficult for the office to maintain a culture of compliance, as well as the infrastructure to ensure continued compliance once they are no longer working with the consultant.
“It’s important to remember that HIPAA is a complex series of interlocking standards,” says Bilello. “Any practice would do well to implement email security and compliance measures. Just remember that this is only a small portion of what the law requires. Educating yourself about your HIPAA requirements as a healthcare provider is the best way to keep sensitive healthcare data safe and protect yourself from data breaches, HIPAA investigations, and fines. Make sure that however your practice is addressing HIPAA, you’re creating a total HIPAA compliance program.”
In general, email by itself isn’t HIPAA-compliant or non-compliant. The key is to ensure that doctors and staff know what information is permissible to transmit by email and what isn’t, along with knowing the security of the email system.
Organizations have different ways of handling HIPAA compliant email. Dr. Neil Khilnani, a vascular radiologist and associate professor at Weill Medical College at Cornell University in New York, doesn’t ever use email or text to communicate with patients, per Cornell policy. “The only private way to communicate with patients on campus is to use Cornell-to-Cornell encrypted email or a MobileIron cell phone network,” Dr. Khilnani says.
Patient portals are another option: patients log into a secure area to transfer files securely and to access their medical records, upcoming appointment information, and appointment history electronically.
The office of Dr. Joseph Jenkins, a vein surgeon with the Tri-State Vein Center in Dubuque, Iowa, does communicate with patients via email through a secure email portal. “The EMR we use has a patient portal connected with it,” Dr. Jenkins says. “We have to know the email address of the patient. The patient is given a temporary password and the patient has to log into the patient portal by following the link on the Tri-State Vein Center website.
“The patient then changes their password. We can then email them messages that contain HIPAA content via the portal system. The message that they receive is generated by the EMR and is encrypted. The patient can email the center with HIPAA content and it is encrypted to us only through the patient portal. We instruct the patients that want to set this communication up that this is the only way that we have to ensure that the information is protected.”
Outpost and HIPAA email
Outpost is an email collaboration tool that works on top of Gmail. Outpost offers secured server communication between Outpost and Gmail. Google (G Suite) offers this guide on HIPAA compliance, where they state that they require practices seeking to be HIPAA-compliant to complete a Business Associate Agreement (BAA). They also recommend using Google Docs (set to private) to send PHI to patients.
When email is used in a healthcare provider setting, it is crucial to know who sent what email to, and when. Doctors’ offices typically have several patient managers who are setting up appointments, emailing out appointment reminders, and managing billing and other patient communication.
With a shared inbox that users get with email collaboration software like Outpost, each staff member receives their own login, which makes it easy to see who has done what. If a staff member is on vacation or out sick, the other staff members can use the same inbox, with their own login to continue getting work done. And of course, Outpost only uses state-of-the-art secure servers.
One issue surrounding email privacy is exposing a patient’s sensitive information to people who don’t need to see it. Forwarding an email to various members of an office and getting replies to and from everyone can unnecessarily expose sensitive details. Outpost allows teams to add internal, private notes to emails that only the team can see. The notes allow the team to discuss the best way to respond to an email and to collaborate on drafts without having to forward emails in never-ending rounds.
Smart email solutions such as Outpost also allow you to route emails to the correct person on the team, so that no one who isn’t supposed to get an email ends up getting one by mistake.
Email can be an efficient way for healthcare providers to communicate both internally among staff and externally with patients. Using an email system that understands the issues surrounding HIPAA-compliant email eases the burden of other cumbersome communication methods and provides patients with their information in a way that most people in today’s world want and need.