
How to e-mail Safely

In the modern world it is nearly impossible to consider life without e-mail. It provides your patients with information they can refer to conveniently and as often as necessary. E-mail also lets you answer a patient without causing the immediate interruption to you or your office staff that a phone call does. However, sending protected information via unencrypted e-mail is a violation of HIPAA laws. See 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii). There is a case that HHS is working on that is focused on the sending of unencrypted e-mails: https://www.databreaches.net/bjc-healthcare-raising-st-louis-notifies-participants-of-unencrypted-e-mails/

First, let’s clear the air about the law regarding e-mail encryption. Encryption of e-mail is not a mandatory requirement of HIPAA; it is classified as an addressable requirement. What exactly does addressable mean? Addressable requirements must be implemented, but the method of implementation is not specified; however, what is done must meet the requirements. This is how HHS addresses this topic: https://www.hhs.gov/hipaa/for-professionals/faq/2001/is-the-use-of-encryption-mandatory-in-the-security-rule/index.html

What solution other than encryption is the equivalent of encryption? I can’t think of any. So, in real-world terms, encryption of e-mail is required. The challenge is how to implement encryption in a way that is easy to use for both the provider and the patient and is also compliant with HIPAA law, because we all understand that if it is not easy to use, it will not be used. If either the provider or the patient has to go through three or more extra steps to encrypt or to read an encrypted e-mail, the solution will not be used. Furthermore, if the e-mail is encrypted and stored on the service provider’s servers, the provider will be required to issue a BAA for a practice to be compliant. Most services will not do this, or will charge a significant upcharge for doing so.

After determining that a reasonably priced single solution for encrypted e-mail was not available, we chose to use two products: an e-mail service provider that will issue a BAA and an e-mail encryption tool that does not store the e-mail. There are times when a creative solution will yield the best results and the best price point. The result is a practice that can and does use e-mail to enhance the customer experience.

When in doubt, check with security professionals (like Compunet). As a part of our All in One HIPAA Solution, we offer our clients a free risk analysis for their environment. Our solution includes one of the best e-mail encryption tools. Check out our quick quiz to see if your practice is compliant!

November 21, 2017 HIPAA Blogs