Healthcare Organizations Need HIPAA Compliant Email.
Last updated 4/11/22. As the world started to rely on digital communication more and more, HIPAA compliance guidelines expanded to our email inboxes. Learn more about achieving HIPAA email compliance in this guide.
The Origins of HIPAA
If you are new to owning a healthcare business, have worked for healthcare organizations for years, or are just generally curious about HIPAA-compliant email guidelines, you have come to the right place!
HIPAA is an acronym for Health Insurance Portability and Accountability Act. It is a United States federal statute enacted by the 104th United States Congress and was signed into law by President Bill Clinton on August 21, 1996. The purpose of HIPAA was to ensure the safety and confidentiality of patients’ data, also known as Protected Health Information (PHI).
The enactment of HIPAA marked the beginning of reforming data transmission within the healthcare industry and helped guarantee that employees would maintain health insurance coverage in the midst of changing jobs. While HIPAA laid the groundwork for introducing better-protected healthcare, it also paved the way for establishing a series of additional rules to better protect patient privacy.
Why the Privacy and the Security Rule?
The Secretary of Health and Human Services (HHS) initially created The Security Rule and The Privacy Rule to set even higher regulatory standards for the transmission of PHI and ePHI (electronically stored, protected health information).
PHI refers to any information within a person’s medical record that can directly link them to the data held by a covered entity. HIPAA defines 18 identifiers as PHI, including:
- Specific names
- Addresses containing information that indicates a specific residence
- Telephone numbers
- Personal email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Driver’s license numbers
- Any personal vehicle information
- IP addresses
- Web URLs
- Fingerprints or voiceprints
- Serial numbers of any kind
- Fax numbers
- Any specific dates relating to a patient
The Security Rule was proposed in 1998, just two years after HIPAA was signed into law, to improve the standards and regulations of a person’s health-related information when transmitted between healthcare providers, businesses, health plans, and other organizations.
The Privacy Rule focused more on safeguarding personally identifiable information and made it easier for patients to access their data and records. This rule was initially proposed in 1999 during President Clinton’s second term and officially signed into law on December 28, 2000, weeks before Clinton’s second term ended. HHS immediately proposed further revisions, most importantly assigning the Office for Civil Rights, an agency within HHS, to administer and enforce HIPAA laws, regulations, fines, and penalties.
The Enforcement Rule.
By 2005, failures to comply with HIPAA laws and regulations had already become common across the healthcare industry and its business associates. HHS responded by introducing the HIPAA Enforcement Rule, which allowed HHS to conduct investigations into suspected violations of HIPAA. The Enforcement Rule also gives HHS the power to determine liability and calculate financial penalties for organizations or individuals found to have breached HIPAA laws, provided the breach could have been avoided by following already established rules.
The Enforcement Rule also made it possible for an individual to file a civil lawsuit against any covered entity suspected of sharing any personal data without consent, causing the said individual “serious damage.”
By 2009, nearly all health organizations had gone digital, and President Obama signed the Health Information Technology for Economic and Clinical Health Act, or the HITECH Act, into law. This law required health providers to begin using Electronic Health Records (EHRs), which helped protect private health data, and it allowed much higher fines, which sharply increased the cost of HIPAA noncompliance.
The Breach Notification Rule.
Added in 2009, The Breach Notification Rule requires organizations to notify patients of privacy breaches. According to this rule, any malicious activity or breaches of ePHI by a covered entity that would directly impact the security of at least 500 persons must be documented and reported to the Office for Civil Rights (OCR). By law, organizations must notify patients potentially affected by a breach.
Most recently in 2013, the HIPAA Omnibus Rule was passed, which reformed and updated the already established rules. The Omnibus Rule made it mandatory for businesses, associated employees, and clients to become HIPAA compliant based on said rules.
What is HIPAA Compliant Email?
Today, most healthcare-related businesses and organizations deal with the digital exchange of sensitive data. If you send this type of information through a standard email application, you risk a HIPAA violation.
Is My Email HIPAA Compliant?
The purpose of email is to deliver messages, not to protect them. Email is not HIPAA compliant by default. Even if your standard email application provides Transport Layer Security (TLS) encryption, this still does not mean that your emails are 100% protected. TLS is negotiated hop by hop and depends on the recipient’s mail server supporting it as well: if the receiving server does not offer TLS, most sending systems silently fall back to an unencrypted connection, so you may believe you sent an encrypted email when you did not. TLS also protects the message only while it is in transit, not once it sits in the recipient’s mailbox.
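As an added illustration (not code from the original article or from NeoCertified), here is how a sending system can apply the point above: check whether the recipient’s mail server advertises STARTTLS before releasing a message, and route anything containing PHI to a secure-portal notice instead of falling back to cleartext. The host names, EHLO replies and the secure-portal fallback are constructed for the example.

```python
import smtplib
import ssl

# Constructed EHLO reply bodies, shaped like smtplib.SMTP.ehlo() returns them
# (greeting line first, then one extension keyword per line, "250-" already stripped).
EHLO_WITH_STARTTLS = b"mx.example.test Hello\nSIZE 52428800\nSTARTTLS\nENHANCEDSTATUSCODES"
EHLO_WITHOUT_STARTTLS = b"mx.legacy.test Hello\nSIZE 10485760\n8BITMIME"


def parse_ehlo_extensions(ehlo_message: bytes) -> set:
    """Return the upper-cased SMTP extension keywords advertised in an EHLO reply."""
    lines = ehlo_message.decode("ascii", "replace").splitlines()
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}


def choose_delivery(ehlo_message: bytes, contains_phi: bool) -> str:
    """Policy for one delivery hop.

    STARTTLS offered    -> encrypt this hop ("starttls").
    Not offered, PHI    -> never fall back to cleartext; send only a notice that
                           points the recipient to a secure portal ("secure-portal").
    Not offered, no PHI -> plain delivery is acceptable ("plaintext").
    Even "starttls" protects only this hop: the message is stored in clear in the
    recipient's mailbox and may be relayed onward by their provider.
    """
    extensions = parse_ehlo_extensions(ehlo_message)
    if "STARTTLS" in extensions:
        return "starttls"
    if contains_phi:
        return "secure-portal"
    return "plaintext"


def send_requiring_tls(host: str, sender: str, recipient: str, message: str, port: int = 25) -> None:
    """Deliver over SMTP but refuse the silent cleartext fallback most mail clients perform.

    The certificate is verified against the system trust store and the host name,
    so a server that drops STARTTLS from its EHLO reply or presents an untrusted
    certificate causes a hard failure instead of a plaintext send.
    """
    context = ssl.create_default_context()  # verifies chain and host name
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host} does not offer STARTTLS; PHI not sent in cleartext")
        smtp.starttls(context=context)
        smtp.ehlo()  # re-identify after the TLS handshake, as RFC 3207 requires
        smtp.sendmail(sender, recipient, message)
```

`send_requiring_tls` needs network access to a real mail server; the policy functions above it run offline against the constructed replies.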
Is Microsoft Outlook or Gmail HIPAA Compliant?
Unfortunately, even the most common email service providers are not equipped with safeguards against HIPAA violations. Whether you use Microsoft Outlook, Edge, Office 365, or Gmail as a standard email application, you are likely sending over an unencrypted connection that attackers could intercept.
The good news is, with a few extra steps, you can have confidence that you’re communicating through a HIPAA-compliant email service.
Tips for Utilizing HIPAA Compliant Email.
Your best bet in avoiding HIPAA fines and penalties is an obvious one… Become HIPAA compliant! Here are some suggestions on how to start the process of aligning your organization with HIPAA privacy practices.
Understand the HIPAA Guidelines.
Be aware of the most up-to-date state and federal laws. A good practice is to research changes to HIPAA/HITECH violation laws quarterly. If you do not have the staff to do this research, you can always hire a HIPAA/HITECH third-party consultant. Know that no single policy, procedure, or product can ensure 100% compliance, so make sure that everyone in your organization understands the laws and regulations surrounding HIPAA.
To comply with HIPAA guidelines, you will need to read the full text of HIPAA (45 CFR Parts 160, 162, and 164); fortunately, the Department of Health and Human Services’ Office for Civil Rights has summarized this section into 115 pages.
Work with an Email Compliance Solutions Provider.
Organizations that lack the time or ability to become compliant can opt for a third-party HIPAA compliant solutions provider. A HIPAA-compliant solutions provider will do all the hard work and can also help your organization confirm that your policies, procedures, and practices are in line with the rules and regulations of HIPAA.
NeoCertified Secure Email integrates with almost all the popular standard email applications out there, so you don’t even need to leave your email browser to send secure emails. NeoCertified also offers Business Associate Agreements to small, medium, and large-sized businesses free of charge!
Implement a Business Associates Agreement.
A Business Associates Agreement (BAA) is a written agreement between associated parties that creates a shared liability. If one partner violates the agreement, the other party can take legal action. When a covered entity, organization, or associate hires a third-party solutions provider, they must sign a BAA to comply with HIPAA and HIPAA compliant email regulations.
Create a HIPAA Checklist.
Whether you are a new organization or have been around for decades, be sure to have a HIPAA-compliant checklist ready, available, and prominently displayed. A checklist will help an establishment learn the ins and outs of being HIPAA compliant and implement a set of procedures tailored to your specific organization.
Train your Staff in Email Security!
It is also vital to train your staff annually on their responsibilities under compliance laws, how to send a secure message, and what constitutes a HIPAA violation. Make sure the most up-to-date policies and procedures are accessible at any time for employees to review and evaluate. Confirm that all associated partners and vendors dealing with patient data sign an agreement stating that they understand the consequences of violating HIPAA laws and will abide by all best-practice standards. All parties that handle ePHI should sign this agreement.
Get Consent Before Handling Sensitive Data.
HIPAA-covered entities should note that while it may be convenient to send emails containing ePHI to patients, consent to use email as a communication method must be obtained from the patient in writing before any ePHI is sent via email, even if a HIPAA compliant email provider is used. Patients must be advised that there are risks to the confidentiality of information sent via email. If they are prepared to accept the risks, emails containing ePHI can be sent without violating HIPAA Rules.
Understand HIPAA Breaches May Still Happen.
Finally, when sending sensitive information, understand that even if a third-party HIPAA consultant protects you, breaches and hacks can still happen. In many cases, violations are purely innocent. Some of the most common HIPAA violations include:
- Lost or stolen devices
- Improper storage of unsecured records
- Lack of employee training
- Sharing PHI
- Improper disposal of records
- Unauthorized release of information
- Sending unencrypted sensitive data
The Cost of a HIPAA Violation.
Even if there is no ill intent, a healthcare facility can still be found guilty of a HIPAA violation. Since the Privacy Rule was enacted in 2003, Health and Human Services (HHS) has received over 275,000 HIPAA complaints, initiated over 1,100 reviews, and resolved 98% of cases. In some cases, HHS found that no violation occurred. The average cost of a breach varies widely depending on whether malicious intent was detected, the degree of negligence, the number of people affected, and the projected risk to victims as a result of the breach.
It’s always better to be proactive when it comes to patient confidentiality. Severe violations can cost healthcare professionals millions of dollars, and potentially even time in jail. Some of the most well-known and expensive cases include:
- New York-Presbyterian Hospital and Columbia University Medical Center paid a combined $4.8 million in fines back in September of 2010. In an attempt to deactivate a personal computer, a physician compromised the ePHI of nearly 7,000 patients. Since the data was stored on a shared network, both facilities shared responsibility.
- Cignet Health of St. George County paid $4.3 million in fines after denying 41 patients access to their medical records.
- Children’s Medical Center of Dallas was fined $3.3 million after having undergone two cybersecurity gap analyses and failing to implement the recommendations. Unencrypted devices were found to be responsible for the exposure of the data of 6,284 patients.
- The University of Washington Medicine paid a $750,000 penalty after an employee fell for a phishing scam, downloading an attachment that contained malware and compromised the data of 90,000 individuals.
- Elite Dental Associates in Dallas, Texas responded to a negative Yelp review, unintentionally revealing PHI, resulting in a $10,000 fine.
Work with the Best HIPAA Email Encryption Services.
HIPAA was established to protect the private data linked to health systems, associated employees, their counterparts, and the general public. Compliance involves strict legislation, and it is in the best interest of any healthcare-related company, big or small, to become HIPAA compliant both from an ethical and financial standpoint.
As the world relies on digital communication more and more, healthcare professionals must ensure all email communication is HIPAA compliant. While it might feel overwhelming, it doesn’t have to be – especially when you work with a third-party vendor, like NeoCertified.
An effective HIPAA-compliant email solution is simple – it encrypts your emails, is easy to use, offers a Business Associates Agreement, offers technical support, and won’t break the bank. For just a few hundred dollars a year, your healthcare business can be in a better position to protect your patient data, and stay compliant with HIPAA regulations. Learn more about the best HIPAA-compliant email solutions with NeoCertified – contact us today!
**Disclaimer** The content displayed in this article is merely for educational purposes. It is not intended or claimed to be a substitute for legal or professional advice. Should you decide to act upon any information listed above, you do so at your own risk!
While the information in this article has been written and researched to the best of our abilities, we cannot guarantee that there are no mistakes or errors.
We also reserve the right to edit or change this policy at any given time, of which an update will be listed at the top of the article on said date. If you want to make sure you are up to date with the latest changes in HIPAA compliance or HIPAA email policies we encourage you to frequently visit this page – thank you.