Section 1: The Origins of HIPAA Compliance & HIPAA Compliant Email
HIPAA compliance and HIPAA compliant email are two essential factors in becoming a credible professional health organization or business. HIPAA compliant email may even be more important than the business itself, because without it you could face not only severe financial penalties but criminal penalties as well…
So, what exactly is HIPAA compliant email? Why does a health organization need HIPAA compliant email & why is it important?
If you are new to owning a medical business, work for one, or are just generally curious about HIPAA compliance and HIPAA compliant email guidelines and rules, you have come to the right place!
First off, let’s dive into the origins of HIPAA and HIPAA compliant email. Where did it come from? Who started it and why?
HIPAA is an acronym for the Health Insurance Portability and Accountability Act, a United States federal statute enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996.
The purpose of HIPAA, and of HIPAA compliant email, was simply to ensure the safety and confidentiality of healthcare data, or Protected Health Information (PHI). It was also intended to improve data systems and reduce online fraud. HIPAA compliant email really just comes down to data security.
The enactment of HIPAA marked the beginning of reform in how data is transmitted within the healthcare industry, and it helped guarantee that employees would not lose their health insurance coverage while changing jobs. While HIPAA compliance laid the groundwork for better-protected healthcare, it also paved the way for the Security Rule and the Privacy Rule.
These rules were created by the Secretary of Health and Human Services (HHS), who wanted to set even higher regulatory standards for the transmittal of private healthcare data: PHI and ePHI (electronic Protected Health Information). The Security Rule, which was passed just 2 years after HIPAA was signed into law, raised the standards for how a person’s health-related information is transmitted between healthcare providers, businesses, health plans, and other organizations. The Privacy Rule mirrored much of what the Security Rule was established to do, but focused heavily on safeguarding PHI.
The Privacy Rule officially defined PHI as any information within a person’s medical record that can directly link them to the data held by a covered entity. HIPAA and the Privacy Rule identify 18 specific indicators:
- Specific names
- Addresses containing information indicating specific residencies
- Telephone Numbers
- Personal Email Addresses
- Social Security Numbers
- Medical Record Numbers
- Health Plan Beneficiary Numbers
- Account Numbers
- Driver’s License Numbers
- Any Personal Vehicle Information
- IP Addresses
- Web URLs
- Fingerprints or Voiceprints
- Serial Numbers of any kind
- Fax Numbers
- Any Specific Dates of patients
- Any other specific identifiers of a person’s identity
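Several of the identifiers listed above (Social Security numbers, phone numbers, email addresses, IP addresses, URLs, medical record numbers, dates) have recognisable shapes, which is why outbound-mail filters can catch PHI before it leaves over an unencrypted channel. The following is an added example, not code from NeoCertified or from this article, showing a minimal scanner of that kind: the regular expressions are deliberately simplified assumptions (a real data-loss-prevention engine validates matches and uses context and dictionaries, and names in free text need dictionaries or natural-language tools), and the outbound message it scans is constructed for the example.

```python
from __future__ import annotations
import re

# Simplified patterns for a subset of the HIPAA identifiers (example code, not a
# production DLP engine). Names and free-text dates are not covered here.
PHI_PATTERNS: dict[str, re.Pattern[str]] = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    # Stop a URL before trailing sentence punctuation so "…/8821." yields "…/8821".
    "url": re.compile(r"\bhttps?://[^\s<>\"']*[^\s<>\"'.,;:)]", re.IGNORECASE),
    # Capture only the record number that follows an "MRN" style label.
    "mrn": re.compile(r"\b(?:MRN|medical record(?: number| no\.?)?)[:#\s]*([A-Z0-9-]{5,})\b", re.IGNORECASE),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
}

# Constructed outbound message used as sample input; every value in it is fictional.
SAMPLE_OUTBOUND = (
    "Hi Dr. Lee,\n"
    "Following up on patient Jane Doe, MRN: A1B2C3D4, DOB 04/12/1981.\n"
    "Her SSN on file is 123-45-6789 and she can be reached at (555) 123-4567\n"
    "or jane.doe@example.org. Last portal login was from 192.168.10.44 via\n"
    "https://portal.example.org/records/8821.\n"
    "Thanks"
)


def _spans(text: str) -> list[tuple[int, int, str]]:
    """Return (start, end, category) for every identifier match, sorted by position."""
    spans = []
    for name, pattern in PHI_PATTERNS.items():
        for m in pattern.finditer(text):
            group = m.lastindex or 0          # use the capture group when the pattern has one
            spans.append((m.start(group), m.end(group), name))
    return sorted(spans)


def scan_for_phi(text: str) -> dict[str, list[str]]:
    """Map each identifier category found in the text to the matched values."""
    hits: dict[str, list[str]] = {}
    for start, end, name in _spans(text):
        hits.setdefault(name, []).append(text[start:end])
    return hits


def requires_secure_channel(text: str) -> bool:
    """True when the message body contains any recognised identifier."""
    return bool(_spans(text))


def redact(text: str) -> str:
    """Replace every match with a category tag; overlapping matches are redacted once."""
    out, pos = [], 0
    for start, end, name in _spans(text):
        if start < pos:                       # already covered by an earlier redaction
            continue
        out.append(text[pos:start])
        out.append(f"[REDACTED:{name}]")
        pos = end
    out.append(text[pos:])
    return "".join(out)


if __name__ == "__main__":
    for category, values in scan_for_phi(SAMPLE_OUTBOUND).items():
        print(f"{category:6s} {values}")
    print("secure channel required:", requires_secure_channel(SAMPLE_OUTBOUND))
    print(redact(SAMPLE_OUTBOUND))
```

A gateway built on this idea would route any message for which `requires_secure_channel` is true through the encrypted channel (or block it), rather than relying on staff to remember which messages contain PHI; `redact` shows the same matching reused to produce a version safe for logs or tickets.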
The Privacy Rule also made it easier for patients to access their own data and records. The rule was initially proposed in 1999 during President Clinton’s second term and officially signed into law on December 28, 2000, just weeks before Clinton’s second term ended. HHS then immediately proposed further revisions to the law, most importantly assigning the Office for Civil Rights (OCR), an agency within HHS, to administer and enforce HIPAA compliant email laws, regulations, fines, and penalties.
By 2005, failures to comply with HIPAA compliant email laws and regulations had already begun to surface across the healthcare industry and its associated organizations. HHS introduced the HIPAA Enforcement Rule, which allowed HHS to investigate alleged HIPAA violations by covered entities. This rule made it possible for HHS to fine covered entities for breaches of ePHI that could have been avoided by following the Security and Privacy Rules.
The Enforcement Rule also made it possible for an individual to file a civil lawsuit against any covered entity suspected of sharing personal data without consent and causing that individual “serious damage”.
With the passing of the Enforcement Rule and the rise of digital technology, by 2009 nearly all health organizations had gone digital, so President Obama signed the Health Information Technology for Economic and Clinical Health Act, or HITECH Act. This law required healthcare organizations to begin using Electronic Health Records (EHRs), which helped protect private healthcare data, and it allowed much higher fines, which in turn heavily increased the cost of HIPAA noncompliance.
After the Enforcement Rule was passed in 2009, the Breach Notification Rule followed. This rule requires that any malicious activity or breach of ePHI at a covered entity that affects the security of 500 or more individuals be documented and reported to the OCR, and that the patients affected by the breach be notified.
Finally, and most recently, in 2013 the HIPAA Omnibus Rule was passed. It reformed and updated the previous Security, Privacy, Breach Notification, and Enforcement Rules and made it mandatory not only for businesses but also for their associated employees and clients to become HIPAA compliant under those rules.
So, to recap, HIPAA compliance was established to better protect the private data of healthcare organizations, their employees, their counterparts, and the general public. HIPAA compliance for email involves strict legislation, and it is in the best interest of any healthcare-related company, big or small, to become HIPAA compliant, because trust me, non-compliance is something nobody can afford!
Section 2. How to Become HIPAA Compliant
Now that we have covered the basics of HIPAA compliance and HIPAA compliant email, let’s dive into how one can obtain HIPAA compliance for email to avoid HIPAA fines and penalties.
Your best bet in avoiding HIPAA fines and penalties is an obvious one… Become HIPAA compliant! So how does one become HIPAA compliant and what are the necessary steps?
First off, whether you are a new healthcare organization or have been around for 50 years, every healthcare establishment should have a HIPAA compliance checklist. It helps an establishment not only learn the ins and outs of what it means to be HIPAA compliant but also implement a set of procedures tailored to your specific organization.
In order to comply with the guidelines of HIPAA, you will need to read the full text of the HIPAA regulations (45 CFR Parts 160, 162, and 164); fortunately, the Department of Health and Human Services’ Office for Civil Rights has summarized them in a 115-page document.
Another way a healthcare-related organization can become HIPAA compliant is by simply working with a third-party HIPAA compliant solutions provider, such as NeoCertified. A HIPAA compliant solutions provider will essentially do all the hard work for you, and can also help an organization confirm that its own policies, procedures, and practices are all in line with the rules and regulations of HIPAA.
It is also vital to train your staff annually on their responsibilities under HIPAA compliance and HIPAA compliant email laws, and on what constitutes a violation; make sure policies and procedures are accessible at any time for employees to review and evaluate. Confirm that all partners and vendors dealing with healthcare-related data sign an agreement that they will abide by HIPAA compliant email laws and procedures; this agreement should be signed by any individual who handles ePHI.
Be aware of all state and federal HIPAA compliance and HIPAA compliant email laws; a good practice is to research quarterly any changes to HIPAA/HITECH violation laws that may have taken place. If you do not have the staff to do your own research, you can always hire a HIPAA/HITECH third-party consultant.
Know that no single policy, procedure, or product can ensure HIPAA compliance. So make sure that everyone in your organization understands the laws and regulations surrounding HIPAA and HIPAA compliant email.
Finally, when sending sensitive healthcare-related data, understand that even if you are protected by a third-party HIPAA consultant, breaches and hacks can still happen. The most common causes of data breaches include lost or stolen devices such as cellphones, tablets, or laptops; improper storage of unsecured records; lack of employee training; sharing PHI; improper disposal of records; unauthorized release of information; and the sending of unencrypted sensitive data.
Section 3. How to Make Your Email HIPAA Compliant
Most healthcare-related businesses and organizations send and receive private or sensitive digital data, and if you are sending this type of information through a standard email application such as Gmail you could be in serious trouble. Don’t worry, though: with a few extra steps the majority of standard email providers can be made HIPAA compliant.
Whether you use Microsoft Outlook, Edge, Office 365, or Gmail as your standard email application, it is highly likely that you are sending over an unencrypted connection that could be intercepted by internet thieves. To steer clear of this, all you need to do is partner with a third-party HIPAA compliant email provider, such as NeoCertified.
NeoCertified integrates with almost all of the popular standard email applications, so you don’t even need to leave your email client to send secure emails. NeoCertified also offers Business Associate Agreements (BAAs) to small, medium, and large businesses free of charge!
What is a Business Associates Agreement, and why would a business need it? Glad you asked!
A BAA is a written agreement between two associated parties that is part of HIPAA compliance and HIPAA compliant email protocol. It creates a “partnership” of liability connecting the two, so that if one violates the BAA, the other can take legal action. When a covered entity, organization, or associate hires a third-party solutions provider, they MUST sign a BAA to comply with the regulations of HIPAA and HIPAA compliant email. Failing to do so could result in large fines and, in some extreme cases, jail time.
Keep in mind that the technology of email was invented to deliver messages, not to protect them, so even if your standard email application provides Transport Layer Security (TLS) encryption, this still does not mean that your emails are 100% protected. TLS protection depends on the recipient’s side supporting it as well: if their email system does not have TLS, the message can travel that hop without encryption, and the email you think you sent encrypted was in fact not!
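The hop-by-hop nature of that problem is visible in a delivered message’s `Received` headers, which each receiving mail server adds and in which the `with` keyword records whether TLS was negotiated for that hop (`ESMTPS`/`ESMTPSA` for TLS, plain `SMTP`/`ESMTP` for cleartext). The following is an added example, not code from NeoCertified or from this article, that reads those headers with Python’s standard `email` module and reports which hops were unprotected. The message is constructed for the example: a clinic workstation submits over TLS to the clinic’s server, which then relays to the recipient’s server without TLS. Only headers added by servers you trust are reliable evidence, since anything earlier in the chain could have been written by the sender.

```python
import re
from email import message_from_string

# "with" protocol keywords (RFC 3848 / RFC 6531) that indicate the hop used TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed message: the newest Received header is on top, so the first (oldest)
# hop is workstation -> mail.clinic.example over ESMTPSA (TLS), and the second hop
# is mail.clinic.example -> mx.recipient.example over plain ESMTP (no TLS).
RAW_MESSAGE = """Received: from mail.clinic.example (mail.clinic.example [192.0.2.1])
    by mx.recipient.example with ESMTP id abc123
    for <doctor@recipient.example>; Mon, 1 Jan 2024 10:00:02 +0000
Received: from workstation.clinic.example (workstation.clinic.example [192.0.2.5])
    by mail.clinic.example with ESMTPSA id xyz789
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384)
    for <doctor@recipient.example>; Mon, 1 Jan 2024 10:00:01 +0000
From: nurse@clinic.example
To: doctor@recipient.example
Subject: Lab results

Body text.
"""


def hops(raw_message: str) -> list[dict]:
    """Return one record per Received header, oldest hop first."""
    msg = message_from_string(raw_message)
    result = []
    for value in reversed(msg.get_all("Received") or []):
        flat = " ".join(value.split())           # unfold the header's continuation lines
        src = re.search(r"\bfrom\s+(\S+)", flat)
        dst = re.search(r"\bby\s+(\S+)", flat)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", flat)
        protocol = proto.group(1).upper() if proto else None
        result.append({
            "from": src.group(1) if src else None,
            "by": dst.group(1) if dst else None,
            "protocol": protocol,
            "tls": protocol in TLS_PROTOCOLS,
        })
    return result


def cleartext_hops(raw_message: str) -> list[dict]:
    """Hops for which the receiving server did not record a TLS protocol keyword."""
    return [hop for hop in hops(raw_message) if not hop["tls"]]


if __name__ == "__main__":
    for hop in hops(RAW_MESSAGE):
        status = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f"{hop['from']} -> {hop['by']} via {hop['protocol']}: {status}")
    if cleartext_hops(RAW_MESSAGE):
        print("At least one hop carried this message without encryption.")
```

For the constructed message the first hop is reported as TLS and the second as cleartext, which is exactly the situation the paragraph above describes: the sender’s own connection was encrypted, yet the message crossed the network to the recipient unprotected. A provider that encrypts the message itself, rather than only the connection, removes that dependence on the recipient’s server.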
Section 4. Overview
Achieving HIPAA compliance for email can definitely be an overwhelming process, but it doesn’t have to be. To start, always create a checklist that you can use and refer back to once you begin the process.
First, know that protecting a client’s or customer’s private information should not have a limit when it comes to cost. The consequences associated with HIPAA compliant email fines are something no business can afford, and they can easily be avoided by simply becoming HIPAA compliant. The fines given to those in noncompliance with HIPAA range from the tens of thousands to the millions of dollars, based solely on the severity of the situation. This clearly shows that the main concern of HHS is to value and protect patient information and privacy, and it should be yours too.
Second, you don’t need to empty your pockets when partnering with a third-party HIPAA compliant email solutions provider. The majority of HIPAA compliant email solutions providers are affordable and cost-effective, even offering bundles to suit your specific business that won’t run you more than a couple of hundred bucks a year. At the end of the day, would you rather pay a few hundred bucks or less for a solution that benefits your business, or a few thousand in fines resulting from penalties associated with HIPAA breaches? The answer should be simple…
Lastly, you also don’t need to go all out looking for a solution with all the “bells & whistles”, unlimited storage, or the highest premiums. Just look for a solution that properly encrypts your emails, has an easy-to-use process for your recipients to open your secure emails, provides a HIPAA compliant email BAA, and offers technical support. It really can be that simple, and always, always, always remember to make a checklist so you can document everything YOUR organization will need to become HIPAA compliant!
Written by Peter J. Schaub
President & CEO, NeoCertified
***Disclaimer*** None of the provisions of this document constitute legal advice. If you need legal advice regarding the information provided in this document, please consult your HIPAA consultant or attorney.