Email is everywhere, but HIPAA imposes regulations that make it difficult to use this technology in healthcare without exposing your practice to possible penalties if you are not careful. Infractions are often subtle, and your practice can be at risk even when you believe you are on safe ground. There is a lot of information available on the nitty-gritty of using email under HIPAA. Because HIPAA is so detailed, there are some surprising ways your current use of email might be violating it without your realizing it.
Seven ways your email might be violating HIPAA.
Not Having Consent from the Patient
- Is this patient aware of the email security risks?
- Have I discussed other more secure methods of communication?
- Has the patient given a preference or consent for email?
- Have I documented the consent to use email even though other secure communication methods are available?
Not Having a Business Associate Agreement
BAAs are vital legal documents that HIPAA requires, and they help ensure that your business partners treat your patients’ PHI in a HIPAA-compliant way, just as you do. In the case of email, your email provider should have systems in place, such as modern encryption, to protect your data. A properly drafted BAA documents these assurances.
Even if your patient has consented to the use of insecure email, you still need a BAA. Skipping one with your email provider puts you in direct violation of HIPAA. Your patient may have accepted the technical limitations of email, but that does not give you a free pass to ignore major HIPAA requirements such as the administrative and legal safeguards that only a proper BAA provides.
Having a BAA But It’s Not Covering What You Believe It Does
Not Thinking About Technical Safeguards
HIPAA singles out technical safeguards in its regulations. These safeguards must be present in any system that handles electronic PHI. Not every one of these security measures is strictly required under the law, but standard email fails to meet even the most lenient interpretation of these criteria.
Email technology has progressed over the last few years, and there are many measures you can take to make your email secure. Even with your patients’ consent to use insecure email, there is a strong argument that the healthcare provider still has to do their best to minimize security risk. Failing to do so can result in HIPAA violations.
Only Thinking About Technical Safeguards
Sending PHI Without Realizing It
Emailing Non-Patient
What Are The Alternatives to Email?