Is Your Email Violating HIPAA?

Email is everywhere but HIPAA imposed regulations that make it difficult to use this technology for healthcare without exposing your practice to some possible penalties if you’re not careful. Infractions are very subtle and your practice can be at risk even if you think you’re in safe waters. There is a lot of information out there which talks about the nitty-gritty of using email under HIPAA. Since HIPAA is very detailed, there are some surprising ways your current use of email might be violating HIPAA without you realizing it.

Seven ways your email might be violating HIPPA.

Not Having Consent from Patient

Explicit guidance has been offered by the U.S. Department of Health and Human Services (HHS) addressing how patients and healthcare providers can use unencrypted email for sharing protected health information (PHI) only if the patient is well aware of the security risks involved and still prefers email as a mode of communication over other available options. However, the flip side of this guidance is that failing to meet any part of its criteria will result in an immediate HIPAA violation. You can avoid this by asking yourself the following questions before emailing your patient:

Is this patient aware of the email security risks?
Have I discussed other more secure methods of communication?
Has the patient given a preference or consent for email?
Have I documented the consent to use email even though other secure communication methods are available?

Patient preference is a powerful tool for HIPAA compliance but its absence can turn into a powerful liability. It is easy to skip this compliance step but it is important to keep a strict check on it.

Want to avoid HIPAA violations?

Not Having a Business Associate Agreement

BAAs are vital legal documents that are required by HIPAA and help ensure that your business partners will treat your patients’ PHI with HIPAA compliance just as you do. In the case of email, your email providers should have systems in place like modern encryption in order to protect your data. A properly drafted BAA documents these assurances.

Even if your patient has consented to use an insecure email, you still need to have a BAA. Skipping it with your email provider will put you in a direct violation of HIPAA. Your patient may have agreed to the technical limitations of email but that does not mean you have a free pass to ignore major HIPAA requirements like the administrative and legal safeguards which only a proper BAA would give you.

Having a BAA But It’s Not Covering What You Believe It Does

Here is a surprise. It is not uncommon to hear healthcare providers saying that they have a secure email with a BAA but in fact that turns out to be a regular email with a BAA.

Email providers commonly offer a BAA which covers their internal and storage handling of your PHI but leaves all the responsibility for message transmission on the healthcare provider – the user. This is not malicious – it just reflects how the email provider is unable to control the internet beyond its walls. Despite recent developments, standard email transmission is not encrypted and is insecure which means no company will sign a BAA that states otherwise. As a healthcare provider, you will be responsible for message transmission under HIPAA so this omission cannot be ignored.

It is easy to get caught misinterpreting what a BAA will protect you from and what it would not protect you from. It becomes easy to violate HIPAA and put your patients’ PHI in danger by using an email service with a valid VAA in place.

Not Thinking About Technical Safeguards

HIPAA has highlighted technical safeguards in its regulations. These technical safeguards have to be present for systems that interact with electronic PHI. Not all of these security measures are indeed required under the law, but standard email fails to meet even the most lenient version of interpretation of this criterion.

Email technology has progressed over the last few years and there are lots of measures which can be taken to ensure your email is secure. Even with your patients’ consent to use insecure email, there is an argument that the healthcare provider still needs to do his best to minimize security risk. Not doing so can result in HIPAA violations.

Only Thinking About Technical Safeguards

It is great if you are ahead of the game on email security and have sorted out technical safeguards. Maybe you know all about TLS, DKIM, DMARC, and SPF among other internet security acronyms, and have systems in place for the end-to-end encrypted email system. However, you could still be violating HIPPA with your email. How?

Technical safeguards are not the only type of safeguards that HIPAA requires. The regulations also highlight administrative and physical safeguards which are absolutely critical to any HIPAA effort.

Administrative safeguards are basically documented workflow policies that healthcare providers have to follow to ensure secure PHI. One popular administrative safeguard is to communicate only the minimum necessary amount of information for any given interaction so that PHI exposure is kept low – even if there is a technical breach. Other administrative safeguards include keeping a privacy officer, regularly performing internal risks analysis, and administrating regular policy checkups. HIPAA requires these all and more too.

Physical safeguards are controls that healthcare providers need to put in place to ensure the physical security of the patients’ PHI. For email, this means determining the physical location of downloaded emails. If they are stored on a laptop or a desktop computer, who has access to the room these are in? Asking such questions will help ensure the physical protective measures to stay in place.

Technical safeguards may be obvious in HIPAA requirements for email but a complete approach to compliance will take care of physical and administrative safeguards as well to make HIPAA regulation cohesive. Healthcare providers can’t cherry pick from criteria because that will definitely lead to non-compliance.

Sending PHI Without Realizing It

Some healthcare providers try to comply with HIPAA by limiting email use to information that does not constitute PHI. This can work in theory but it can be quite hard to use in practice and fail badly.

According to HHS, HIPAA offers protection to individually identifiable health information including payment information, demographic data contact information, etc. depending on the context. Since the use of personal addresses makes an email “individually identifiable” , healthcare providers must be careful to ensure the message content does not rise to the level of health information at all.

If a healthcare provider runs a general practice clinic, HIPAA will allow sending a general email about flu vaccines to his entire patient panel and that would not be PHI since it is not addressing a specific person. If your practice specializes in cosmetic plastic surgery, you cannot even send a newsletter because it can be argued that sending it would automatically identify people as patients of your practice. That would be PHI.

When it comes to PHI the line is blurry and there is no black and white. According to HHS guidance, indicating that an individual was treated at a certain clinic can constitute as PHI. So healthcare providers may become comfortable in using email for non-PHI purposes but it can be hard to determine what those are.

Emailing Non-Patient

You may have a patient’s consent to email about PHI but that does not mean you can interact with anyone else like that including other healthcare providers. Communication with anybody other than the patient or their explicitly designated third-parties needs to be fully HIPAA compliant.

Since standard email is not compatible with many HIPAA regulations, healthcare providers should avoid it when they need to communicate PHI to anyone who is not the exclusive subject of that PHI.

What Are The Alternatives to Email?

Email can be used carefully in a HIPAA compliant manner but it’s not worth the risk. There are many modern-day communication solutions designed specifically for healthcare and are completely HIPAA compliant. Hucu is a Secure Messaging App that enables secure messages, offers access logging, team collaboration, messaging, video conferencing, and many other advanced features that are HIPAA compliant. Hucu believes that the world of healthcare communication is large and richer than a simple email. With Hucu, you can easily reach your medical communication goals and be HIPAA compliant. Sign up for Hucu here.

Looking for a better HIPAA compliant communication tool ?

Get Ready To Transform Your Organization For Value Based Care.

Subscribe to our monthly newsletter