Email is everywhere, but HIPAA imposes regulations that make it difficult to use this technology in healthcare without exposing your practice to possible penalties if you are not careful. Infractions can be subtle, and your practice may be at risk even when you think you are in safe waters. There is a lot of information available on the nitty-gritty of using email under HIPAA. Because HIPAA is so detailed, there are some surprising ways your current use of email might be violating it without you realizing it.
Seven ways your email might be violating HIPAA.
Not Having Consent from Patient
The U.S. Department of Health and Human Services (HHS) has offered explicit guidance on when patients and healthcare providers may use unencrypted email to share protected health information (PHI): only if the patient is well aware of the security risks involved and still prefers email over the other available modes of communication. The flip side of this guidance is that failing to meet any part of its criteria results in an immediate HIPAA violation. You can avoid this by asking yourself the following questions before emailing a patient:
- Is this patient aware of the email security risks?
- Have I discussed other more secure methods of communication?
- Has the patient given a preference or consent for email?
- Have I documented the consent to use email even though other secure communication methods are available?
Patient preference is a powerful tool for HIPAA compliance, but its absence can become a powerful liability. This compliance step is easy to skip, so it is important to check it strictly every time.
Not Having a Business Associate Agreement
BAAs are vital legal documents required by HIPAA; they help ensure that your business partners treat your patients' PHI with the same HIPAA compliance that you do. In the case of email, your email provider should have systems in place, such as modern encryption, to protect your data. A properly drafted BAA documents these assurances.
Even if your patient has consented to the use of insecure email, you still need a BAA. Skipping it with your email provider puts you in direct violation of HIPAA. Your patient may have accepted the technical limitations of email, but that does not give you a free pass to ignore major HIPAA requirements such as the administrative and legal safeguards that only a proper BAA provides.
Having a BAA But It’s Not Covering What You Believe It Does
Not Thinking About Technical Safeguards
HIPAA's regulations spell out technical safeguards that must be in place for any system that interacts with electronic PHI. Not every one of these security measures is strictly required under the law, but standard email fails to meet even the most lenient interpretation of this criterion.
Email technology has progressed over the last few years, and there are many measures that can be taken to make your email secure. Even with a patient's consent to use insecure email, there is a strong argument that the healthcare provider must still do their best to minimize the security risk. Failing to do so can result in HIPAA violations.
Only Thinking About Technical Safeguards
It is great if you are ahead of the game on email security and have sorted out your technical safeguards. Maybe you know all about TLS, DKIM, DMARC, and SPF, among other internet security acronyms, and have an end-to-end encrypted email system in place. However, you could still be violating HIPAA with your email. How?