Email is a convenient way for dentists to send appointment reminders, billing updates, marketing newsletters, and more relevant information to patients. However, failing to properly secure these emails ultimately puts patients’ privacy at risk.
Dentists are considered covered entities under HIPAA if they engage in electronic transactions that pertain to payment for healthcare services.
Examples include:
In these cases, dentists are required to comply with the HIPAA Security Rule. This rule does not prohibit covered entities from sending emails with protected health information (PHI), but they must put certain safeguards in place.
These need to “restrict access to PHI, monitor how PHI is communicated, ensure the integrity of PHI at rest, ensure 100% message accountability, and protect PHI from unauthorized access during transit.”
Therefore, dentists must conduct a risk analysis to pinpoint potential email vulnerabilities and implement protocols to address them.
Some smart security practices are enabling two-factor authentication, establishing strong password policies, and configuring firewalls that limit email access to authorized staff only.
Dentists must also comply with the HIPAA Privacy Rule, which involves taking steps to protect the privacy of PHI.
Ways to accomplish this include providing privacy practice notices to patients and limiting the use and disclosure of PHI to the minimum necessary.
In addition, create and enforce policies on which employees have permission to access PHI and when it is okay to send it. Ensure that all staff members know to obtain patients’ consent before receiving PHI via email.
Under the Privacy Rule, dentists qualifying as covered entities must provide employees with HIPAA compliance training.
And with human error serving as the leading cause of email-related HIPAA breaches, it is especially crucial to educate staff on how to recognize the warning signs of malicious emails.
Phishing emails and display name spoofing attacks are common approaches cybercriminals use to trick employees into sharing sensitive information.
Setting up simulated phishing attacks is a great way to put employee knowledge to the test and determine where further training is needed.
It is also a good idea to regularly reinforce best practices for email, such as double checking sender names and never clicking unexpected links or attachments.
Implementing email security policies and conducting employee training can help protect patients’ sensitive information. Still, dentists need to cover all their bases with HIPAA compliant email.
Under HIPAA, PHI must be safeguarded “at rest.” So if your dental practice uses a third-party email provider, you must obtain a business associate agreement (BAA). This document breaks down the responsibilities of the service provider in safeguarding PHI.
Many popular email platforms like Gmail and Yahoo do not sign a BAA, which means it is not guaranteed that stored information is protected.
HIPAA also requires data to be protected in transit, when email moves from one server to another.
However, standard email is not always secure every step of the way. In fact, Google’s own data states that only 87% of email sent with Gmail is encrypted. To comply with HIPAA standards, 100% encryption is necessary.
Therefore, the safest approach for dentists is to use a third-party HIPAA compliant email provider that encrypts messages by default.