Many healthcare providers would love to include email communication in their regular workflows, but are concerned about securing patient information to comply with HIPAA requirements. One breach can mean huge fines, loss of reputation, or even the end of operations.
The good news for providers is that sending HIPAA compliant email can be . It just requires planning and using the right tools and processes.
The HIPAA Privacy Rule created, for the first time, a set of national standards for safeguarding certain health information. HIPAA allows Covered Entities to disclose PHI to a Business Associate if they receive assurances that the Business Associate will use the information only within the scope for which it was engaged by the Covered Entity. The HIPAA Security Rule was added to set out what safeguards must be in place to protect electronic protected health information (ePHI), which is health information that is held or transferred in electronic form. With regard to email, this means that covered entities are required to take reasonable steps to protect PHI on their own computers and as it is transmitted electronically, all the way to the recipient’s inbox. Once the email reaches the recipient, the sender’s obligation ends and it becomes the recipient’s job to secure any PHI they have in their inbox. The bottom line: you must protect email containing PHI on your server and while it is in transit to the recipient.
But you also need the right technology to be sure those procedures can be made as efficient as possible. This is especially important for overcoming human error, such as forgetting to press a button or type a password to encrypt an email. Human error accounts for the vast majority of email-related HIPAA breaches and violations. Along with policies, there are a couple of technical factors to consider in making sure your email is HIPAA compliant. The first factor is your email server.
This is because consumer email platforms do not sign BAAs (Business Associate Agreements), and there is no guarantee that data stored on those consumer email servers is secure, even from the vendors themselves. Once you have a commercial email provider, if you only send email containing PHI internally within your organization and it never leaves your server, then you are likely good to go and need nothing further. This is provided your email server is behind a secure firewall. But what happens when email goes out?
As email moves from one server to another it is considered "in transit." It must be secured every step of the way until it reaches the recipient's inbox. This is typically handled with email encryption. But normal email is not always secure, because normal email was designed with the priority on delivering messages, not on security. Even if your email provider does secure email with TLS encryption, that doesn’t mean your message will be delivered securely. That’s because if the recipient’s email provider doesn’t support TLS, your message is downgraded and delivered unencrypted in clear text. Google’s own data shows that only 87% of email sent with Gmail is encrypted. For HIPAA, 87% isn’t good enough; only 100% encryption is acceptable. That's where having a third party secure your email in transit becomes helpful.
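The downgrade described above is a configuration choice on the sending mail server: with opportunistic TLS the server tries STARTTLS and silently falls back to clear text when the receiving side does not offer it. As an added example (not from the original page and not Paubox's configuration), the Postfix `main.cf` fragment below shows the weak opportunistic setting next to the enforced setting, plus a per-destination policy table for partner domains. The hostnames, file paths and partner domain are placeholders.

```conf
# Added example (not from the page or from Paubox): outbound SMTP TLS policy
# for a Postfix mail server. Paths and the partner domain are assumptions.

# WEAK: opportunistic TLS ("may"). Postfix offers STARTTLS, but if the
# receiving server does not advertise it, the message is delivered in
# clear text. This is the silent downgrade the article describes.
#smtp_tls_security_level = may

# ENFORCED: mandatory TLS ("encrypt"). If the receiving server does not
# offer STARTTLS, or the handshake fails, the message is deferred and
# retried instead of being sent unencrypted. Mail to servers that never
# offer TLS will eventually bounce, so watch the deferred queue.
smtp_tls_security_level = encrypt
smtp_tls_loglevel = 1
# CA bundle used for certificate verification at the "verify"/"secure"
# levels below; the path is a placeholder for this example.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Per-destination overrides. "encrypt" alone does not verify the peer's
# certificate; for domains you routinely exchange PHI with, raise the level
# to "secure" so the certificate must match the expected name.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Contents of /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy"
# after editing). The domain below is a constructed placeholder.
#   partner-clinic.example   secure match=partner-clinic.example:.partner-clinic.example
```

With `encrypt` in place, the mail log will show a `TLS connection established` line for each delivery, and a deferral such as `TLS is required, but was not offered by host ...` when a recipient's server cannot do TLS; those deferrals are the mail that would have gone out in clear text under the `may` setting. Note that `encrypt` only guarantees encryption, not the identity of the receiving server; `secure` or `verify` add certificate checks, which is why the partner domains get the stricter level in the policy map.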
Paubox helps ensure that 100% of the emails you send are secure in transit all the way to your recipient's inbox. It's a seamless and stress-free experience. Unlike other providers, Paubox makes HIPAA compliant email behave like regular email for both senders and recipients. Paubox’s Encrypted Email allows users to write and send emails as normal from laptop, desktop, and mobile devices. Your recipients will be able to view messages and attachments without needing to enter extra passwords, download an app, or log in to a portal. This greatly reduces the risk of accidentally sending PHI over email. It is a giant burden to have staff decide whether to encrypt each email. It is easy to forget to press an encrypt button or type a keyword before sending an email, and sometimes a user may not realize that certain information is PHI at all.