Safeguarding genetic data privacy with HIPAA compliant email
Caitlin Anthoney November 13, 2024
Genetic testing companies can use HIPAA compliant email for secure, transparent, and compliant communication practices.
Additionally, it allows these companies to better align with the Federal Trade Commission’s (FTC) standards, creating a safer environment for consumers who can explore the benefits of genetic testing without compromising their privacy.
Building trust in genetic testing
With genetic testing services booming, companies selling DNA-based insights must earn consumer trust through strict privacy and security practices.
As Elisa Jillson, an attorney with the FTC’s Division of Privacy & Identity Protection, explains, companies must protect consumer data privacy, particularly when it involves sensitive information like genetic data.
She notes that for consumers to feel safe using DNA-based services, "companies need to be able to trust their accuracy – and trust that the company’s practices related to the DNA of privacy (data minimization, purpose limitations, retention limits, etc.) will protect the privacy of their DNA."
Genetic data sensitivity
Jillson notes that, unlike other data types, genetic information often can't be fully anonymized. She adds, "Where the sensitivity of the data is high, so too is the risk of harm, particularly in this era of increasing biometric surveillance."
This sensitivity calls for heightened security measures, particularly when communicating about genetic data.
How HIPAA compliant emails can help
Minimize security risks
HIPAA compliant email solutions, like Paubox, offer advanced encryption methods, so only the intended recipients can access sensitive genetic data. These platforms also align with the FTC’s expectation for handling biometric information, reinforcing protections against data breaches and unauthorized disclosures.
More specifically, Jillson notes the FTC’s charges against Vitagene (now 1Health.io) for "subpar data security," which included failing to encrypt data and use access controls properly.
HIPAA compliant email, however, provides multi-layered security, including encryption and secure access protocols, to meet these requirements.
Furthermore, these email systems help uphold "affirmative express consent," a legal standard emphasized in the CRI Genetics case, where companies must get clear, informed consent from users for data handling practices.
So, companies can communicate transparently with consumers, helping them make informed decisions about their data privacy rights.
Protecting customer accounts
In genetic testing, customer accounts can become gateways to personal health data, making them prime targets for cybercriminals. As an example, Jillson mentions the FTC's action against Ring, where the company faced criticism for failing to secure customer accounts from credential-stuffing attacks.
Genetic companies that use HIPAA compliant email with multi-factor authentication (MFA), however, strengthen account security and, with secure password recovery processes, limit the exposure of customers’ data.
Transparency and truthful claims
The FTC has also flagged companies for misleading advertising, noting cases where genetic testing companies exaggerated their accuracy claims. Jillson reminds companies that if they lack "a reasonable basis to support [their] claim," they shouldn't make it.
HIPAA compliant emails can help companies maintain this transparency, as they can provide secure channels to share verified, science-backed information with consumers.
How to set up HIPAA compliant email for genetic data privacy
Choose a HIPAA compliant email solution
Paubox email offers built-in encryption, secure data storage, and MFA. Additionally, Paubox signs a business associate agreement (BAA) obligating it to comply with HIPAA requirements, covering data protection and breach notification responsibilities.
Implement and monitor access controls
Control access to email accounts to limit who can view and handle sensitive information. HIPAA compliant email systems should include detailed access control settings, allowing administrators to define access levels for different users.
Companies can also track who accesses each account and log that activity, providing an audit trail in case of a security incident.
Train employees on HIPAA compliance
Employees must know how to communicate securely and adhere to compliance standards. So, companies must conduct training sessions covering HIPAA requirements, secure email handling practices, and recognizing potential cyber threats.
Regularly update and audit security practices
Genetic companies must regularly perform vulnerability assessments, update software, and revise their organization’s policies.
FAQs
What is HIPAA compliant email?
A HIPAA compliant email solution, like Paubox, is a secure email system that meets the privacy and security standards outlined in the Health Insurance Portability and Accountability Act (HIPAA). It includes encryption, access controls, and other safeguards to protect sensitive health information.
Do genetic testing companies need HIPAA compliant email?
Yes, genetic testing companies handle highly sensitive data that reveals personal and familial information. HIPAA compliant email helps protect this data while allowing secure communication between the company and its clients.
How can companies make Google Workspace email HIPAA compliant?
Companies must use a Business or Enterprise plan, sign a business associate agreement (BAA) with Google, and use a HIPAA compliant platform, like Paubox, to protect patient information.