Do you know the rules for sending secure email with PHI?
How to send a secure HIPAA compliant email
Email is convenient, especially in healthcare environments. However, keeping email secure poses challenges. Learn how to send a secure, HIPAA compliant email with this quick guide.
The other option is to use patient portals. While they can be secure, they provide an inadequate patient experience and result in more work for providers. As a matter of fact, 90% of providers provide portals, but only one-third of patients use them.
For physicians, the low uptake of the portal is a reality:
Let’s put it this way, I saw a patient with a resident earlier last week, and he said that they have an active portal account, and I was surprised. That’s how infrequently I see people that have it.” An administrator in a different county described her experience with a prior attempt to launch a patient portal: “even with our effort, there was nobody who used it after we had about 100 sign up.
-Quote from “Primary Care Providers’ Views of Patient Portals: Interview Study of Perceived Benefits and Consequences” in the Journal of Medical Internet Research
What does HHS say about sending HIPAA compliant email?
The HIPAA Security Rule does not prohibit sending ePHI by email. United States Department of Health and Human Services (HHS) states that you can send electronic protected health information (ePHI) via email, but you must do so securely. Covered entities must implement policies and procedures to restrict access, safeguard the integrity, and guard against unauthorized access to ePHI according to HIPAA standards for access control, integrity, and transmission security.
Understanding the challenge of HIPAA email security
There are a few links on an email chain to secure. An email is written on the sender’s email server and then sent to the recipient’s server. The email data is “at rest” when it’s on the email servers and “in transit” as it’s passing from one server to the other.
When an email is sent from one machine to another, it travels via the internet. And, as it travels, it is susceptible to cybercriminals trying to steal information.
How is email sent securely?
ePHI must remain secure at rest and in transit per HIPAA. To protect ePHI in an email, ensure your email provider supports encryption and is protected with user accounts and passwords. You must encrypt emails sent over non-secure networks such as the internet. Security concerns prevent some health care professionals from using certain email systems.
It is important to distinguish between an email platform that is HIPAA compliant and one that is HIPAA capable. Even though most popular email providers offer email encryption, they often are not HIPAA compliant. Many are capable, but they are not compliant until you enable certain features on the platform and you sign a business associate agreement (BAA) with the company.
Google and Microsoft HIPAA compliance and security
Take Gmail, for example; 87% of sent emails are encrypted, but HIPAA requires 100% encryption for emails containing ePHI. Thirteen percent unencrypted email is unacceptable. It is too big of an opening for hackers to access patient emails while in transit. Although Google and Microsoft are HIPAA capable, it’s best to use an additional encryption program that guarantees encryption on 100% of the emails you send.
Are third-party email security providers HIPAA compliant and secure?
The safest and least cumbersome option is for covered entities to work with a third-party HIPAA compliant email provider to ensure that all HIPAA email has end-to-end encryption. End-to-end encryption guarantees that only the sender and recipient read the email, keeping the ePHI private as it travels between inboxes.
Third-party email security providers must sign a BAA with you. It is the covered entity’s responsibility to ensure the business associate does its part under HIPAA Omnibus rules. Both parties can be liable for fines if found in violation of HIPAA. The BAA typically only covers the business associate’s server, while the covered entity is responsible for the ePHI at rest on its server and while the email is in transit.
Email encryption and security
HIPAA encryption requirements are specified by two main terms, “required” and “addressable.”
Those labeled “required” must be put in place or it’s considered a failure to comply with HIPAA. Those that are called “addressable” only have to be implemented after a risk assessment has determined that encryption is needed for managing risks to PHI.
If your organization determines that email encryption is not appropriate, then you must document your reasoning behind that decision and implement an equivalent solution to safeguard PHI.
However, since there is no appropriate alternative for protecting PHI other than encryption, it’s effectively required. Not using encryption is risky for your patient’s information and your organization.
Does the recipient’s email client need to be secure?
As a healthcare provider, it is difficult to control whether your patients use secure email clients. Below is the regulation on patient email clients.
US Department of Health and Human Services, Omnibus Final Rule, 2013
“We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email… covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.”
As long as you use a secure email service, you are not responsible for what happens on the other side as long as you are following HIPAA regulations. Here are a few things to keep in mind:
- A secure, alternative method must be available for the patient to receive the information.
- Advise patients that their email clients might not be secure. If they say they still want the information, it’s okay to send it. You can also use a HIPAA compliant email provider that guarantees all HIPAA emails you send will be compliant, even if the patient doesn’t support encryption.
- Be sure to document these conversations for your own safety.
How to secure different types of HIPAA compliant emails
Internal email security with PHI
Emails in a closed and secure network don’t require encryption. However, if you use remote workers, they must follow typical encryption rules. A third-party vendor to secure remote staff’s HIPAA email is required. Solutions that secure all email sent are advisable as it removes the chance of accidentally sending PHI.
Provider-to-provider email security with PHI
There is no need to encrypt email sent in your closed email network. However, if providers contact other providers outside of your organization, they must follow typical HIPAA encryption rules. Therefore, solutions that secure all email sent are advisable as it removes the chance of accidentally sending unencrypted PHI.
Personal email security when sent from work
Occasionally, providers work at home and need to send case information and PHI back to their work email. HIPAA email sent from a personal email account to a work account can be a HIPAA violation unless the provider uses a HIPAA compliant email service.
Security of mass emails using BCC
Using BCC to send mass emails is never a good idea. HIPAA compliant options are available to send secure email to individual inboxes. Currently, this is the only option to send a secure bulk email or marketing-type email. However, choose your mass email provider wisely. Most email marketing platforms are not HIPAA compliant or secure. As a matter of fact, the popular MailChimp announced a devastating data breach in April.
Securing reply emails
According to HIPAA, the party initiating the transmission is liable for its security. If the sender is not a covered entity or business associate, they cannot violate HIPAA. However, replying covered entities or business associates are responsible for protecting PHI. Once you reply, you are again responsible for the security of the transmission.
Secure patient emails
What safeguards do you use to protect patient emails? The best practice is to ensure your patients’ email security by using a third-party email security provider that keeps PHI HIPAA compliant.
How to send a secure HIPAA compliant email
Secure cloud-based email servers
One option is to use a secure cloud-based email platform with a HIPAA compliant server. When you connect via HTTPS, you have an encrypted connection. You must sign a BAA with the provider before you send HIPAA email.
Password email security and 2-factor authentication
Secure your email account with a strong password or passphrase, and enable multi-factor authentication if available.
Email services that encrypt healthcare email make sure you remain HIPAA compliant. If the recipient has an email provider that does not support encryption, the email will not be delivered in plain text. Instead, they will be notified about the the message and they can then connect securely to the server to view the message. For patients whose email clients do support encryption, they will receive the HIPAA email directly in the inbox. Using a provider to ensure HIPAA email stays secure and encrypted makes information more accessible for patients and creates better outcomes and experiences.
Secure message portals
EMR/EHR systems with a patient portal can store information. The recipient is notified of a message on the portal via email, where they can log in and securely view it. However, portals are not popular with patients. Only a third of people with access to portals use them. Portals negatively impact patient outcomes, patient satisfaction, and provider workload by creating a challenging communication flow.
A disclaimer or confidentiality notice is not a license to send PHI-filled, unencrypted HIPAA emails. You must keep in mind that disclaimers will not relieve you of your responsibility to send ePHI securely.
Would you like more information on secure HIPAA compliant email?
Contact the experts at Paubox to help with your secure HIPAA compliant email needs. Paubox solutions put the power and ease of email back into that hands of healthcare for better patient and provider experiences.