Many Smart Training clients send Protected Health Information via email but are unsure how to make their email HIPAA compliant. To add to the challenge, many email service providers offer an encrypted email service, but not all are HIPAA compliant – and few actually incorporate the necessary safeguards to meet HIPAA requirements. Even services that encrypt messages in transit may not have the required level of security to make them HIPAA compliant.
Research potential HIPAA-compliant email service providers to ensure that they provide a service that is suitable for your requirements. A search on Google will produce several potential service providers. Enter into a HIPAA-compliant business associate agreement with your email provider.
Ensure that your provider offers end-to-end encryption, so that messages are encrypted both in transit and at rest (while stored on the provider's servers). Access controls are then used to ensure that only the sender and the intended recipient can access the messages.
If you use a third-party email provider, obtain a Business Associate Agreement prior to using the service for sending ePHI. The BAA should outline the responsibilities of the service provider and must establish that administrative, physical, and technical safeguards will be used to ensure the confidentiality, integrity, and availability of ePHI. If your email service provider is not prepared to enter into a business associate agreement, look elsewhere. Be aware that several providers, like Google, will not enter into BAAs for ‘free’ services.
Even when a BAA is obtained, it is possible to violate HIPAA. Simply using an email service that is covered by a BAA does not make your email HIPAA compliant. Once you have implemented a compliant email service, train your staff on the correct use of the service. Data breaches often occur as a result of errors made by healthcare staff, including the accidental sending of ePHI via unencrypted email and the sending of ePHI to individuals who are not authorized to view the information. Every staff member should be aware of their responsibilities under prevailing patient privacy laws.
More about encrypted email requirements next week.
Smart Training Compliance Services