HIPAA-covered entities are responsible for making sure that the transmission of protected health information by email is secured. The entity may choose any HIPAA compliant email provider as long as appropriate controls guarantee PHI confidentiality, integrity and availability.
A HIPAA compliant email provider must offer end-to-end encryption of messages. It doesn’t matter if the software is hosted on your own systems or the provider takes care of everything. If you need to change email provider, it’s not mandatory to change your email address. Some services let you keep your current email address so you can send messages as you used to.
Here are the safeguards required by the HIPAA Security Rule to be considered as a HIPAA compliant email provider:
1. Access controls – 164.312(a)(1)
2. Audit controls – 164.312(b)
3. Integrity controls – 164.312(c)(1)
4. Authentication – 164.312 (d)
5. Secured PHI in transit – 164.312(e)(1)
In addition to the above requirements, the covered entity must also sign a business associate agreement with the email service provider. Without this BAA, the covered entity cannot use the email service.
The email service provider’s responsibility is to incorporate all the required safeguards. The covered entity’s responsibility is to configure the email settings correctly, to train the staff regarding the proper use of email, including its allowable uses and PHI disclosures. The covered entity should also consider the technologies necessary to lower the risk of email-based attacks like phishing. Certain email providers already come with features like inbound message scanning and spam, malware or phishing email blocking.
Many healthcare organizations ask if email encryption is mandatory. Encryption is not mandatory but covered entities must assess their organization’s need for encryption. If messages are sent internally using a secure email server located behind a firewall, there’s no need for encryption. Encryption is also not needed when sending emails to patients who gave their consent to receive messages via email. If messages are sent outside the protection of a firewall, such as when sending payment claims or referring patients to other healthcare organizations, encryption is necessary.
Here is a list of HIPAA compliant email providers that are also willing to sign a business associate agreement. It is not an exhaustive list but it will get you started when looking for a suitable email service provider.
· Hushmail for Healthcare
· VM Racks
· Apsida Mail
· Protected Trust
· Delivery Trust from Identillect Technologie
· MD OfficeMail
Don’t neglect the importance of using HIPAA compliant email service providers. The Department of Health and Human Services issued fines to violators. Phoenix Cardiac Surgery, for example, paid $100,000 for not using a secure web-based email.