
What’s Really Required of HIPAA Compliant Email?

Robert McDermott

Even though most of us understand the importance of HIPAA regulations, it doesn’t change the fact that compliance has been a hurdle at best and a hindrance at worst, particularly when it comes to emailing protected health information (PHI). Finding the right tool that allows you to leverage modern technology and stay HIPAA-compliant will improve communication and efficiency while keeping your patient data protected.

WHY HIPAA-COMPLIANT EMAIL IS IMPORTANT FOR PATIENTS AND PROVIDERS

Leaked healthcare data can be devastating for patients and providers alike. PHI is a prime target for cybercriminals: compromised records can be used, or sold, to expose a patient's medical history or to steal their identity. Data is at its most vulnerable while in transit, and email itself is a risky channel. By one widely cited estimate, 91% of all cyberattacks begin with an email, making it one of the riskiest, yet most indispensable, tools in your practice.

The financial impact on an individual whose identity is stolen can be significant (identity fraud losses were estimated at $6.1 billion in 2021), but the cost to the business or organization responsible for the leak is greater still. According to an IBM Security report, the average cost of a data breach for healthcare organizations "increased by $1 million from March 2021 to March 2022 to hit $10.1 million. That's up more than 40% since the 2020 report."

WHAT DOES HIPAA-COMPLIANT EMAIL REQUIRE?

There is no single factor that makes email HIPAA-compliant. Compliance requires assuring both the security and the privacy of protected health information (PHI) and electronic health records (EHR) sent by email. There are a few key things to understand about HIPAA-compliant email.

They are:

• Emails containing PHI should not be sent unless they are encrypted. Depending on where the PHI sits, you can encrypt the message body, the attachments, or both. The same requirement does not apply to email a patient initiates about their own care (provided the patient has been made aware of the risk), nor to messages that never leave the healthcare organization's own secured network.

• PHI should never be sent from a personal email account.

• Internet-based consumer email providers such as Yahoo, AOL and Hotmail are not HIPAA-compliant out of the box.

• A business associate agreement (BAA) only covers PHI while it is in the business associate's hands, for example on the vendor's servers. Your organization remains responsible for the rest of the message's journey, including the hop to the recipient's mail server and the recipient's inbox, which is where the risk lies. That is why end-to-end encryption, in which only the sender and the intended recipient can read the content, is the better choice.

Those are just the basics. The technical safeguards of the HIPAA Security Rule (45 CFR 164.312) also require:

• Access Control. Restrict access to ePHI to authorized persons and software programs only.

• Audit Controls. Record and regularly review an auditable trail of email activity and transmissions.

• Integrity Controls. Implement policies and procedures to ensure ePHI is not improperly altered or destroyed.

• Transmission Security. Implement technical security measures, such as encryption (or an equivalent, documented alternative), to guard against unauthorized access to ePHI while it is being transmitted electronically.

• Person or Entity Authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information (ePHI) is who they claim to be.
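The audit-control and transmission-security points above are easier to act on with a concrete check. The following script is an added example, not code from the original article or from any vendor it mentions: it reads Postfix-style mail log lines and flags outbound deliveries to external domains that went over a hop with no TLS session logged, plus deliveries to consumer webmail domains. The sample log lines, the internal-domain list and the webmail list are all constructed assumptions for the example. Note the caveat built into the check: a logged TLS session proves only that one hop was encrypted, not that the message content was end-to-end encrypted, so a clean result here does not by itself satisfy the BAA gap described earlier.

```python
"""Audit Postfix-style mail logs for PHI transmission findings (added example).

Correlates "TLS connection established" lines with delivery lines from the
same smtp process and relay, then flags external deliveries with no TLS hop
and deliveries to consumer webmail domains. TLS here only shows hop
encryption; it cannot tell whether the payload was end-to-end encrypted.
"""
import re
from dataclasses import dataclass

# Assumed: the covered entity's own mail domains (constructed for the example).
INTERNAL_DOMAINS = {"ourpractice.example"}
# Assumed: consumer webmail domains that are not HIPAA-compliant out of the box.
CONSUMER_WEBMAIL = {"yahoo.com", "aol.com", "hotmail.com", "gmail.com"}

# Postfix logs one of these per TLS handshake, keyed by smtp pid and relay host.
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: "
    r"(?:Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<relay>[^\[\s]+)\["
)
# Delivery attempt line: queue id, recipient, relay host and final status.
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>[^\[\s]+)\[.*status=(?P<status>\w+)"
)

# Constructed sample log (not real traffic). Queue ids and hosts are made up.
SAMPLE_LOG = [
    "Mar  3 10:01:02 mx1 postfix/smtp[2201]: Trusted TLS connection established to "
    "mx.partnerclinic.example[203.0.113.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)",
    "Mar  3 10:01:02 mx1 postfix/smtp[2201]: 4A1B2C3D4E: to=<referrals@partnerclinic.example>, "
    "relay=mx.partnerclinic.example[203.0.113.5]:25, delay=0.8, delays=0.1/0/0.4/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)",
    "Mar  3 10:02:15 mx1 postfix/smtp[2202]: 5B2C3D4E5F: to=<frontdesk@ourpractice.example>, "
    "relay=mail.ourpractice.example[10.0.0.5]:25, delay=0.2, delays=0.1/0/0/0.1, dsn=2.0.0, status=sent (250 Ok)",
    "Mar  3 10:03:40 mx1 postfix/smtp[2203]: 6C3D4E5F60: to=<someone@hotmail.com>, "
    "relay=hotmail-com.olc.protection.outlook.com[52.101.8.1]:25, delay=1.1, delays=0.1/0/0.6/0.4, dsn=2.0.0, status=sent (250 ok)",
    "Mar  3 10:04:05 mx1 postfix/smtp[2204]: Trusted TLS connection established to "
    "gmail-smtp-in.l.google.com[142.250.0.26]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)",
    "Mar  3 10:04:05 mx1 postfix/smtp[2204]: 7D4E5F6071: to=<patient@gmail.com>, "
    "relay=gmail-smtp-in.l.google.com[142.250.0.26]:25, delay=0.9, delays=0.1/0/0.5/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)",
    "Mar  3 10:05:30 mx1 postfix/smtp[2205]: 8E5F607182: to=<nobody@partnerclinic.example>, "
    "relay=mx.partnerclinic.example[203.0.113.5]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=5.1.1, status=bounced (550 5.1.1 User unknown)",
]


@dataclass
class Finding:
    queue_id: str
    recipient: str
    issue: str


def audit(lines):
    """Return a list of Finding objects for successful external deliveries."""
    tls_sessions = set()  # (pid, relay) pairs that logged a TLS handshake
    findings = []
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            tls_sessions.add((m["pid"], m["relay"]))
            continue
        m = DELIVERY_RE.search(line)
        if not m or m["status"] != "sent":
            continue  # only completed deliveries can have exposed PHI
        domain = m["rcpt"].rsplit("@", 1)[-1].lower()
        if domain in INTERNAL_DOMAINS:
            continue  # stayed on the organization's own network
        if (m["pid"], m["relay"]) not in tls_sessions:
            findings.append(Finding(m["qid"], m["rcpt"], "external delivery with no TLS session logged"))
        if domain in CONSUMER_WEBMAIL:
            findings.append(Finding(m["qid"], m["rcpt"], "recipient on consumer webmail domain"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.queue_id} {f.recipient}: {f.issue}")
```

Run against the constructed log, the hotmail delivery produces two findings (no TLS hop, consumer webmail) and the gmail delivery one (consumer webmail only, since its hop was TLS-protected); the partner-clinic delivery over TLS and the internal delivery produce none, and the bounced message is ignored. In production you would feed it the real mail log and route findings into whatever review process backs your audit controls.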

The bottom line is that your organization is responsible for protecting any PHI sent via email, which means choosing the safest and smartest option to ensure that protection. Be aware, too, that not all HIPAA-compliant email platforms are the same, or equally safe.

THE RIGHT HIPAA-COMPLIANT EMAIL IMPROVES PATIENT CARE AND COMPLIANCE

HIPAA regulations are clear that what you need goes beyond encryption. The right encrypted, HIPAA-compliant email solution:

• Is cloud-based, with redundant secured servers, so your data stays available and protected and you can reach it from anywhere.

• Blocks unsolicited mail from non-provider senders; essentially, you must initiate any email conversation with a third party.

• Won’t limit the type, number or size of files you can attach.

• Should include a pre-vetted referral network.

The right HIPAA email solution doesn't just provide security and compliance; it also enhances the way you work. Imagine data security, peace of mind, enhanced communication, protected inboxes and a built-in referral network, all in one solution. Turn HIPAA compliance from an obstacle into an opportunity to improve your business.

Mr. McDermott is president and CEO of iCore Connect. NYSDA endorses iCoreExchange encrypted HIPAA email from iCoreConnect. iCoreExchange provides cloud-based, compliant email, along with a built-in referral network and unlimited attachments. Book your free demo and access significant member discounts at iCoreConnect.com/NY5.
