When it comes to the transition of the sensitive information, medical data should be treated especially seriously. In the U.S., this is a matter not only of ethics but also of legal responsibility. In this post, we will discuss HIPAA requirements. In particular, we will explain how to check if they apply to you and what you need to do to keep your emails secure if your response is positive.
What is HIPAA and does it apply to you?
The Health Insurance Portability and Accountability Act of 1996 was passed by the U.S Congress to handle the health insurance and protect patients’ personal data. Among other important regulations, HIPAA establishes security rules for the transmission of electronic information ( Electronic Protected Health Information, or ePHI). These rules apply to the online data that could expose patients’ personal information, healthcare services, medical history, and even related payment details.
How to check whether your activities (namely, emails you or your service sends) are subject to HIPAA? Answer the questions below:
- Can your organization be referred to as a healthcare clearinghouse?
- Do you deal with health plans as a health insurance company, a health maintenance organization, a government program paying for healthcare, or any related entity?
- Do you act as an endorsed sponsor of the Medicare prescription drug discount card?
- Do you provide third-party services to any of the above-listed entities?
If you answered “YES” to any of these four questions, then you should be considered an HIPAA compliant entity, and all data related to patients’ names, addresses, diagnoses, prescriptions, payments, or refunds must be properly protected. It means that you can’t send an invoice or results of medical tests, or prescriptions details via your regular email client or messenger without additional precautions. This applies to the personal information of the employees of the listed organizations as well. In this way, sensitive information can be accessed by a third-party as a result of the mailing attack, laptop loss, or a simple human mistake. This will be treated as a HIPAA violation and will lead to a penalty.
Penalties for HIPAA Email Violations
Penalties are per violation per year | From | To |
Could not have avoided with reasonable care | $100 | $50,000 |
HIPAA email violation despite reasonable care | $1,000 | $50,000 |
Willful Neglect – Corrected within reasonable time | $10,000 | $50,000 |
Willful Neglect – Not corrected | $50,000 | $1,500,000 |
Source: HIPAA Journal
Also, note that there is a criminal penalty for intentionally committed offenses.
Does it sound serious enough? It does, but before we move forward, let’s check what is not subject to HIPAA:
- A patient gave you written consent to communicate via non-secure, non-encrypted channels. However, it is better to transmit data securely – just to stay on the safe side.
- As a patient, you send an email to your doctor. According to HIPAA, the one who started the data transmission is considered the liable party. Be careful: if you as a doctor reply to the patient’s email, it becomes subject to HIPAA compliance.
- Your email communications don’t contain personal information. If you are sending the results of medical research or statistic to a hospital, for instance, they are not subject to HIPAA.
- No HIPAA entity is involved in the data transmission process. For example, you develop an application that allows users to schedule their visits to doctors and creates reminders for taking medicine or alerts when their plan is up to expire. The email notifications from such an app won’t be subject to HIPAA as well.
As a rule of thumb, it is better to protect the information that is not HIPAA compliant information than to miss something and send HIPAA covered data in an insecure way.
HIPAA requirements
The most complicated thing about HIPAA compliance is that the requirements are broad but still vague. Another difficulty encompasses the unavailability of the official compliance certification.
After all, as a HIPAA covered entity, you have to follow technical, physical, and administrative safeguards to ensure proper ePHI protection.
Technical safeguards relate to technology methods to protect ePHI and data access.
Their only provision is that all confidential information transferred outside the internal firewalled servers must be encrypted according to the standards approved by the U.S. National Institute of Standards and Technology (NIST). We will discuss the email encryption in a separate section of this article.
In the rest, you have to ensure the following, in any appropriate method:
- ePHI access control
- ePHI authentication mechanism
- encryption and decryption tools
- audit controls and activity logs
- automated logout for any device
Physical safeguards concern the data storage and include physical access to data on servers (both local and cloud) and devices.
Administrative safeguards focus on the implementation of technical and physical protection.
For more details, we recommend following the HIPAA Journal and the U.S. Department of Health & Human Services website.
How to encrypt emails for HIPAA compliance?
We have already mentioned that according to the HIPAA requirements, emails must be encrypted to NIST standards. It means that messages need to be both encrypted and decrypted to ensure security while sending, transferring, receiving, and storing information.
AES encryption is one of the recommended algorithms. It is implemented in TLS as well, but note that simple TLS encryption is not enough: mostly, email services use opportunistic TLS. This is enough for sending encrypted information but if the recipients’ server doesn’t support TLS, the message arrives without encryption.
So, how can you implement the required encryption for your email messages?
Set up your own infrastructure
This method fits large corporate organizations that have resources for setup and maintenance of their own secure hosting and email infrastructure. This is a complicated and highly tech savvy task. If you are not absolutely sure that you are able to ensure the required level of security, it is better to use a third-party service.
Don’t send confidential information via email
It sounds weird but in fact, you can keep all the ePHI on the dedicated patient portal, which is HIPAA compliant, and send a link to the appropriate notification via email. You should consider this option if you already use (or plan to use) a patient portal software. Such platforms offer all-in-one service for scheduling, payments, messaging, and more. Some of the popular systems are Athenahealth, Epic, Cerner, NextGen Office, etc.
Use an encrypted email service
This is the most popular option and you have a broad selection of HIPAA compliant email sending providers. Some of them offer standalone services and other – plugins for your preferred email clients. We will do a brief overview of the most popular options in a separate section.
Patient safety and confidentiality are top priorities for services provided by the server. As a healthcare provider, a HIPAA compliance security checklist is a must. If you have a medical website built with WordPress, you are probably wondering if it should (and can) be compatible with HIPAA.
Whichever method you choose, keep in mind the following rules:
- Train your staff to make sure they are aware of HIPAA regulations and properly use your software to transfer ePHI data. The majority of HIPAA violations happen due to human errors. Ideally, everyone who has access to PHI must sign the HIPAA awareness agreement to acknowledge their responsibility for violations.
- If you use a third-party provider for email sending or hosting, whatever, sign a business associate agreement. Such an agreement defines the methods that your provider uses to fulfill the HIPAA requirements as well as defines the responsibility for compliance.
- Make sure that all related online communications and archived, stored, and available for legal purposes. In case a data breach occurs, they may serve as proof of the reasonable care taken to comply with HIPAA.
HIPAA compliant email providers
The most popular solution is to entrust the transmission of sensitive data to a HIPAA compliant email service provider. In this section, we will answer the frequent questions like which email providers can be considered HIPAA compliant and whether it is possible to keep sending emails via your preferred service.
The main idea of using the proper email service is to ensure that only the authorized sender and recipient are able to access the content of the message.
The HIPAA Journal lists 10+ compliant email providers. Let’s review several services and methods they use to ensure the security of your communications.
Hushmail for Healthcare
Hushmail provides you with an email account, which is available as a web service or an iPhone app. If your recipients don’t use Hushmail, they will get emails protected with a password or a security question.
Hushmail’s interface is similar to most popular email clients. You need to tick an encryption checkbox manually when sending a message to a non-Hushmail account, which entails a risk of sending unsecured emails.
For developers, they provide access to their API so that the service can be customized and used for sending automated email notifications.
Pricing starts at $9.99 per month per user. Also, there is a special price for non-profit organizations.
NeoCertified
NeoCertified is another service that offers a secure web portal. In addition, they provide seamless integration with Gmail and Outlook by adding a button, as well as iPhone and Android apps.
NeoCertified bills you annually, starting at $99 per user, with a special price for non-profits as well.
You can also integrate NeoCertified API with your own software with its SDK.
Paubox
Paubox is a comprehensive system for sending HIPAA compliant emails. They offer seamless integration with commercial platforms like Office 365, G Suite, Salesforce, etc. It doesn’t require the installation of an extra application, either for the sender or the recipient.
You can integrate Paubox with your own application with API or using its SMTP relay. Email Data Loss Prevention (DLP) and Email Archiving are offered as additional solutions.
The cost of the minimum subscription is $30 per month for three users. The price of using API and SMTP relay depends on the number of messages you send monthly and starts at $100 for 10,000 emails.
Virtru
Virtru provides data encryption tools for enterprise applications. Sending HIPAA compliant emails is one of them. It can be integrated with Gmail, Google Drive, and Microsoft Outlook. Email protection can be switched on and off manually.
To decrypt your message sent with Virtru, your recipients will need to verify themselves with a password or an email confirmation.
For bigger needs, SDK is available as well. Virtru pricing is custom.
LuxSci
LuxSci is also a platform and a set of tools for secure email, high volume sending, email archival, and smart hosting. You can send messages via an SMTP TLS. In this case, recipients don’t need to authenticate to read your message. However, such an email will be encrypted during transmission only. Another option is a secure portal, which can be accessed via a free account or answering a security question.
Starting monthly price is $50 at $1-10 per user, as users come in multiples of five.
Other options
Mostly, HIPAA compliant email sending is offered as a part of the secure portal, in some cases – SMTP relay. The services may be quite expensive. But any HIPAA compliant email sending provider you choose, they will sign a business associate agreement (BAA) with you, which is an obligatory requirement. And what about our usual email clients like Gmail, Outlook, Mailchimp? Some of the above listed tools add plugins for popular services, does it mean that they are not HIPAA compliant?
Gmail and Outlook can’t be HIPAA compliant. They are free and not designed for business use. It means that you can’t sign a BAA with any of them. However, their paid versions – G Suite and Office 365 – can be used for sending ePHI securely. Check their policies, sign BAA, and set up the right configuration, before you can move forward.
GoDaddy is not HIPAA compliant on its own, but provides email encryption and archiving for GoDaddy Office 365 customers.
Most email marketing platforms can’t ensure HIPAA compliance. For example, Mailchimp states in its Terms of Use that this is customer’s responsibility to determine if their service can be used for proper transmission of the confidential information. In addition, Mailchimp won’t be able to sign a BAA with you.
Amazon AWS is one of the less advertised options for medical needs. Still, you can use it for hosting your application and sending email communications via Amazon SES, since they are both HIPAA compliant.
Summarizing HIPAA and emails
All confidential information in healthcare (and other industries as well) must be properly protected and accessed by the addressed parties only. You need to be very cautious when choosing methods and services for transferring ePHI. Follow these simple rules:
- Use secure hosting for your application and make sure all emails you send are encrypted to NIST standards.
- Sign BAA with every third-party service you use.
- Train your staff and follow updates in HIPAA rules regularly.