Sending and receiving HIPAA-compliant email is important for healthcare organizations. It protects PHI at rest and in transit, and provides a record should an audit or question arise.
To be HIPAA compliant, email containing PHI must be end-to-end encrypted. However, Gmail does not support this feature.
End-to-End Encryption
End-to-End Encryption is the best way to ensure email complies with HIPAA requirements. It encrypts both messages in transit and stored messages, and also uses access controls to make sure only the intended recipient can read those emails.
If you’re using email for business communications, your organization is a covered entity under the Health Insurance Portability and Accountability Act (HIPAA). This means your organization is responsible for ensuring all electronic protected health information (ePHI) is properly encrypted to meet HIPAA compliance standards.
For many organizations, this means that they are using third-party service providers to manage their email. These service providers are referred to as business associates and are required by HIPAA to implement physical, technical, and administrative safeguards to protect ePHI from unauthorized access and use.
Mimecast Secure Messaging satisfies this requirement by enabling organizations to automatically send emails that comply with HIPAA encryption requirements when they contain certain content or are sent to certain recipients or domains. Messages are securely uploaded to the Mimecast cloud, scanned for malware and viruses, and stored in a secure AES encrypted archive before being sent.
Access Controls
HIPAA compliance for email requires access controls to be enabled, based on the user’s job function. This is required to ensure that PHI is only accessed by individuals who need it to perform their job duties.
Keeping audit logs of user access also enables administrators to detect unusual patterns that could indicate insider or external breaches of security. These types of monitoring processes can be complex, but they can help prevent breaches from occurring.
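As an added example (not code from the page or from any product it mentions), the following Python sketch shows the two controls this section describes working together: a role-based check that decides whether a user's job function covers a PHI category, with every attempt, allowed or denied, written to an audit log, and a review pass over that log that flags denied attempts and any user reading an unusually large number of distinct patient records within a short window. The roles, PHI categories, thresholds, and sample log entries are all constructed assumptions.

```python
"""Role-based PHI access check plus audit-log review.

Added illustration, not from any product named on the page.
Assumptions (hypothetical): three job functions, a fixed set of PHI
categories, and "unusual" meaning either a denied attempt or one user
touching more than `max_patients` distinct patients inside `window`.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical role policy: which PHI categories each job function may read.
ROLE_PERMISSIONS = {
    "clinician": {"clinical_notes", "lab_results", "contact_info"},
    "billing": {"insurance", "contact_info"},
    "it_support": set(),  # administers systems, never reads PHI content
}


def check_access(log, user, role, category, patient_id, when):
    """Allow the read only if the user's role covers the PHI category.

    Unknown roles get no permissions (deny by default). Every attempt is
    appended to `log`, so denied attempts are recorded as well as allowed ones.
    """
    allowed = category in ROLE_PERMISSIONS.get(role, set())
    log.append({
        "ts": when,
        "user": user,
        "role": role,
        "category": category,
        "patient": patient_id,
        "result": "allow" if allowed else "deny",
    })
    return allowed


def find_unusual_access(log, max_patients=5, window=timedelta(hours=1)):
    """Review an audit log and return a list of findings.

    Finding shapes:
      ("denied", user, category)   - role policy blocked an attempt
      ("volume", user, n_patients) - user read > max_patients distinct
                                     patients within one `window`
    """
    findings = []

    # 1. Denied attempts: the policy fired, so someone reached for data
    #    outside their job function. Each one deserves a look.
    for entry in log:
        if entry["result"] == "deny":
            findings.append(("denied", entry["user"], entry["category"]))

    # 2. Volume: an allowed-but-unusual pattern, e.g. one clinician paging
    #    through many patients' records in a short time.
    by_user = defaultdict(list)
    for entry in log:
        if entry["result"] == "allow":
            by_user[entry["user"]].append(entry)
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            patients = {e["patient"] for e in in_window}
            if len(patients) > max_patients:
                findings.append(("volume", user, len(patients)))
                break  # one finding per user is enough
    return findings


def build_sample_log():
    """Constructed sample: a morning of access attempts (not real data)."""
    log = []
    t0 = datetime(2024, 1, 15, 9, 0)
    # dr_lee reads clinical notes for 7 distinct patients in under 30 minutes.
    for i in range(7):
        check_access(log, "dr_lee", "clinician", "clinical_notes",
                     f"P{i:03d}", t0 + timedelta(minutes=4 * i))
    # billing_ana reads insurance data for two patients (allowed) ...
    check_access(log, "billing_ana", "billing", "insurance", "P001", t0 + timedelta(minutes=5))
    check_access(log, "billing_ana", "billing", "insurance", "P002", t0 + timedelta(minutes=6))
    # ... then tries clinical notes, which billing is not permitted to read.
    check_access(log, "billing_ana", "billing", "clinical_notes", "P001", t0 + timedelta(minutes=7))
    # it_sam (IT support) tries to open lab results: denied.
    check_access(log, "it_sam", "it_support", "lab_results", "P005", t0 + timedelta(minutes=8))
    return log


if __name__ == "__main__":
    for finding in find_unusual_access(build_sample_log()):
        print(finding)
```

In a real deployment the log would go to append-only storage the monitored users cannot edit, and the volume threshold would be set per role from observed baselines rather than a single constant; the point of the sketch is that the access decision and the review both consume the same record, so a denied attempt is evidence rather than a silent failure.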
Encrypting emails to the standards stipulated by NIST is an effective safeguard against tampering, unauthorized access and interception of ePHI during transmission. This can make a big difference in preventing breaches of HIPAA compliance for email.
Business Associate Agreements
If your organization uses a third-party to create, maintain, receive or transmit PHI on your behalf, you need a Business Associate Agreement (BAA). These documents are mandatory under HIPAA to protect patient information and prevent data breaches.
A business associate is any individual or entity that stores, processes, transmits or maintains protected health information. It doesn’t matter whether they’re a vendor, subcontractor, or employee of a healthcare provider – they all need to be HIPAA compliant.
Depending on their activities, a covered entity’s business associates can include health plans, healthcare clearinghouses, healthcare providers who relay private healthcare information, and researchers.
A BAA establishes permitted uses and disclosures of PHI, requires the business associate to follow reasonable security protocols, and details responsibilities for a violation. In the event of a breach, business associates are subject to penalties from the Department of Health and Human Services and other regulators. These penalties range from fines to corrective action plans and even jail time.
Training
Email is one of the most commonly used forms of communication among healthcare professionals. This means it’s important to ensure all email communications involving patient data are secure and compliant with HIPAA regulations.
Protected health information (PHI) is any information identifying a client or patient, including names, addresses, phone numbers, Social Security numbers, biometrics, and much more. It can also include digital files that don’t necessarily reveal a patient’s medical history, such as intake forms or health questionnaires.
The HITECH Act has spurred an increase in the number of healthcare providers who are using electronic systems to share patient data. While this increases access to patients’ data, it also puts more pressure on healthcare organizations to safeguard that information.
When choosing a HIPAA compliant email service, make sure to look for one that will provide you with a Business Associate Agreement (BAA). BAAs affirm the service’s willingness to accept responsibility for protecting your clients’ sensitive information and meet the ten standards of HIPAA compliance.