Is Email HIPAA Compliant?

Although it's possible to take steps that make e-mail more secure, there are always some risks involved. Even encrypted e-mails might not always pass muster.

Technically, e-mail can be HIPAA compliant, but it's inherently risky. If your organization plans to use e-mail to send protected health information (PHI), it's important to consider the risks very carefully.

If you work for a health care provider, insurance company, or other covered entity subject to HIPAA, then you're probably familiar with that law's Privacy Rule, which stipulates that an individual's protected health information may not be disclosed to third parties, except to the extent that such parties are involved in that person's medical treatment, payments, or other related operations.

Penalties for organizations that violate the HIPAA Privacy Rule can be steep, with the highest fines topping $5 million. Although the Office of Civil Rights (OCR) does distinguish between willful negligence and a simple lack of knowledge, they will still levy fines in both cases. In other words, ignorance is no excuse for failing to protect patient information.

What's Needed to Make E-mail HIPAA Compliant?

HIPAA stipulates that electronic PHI (also known as ePHI) must be encrypted when it is "at rest" as well as "in transit". In other words, ePHI data stored on a local computer should be encrypted on that computer, but the information must also be safeguarded when it is being transmitted to an authorized third party.

There are a number of e-mail providers that offer encryption, but they're not all necessarily HIPAA compliant. Many health care providers have asked us whether Gmail's new “confidential mode” is HIPAA compliant. The short answer is “no.” In order to comply with HIPAA, an e-mail service must implement specific safeguards as set forth in HIPAA's Privacy and Security Rules.

To complicate things further, those guidelines have changed over the course of time. Services that used the Data Encryption Standard (DES) were once acceptable, for example. Today, that technology is no longer sufficient. Instead, it's recommended that covered entities use AES with a 128-, 192-, or 256-bit key.

Even if you have the right encryption technology in place, human error can easily lead to an unintended disclosure of PHI via e-mail. For example, some e-mail providers require that a user must “turn on” encryption for each e-mail before sending. If a user forgets to do that, even once, it results in a HIPAA violation.

Here's an even more common scenario: an employee can easily send an e-mail to the wrong address by mistake. We're all familiar with those situations where someone inadvertently types in the wrong e-mail address and hits the "Send" button before double-checking that information. This simple mistake can lead to an unauthorized disclosure of ePHI. Employee training is therefore critically important.

Is it Safer to Just Avoid Using E-mail for ePHI?

Unfortunately, it's simply not possible to completely eliminate human error from the process of sending e-mails that contain ePHI. That's why so many organizations look to more secure methods for sending and receiving patient information.

For most, HIPAA compliant Secure Cloud Fax is the preferred option. Fax is well established as a highly secure mode for transmitting information, but it's important to find the right service provider. Not all fax services are HIPAA compliant, and not all fax providers will sign a custom Business Associate Agreement (BAA), which is essential for organizations that want to remain fully compliant with HIPAA.

HIPAA compliant Healthcare Fax from WestFax meets the highest standards for security in the industry. We offer high-level encryption, and our fax servers are hosted in data centers with 24x7 security, video surveillance, and secure access control.

We also make fax easy to use. Users can send and receive faxes from a desktop or laptop computer, a mobile device, or a multi-function printer/copier/fax machine. WestFax also offers a Fax API that makes it easy to embed fax capabilities into your software.

If you're looking for the most secure way to send and receive PHI while still remaining in the good graces of HIPAA and OCR, WestFax can help. We offer expert advice and can tailor a HIPAA compliant healthcare fax solution to meet your unique needs. Contact us today.