
Perspectives

Protecting Patient Information in Email Communications Requires Diligent Approach

Shawn Dickerson

Leading mental health professionals will tell you that good communication with your patients is fundamental to positive outcomes. But with an increasing mix of digital devices and technology used today, the roadmap for protecting patient privacy can easily get off track. This means email, the most commonly used tool, could be strengthening your therapist-patient relationships, while also putting patients’ privacy and your organization at risk for non-compliance.

Back in 1996, the Health Insurance Portability and Accountability Act (HIPAA) became the standard for defining protected health information (PHI) and ensuring patient data privacy. As technology use quickly evolved, new guidelines followed, with the HIPAA Privacy Rule (2000) and ensuing Security Rule (2003) mandating new national safeguards and strict requirements for electronic PHI (ePHI). With these rules, the responsibility falls squarely on healthcare practitioners to understand and take proper steps to meet HIPAA regulations, including the secure use of day-to-day email messaging.

What is HIPAA-compliant email

In a recent survey of mental health practitioners conducted by Paubox, email was cited as the number one tool for communicating with patients. It is critical for therapists to understand how to achieve HIPAA compliance, as well as the potential risks involved in not doing so. When using email, healthcare professionals must take reasonable steps to protect all health information that is held or transferred in electronic form, all the way from transmission to the recipient’s inbox. Once the email is received, the recipient is responsible for securing any included PHI.

Many practices use third-party email services to transmit or host their ePHI, that is, identifiable patient information stored and shared electronically. This approach offloads some of the burden, but those third-party email vendors are still required to sign a business associate agreement (BAA) specifying the administrative, physical, and technical safeguards they will put in place to protect patient data.

Because there is no formal certification for email providers to prove HIPAA compliance, the best measurement is to make sure your vendor meets all requirements set by the HIPAA Privacy and Security Rules and has strong technical security to thoroughly protect ePHI from inbox to inbox.

What HIPAA Requires for Email Encryption

When an email is encrypted, its contents cannot be read in plain text if they are intercepted. That’s why encryption is such a valuable ally in securing patient data. The HIPAA regulations related to email encryption fall into two camps: required and addressable. When an encryption requirement is labeled required, it must be adhered to for compliance. Addressable encryption requirements are only necessary if a risk assessment calls for their use to safeguard ePHI. However, when using email, there is really no alternative for effectively protecting patient data other than encryption—so it has effectively become required. Without encryption, your organization and your patients’ privacy will be at risk. According to data from the Department of Health and Human Services (HHS), email accounted for 29% of all HIPAA breaches in 2021.

How to Make Your Email HIPAA Compliant

For HIPAA compliance, any email you send that contains ePHI must be encrypted. Make sure your staff is fully trained in HIPAA rules and seek out ways to take advantage of technology offerings to help facilitate the easy and secure use of email communications. Many email encryption solutions require individuals to press a button or type a password to encrypt a message, and these extra steps can sometimes lead to human error and a potential HIPAA violation.

Most popular email providers, including Google and Yahoo, are not HIPAA compliant and do not guarantee that every message is encrypted. Even with the TLS encryption some providers use, TLS between mail servers is opportunistic: if your recipient’s mail server does not support it, the message is delivered unencrypted. Google’s own data on its email system shows that only 80-90% of email sent with Gmail is delivered encrypted. For HIPAA, that is not sufficient; 100% is required for full compliance.
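The fail-closed alternative to opportunistic TLS, as an added example (not code from the article or from Paubox): the function below refuses to hand a message to the next-hop mail server unless that server advertises STARTTLS, so a recipient without TLS support causes a refusal rather than a cleartext delivery. The FakeSMTP stand-in and the smtp_factory parameter are hypothetical and exist only so the policy can be exercised offline.

```python
# Added example (not from the article or Paubox): a fail-closed SMTP hand-off that
# refuses delivery unless the receiving server offers STARTTLS.
import smtplib
import ssl
from email.message import EmailMessage


class TLSNotOffered(RuntimeError):
    """The next-hop mail server did not advertise STARTTLS."""


def send_enforced_tls(msg, host, port=25, smtp_factory=smtplib.SMTP):
    """Hand `msg` to `host` only after the session is upgraded to TLS."""
    # smtp_factory is a hypothetical injection point so the policy runs offline
    with smtp_factory(host, port) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise TLSNotOffered(f"{host} offers no STARTTLS; message not sent")
        smtp.starttls(context=ssl.create_default_context())  # verifies peer cert
        smtp.ehlo()  # capabilities must be re-read after the upgrade
        return smtp.send_message(msg)  # {} means every recipient was accepted


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP (no network) used by the demo."""
    def __init__(self, offers_starttls):
        self.offers, self.upgraded = offers_starttls, False
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False
    def ehlo(self):
        return (250, b"OK")
    def has_extn(self, name):
        return name.lower() == "starttls" and self.offers
    def starttls(self, context=None):
        self.upgraded = True
    def send_message(self, msg):
        assert self.upgraded, "cleartext hand-off must never happen"
        return {}


def delivery_outcome(peer_offers_starttls):
    """Return 'sent' or 'refused' for a constructed sample ePHI message."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "clinic@example.test", "patient@example.test"
    msg.set_content("Constructed sample body containing ePHI.")
    factory = lambda h, p: FakeSMTP(peer_offers_starttls)
    try:
        send_enforced_tls(msg, "mx.example.test", smtp_factory=factory)
        return "sent"
    except TLSNotOffered:
        return "refused"
```

With the real smtplib default, the same function either delivers over a verified TLS session or raises, which is the behaviour an "encrypt everything by default" policy needs from the sending side.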

The easiest way to ensure your organization is meeting HIPAA standards is to encrypt all email by default. This approach eliminates any possibility of human error for healthcare staff and allows patients to continue using their normal email account—without portals, logins, or apps—for secure communications with you.

Today, there are email providers that offer specifically designed solutions for HIPAA-compliant email. This type of service allows therapists to focus on maximizing their patient relationships, free from the burden of worrying about rules and technology, and can even save money by improving workflow and removing the potential for costly fines.

Shawn Dickerson is vice president of marketing for Paubox.


The views expressed in Perspectives are solely those of the author and do not necessarily reflect the views of Behavioral Healthcare Executive, the Psychiatry & Behavioral Health Learning Network, or other Network authors. Perspectives entries are not medical advice.
