The HIPAA Privacy Rule's requirements for email are getting stricter. Most of the time, emails sent to patients from physical therapy clinics are NOT secure or HIPAA compliant. Unless you have gone through the security checklist for your specific email provider, your patients, and your staff, you are most likely breaking the Privacy Rule. So, be careful what you send: don't include sensitive information (it could get you in trouble) unless you know for sure that the channel is secure.
Is email from Gmail, Outlook 360, GoDaddy, or another web host secure?
There are services that offer enhanced security and protected emailing, but there is a lengthy process to setting them up correctly to comply with the HIPAA Privacy Rule.
Gmail, in its paid version, can be set up to comply with the Privacy Rule as long as several safeguards are taken: obtaining the patient's consent, using the correct SMTP settings in mail clients, adjusting the proper options, and so on. The free version can have many vulnerabilities, since Google has multiple core services (Hangouts, Contacts, Calendar, Drive, etc.) and third-party app connections. Free Gmail also conveniently works on phones and other mobile devices, which can introduce vulnerabilities as well. Sometimes the email systems with fewer bells and whistles are easier to make HIPAA compliant.
Most email systems can be set up to be secure, but if you don't do your part to ensure strong protection, you could be vulnerable. It's important to remember that the essence is to keep protected health information private, away from as many outside eyes as possible. No matter which email service you use, it's important to set the system up properly and follow the safeguards listed below.
What are the Safeguards to Comply with the HIPAA Privacy Rule?
With just about any email system you choose, the steps to making it secure largely depend on you. Here are the steps:
- Patient's consent obtained to send protected health information (PHI) via email.
- Email boxes are using strong passwords.
- If using a mail client, make sure to use the highest level of security available in its settings.
- Measures taken to harden email against potential hackers.
- Business Associate Agreement obtained from every company that might have access to your emails.
- If using a password manager in your browser or a third-party app, is your computer properly secured with a strong password? How long before your computer locks?
- If using a mail client (Outlook, iPhone, etc.), are the secure settings being used rather than the basic POP settings?
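The last two checklist items can be turned into a repeatable check. The script below is an added example, not code from the original post or any vendor; it audits a mail client's account settings (protocol, port, encryption) against an assumed policy that only the TLS variants count as "secure settings". The policy table and sample accounts are constructed for the example; compare them with your own provider's published settings.

```python
# Added example: audit mail-client account settings against the
# "use the secure settings, not basic POP" safeguard. Policy table and
# sample accounts are constructed here, not taken from any provider.
from dataclasses import dataclass

# (protocol, port, encryption) combinations accepted as "secure settings".
# Assumed policy: implicit TLS on the standard TLS ports, or SMTP
# submission on 587 with STARTTLS. Verify against your provider's docs.
SECURE_SETTINGS = {
    ("imap", 993, "ssl"),
    ("pop3", 995, "ssl"),
    ("smtp", 465, "ssl"),
    ("smtp", 587, "starttls"),
}

@dataclass
class MailAccount:
    name: str
    protocol: str    # "imap", "pop3" or "smtp"
    port: int
    encryption: str  # "none", "starttls" or "ssl"

def audit_account(acct: MailAccount) -> list:
    """Return the findings for one account; an empty list means it passes."""
    proto, enc = acct.protocol.lower(), acct.encryption.lower()
    findings = []
    if enc == "none":
        findings.append(f"{acct.name}: {proto} on port {acct.port} carries the "
                        "password and every message in cleartext")
    elif (proto, acct.port, enc) not in SECURE_SETTINGS:
        findings.append(f"{acct.name}: {proto}/{acct.port}/{enc} is not an "
                        "approved secure combination")
    if proto == "pop3":
        findings.append(f"{acct.name}: POP3 downloads mail onto the device; "
                        "prefer IMAP so PHI is not copied to laptops and phones")
    return findings

def audit_accounts(accounts: list) -> dict:
    """Map each failing account's name to its findings."""
    return {a.name: f for a in accounts if (f := audit_account(a))}

# Constructed sample configurations, as a clinic's mail client might hold them.
SAMPLE_ACCOUNTS = [
    MailAccount("front-desk-in", "pop3", 110, "none"),       # basic POP: fails
    MailAccount("front-desk-out", "smtp", 25, "none"),       # cleartext SMTP: fails
    MailAccount("therapist-in", "imap", 993, "ssl"),         # secure: passes
    MailAccount("therapist-out", "smtp", 587, "starttls"),   # secure: passes
]

if __name__ == "__main__":
    for name, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        for line in findings:
            print("FAIL", line)
```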
What are alternatives to using email?
There are several other options for sharing PHI, but some are highly complex and costly. I will mention the more affordable and simpler options here but will not go too deeply into each one. Follow the links to learn more.
- Dropbox – This is an option, but not a great one, since there are many settings and options that can leave you vulnerable if you don't choose the correct ones. It's a bit convoluted. Learn more.
- Amazon S3 – You can use this to share PHI, but it can be a bit technical, especially for the average consumer. Learn more.
- Google Drive – Once again, many settings and connections with other services and apps. If not set up correctly, it could lead to vulnerabilities. Learn more.
What is the BEST solution?
A private ecosystem such as IndeHUB or something similar.
Creating a secure environment with fewer doors of access to third-party apps and integrations works best: a private environment that is simple and secure, with fewer connections to third-party apps or the outside world. It allows convenient sharing of protected information in a safe, encrypted environment. Other features include:
- There's no sending or receiving of information; it stays inside the environment.
- HTTPS only.
- High-level encryption.
- Fewer options to share or link data to outsiders, and fewer access doors to the outside world.
- User’s access can be controlled and turned off anytime by IndeHUB administrator.
- No potential loss of data.
- And more.
Remember, it's all about keeping sensitive health information safe, secure, and away from the public. Be safe!
Learn more about the HIPAA Privacy Rule: http://www.hhs.gov/hipaa/for-professionals/privacy/