If you’ve made it to this blog, chances are you’re either HIPAA compliant already or looking to become compliant. If you aren’t familiar with HIPAA, have just learned recently you need to adapt your business to compliance, or need a quick refresher on what HIPAA entails from a tech perspective, we have a fantastic webinar series on HIPAA, which you can find right here.

Do I need HIPAA Compliant email services?

Email is one of the most prevalent methods of communication in the modern world, if not the single most prevalent. Every day, professionals around the world use email to find new business, collaborate on projects with their peers, and communicate with clients over the internet. HIPAA has been a big name for several years for those of us handling medical records and other sensitive client information. Its stringent requirements and hefty fines have weighed on our minds, especially as we had to adapt our businesses to function during a global pandemic.

As businesses adapted to staff working remotely, communicating with patients primarily over the internet, and other social distancing requirements, email grew even more important in our lives. For those of us trying to send electronic protected health information (ePHI), however, the concerns over meeting HIPAA requirements skyrocketed. The key question became: “Can I use my email to send sensitive ePHI documents?”

The good news is: Yes, you can*! (*with a little adaptation and configuration). Unfortunately, almost no general-purpose email setup is compliant with HIPAA’s requirements out of the box. You can use several methods to shore up your email security and become comfortable sending ePHI to your clients over email. Here are five great steps to get you started toward email HIPAA compliance:

5 Key Steps for HIPAA Compliant Email

1. Encryption from Start to Finish

Almost everyone is familiar with the Hollywood version of “Encryption.” This mythical technology concept often involves conspiracies, secret agents, and fiercely defended virtual keys. The fundamental concept of encryption is much simpler: a mathematical transformation, controlled by a key, that changes how a computer reads data so that anyone without the key cannot make sense of it.

To offer a brief example, let’s say your computer can read a script of 1s and 0s with no trouble. We apply a simple encryption key on your computer which says ‘multiply all values by 2’. Now all your computer’s data is in 2s and 0s. If we download a document from your computer and upload it to a standard 1s-and-0s computer, it will have no idea what to do with the 2s! This is essentially how encryption works: a computer must know the mathematical key in order to interpret the foreign data.

How does this apply to your email? Encryption, as described above, can be applied to data in transit as well! One of the best ways to move your email environment toward HIPAA compliance is to encrypt your emails. If you have a dedicated IT team, they’ll be able to work with you to get this set up. If not, many email vendors will be more than happy to give you encryption options.

There are, however, a few essential facets of HIPAA compliant encryption:

  • Emails must be encrypted “End-to-End.” This means messages must be encrypted both in transit and in storage. At no point should your email transmission be the point of failure in a data leak.
  • Some encryption methods are not secure. You should consult NIST guidance before selecting an encryption method. At the time of writing, AES with 128-, 192-, or 256-bit keys is considered compliant.
  • Finally, you’ll want to make sure your email vendor enforces encryption on all emails rather than leaving it to a per-message option that a user must remember to select. This minimizes the risk of you or your staff forgetting to encrypt ePHI.
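To make the “key” idea concrete, here is an added example written for this post (it is not code from the original article or from any email vendor). It uses Go’s standard library to encrypt a message body with AES-GCM at one of the AES key lengths named above. The function names, the sample message, and the recipient address are all constructed for the illustration. It shows the point the analogy makes, that without the exact key the stored message is unreadable, and it also shows what an authenticated mode adds: a message that was altered in storage or re-addressed to someone else is rejected outright instead of being decrypted into garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random key for AES-128, AES-192 or AES-256.
// Any other size is rejected, matching the three key lengths named above.
func NewKey(bits int) ([]byte, error) {
	switch bits {
	case 128, 192, 256:
	default:
		return nil, fmt.Errorf("unsupported AES key size: %d bits", bits)
	}
	key := make([]byte, bits/8)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a message body with AES-GCM. The recipient address is bound
// in as associated data: it stays readable (a mail server needs it) but the
// message will not decrypt if it is changed. The random nonce is prepended
// to the ciphertext so the recipient can recover it.
func Seal(key, body []byte, recipient string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, body, []byte(recipient)), nil
}

// Open reverses Seal. It returns an error (never garbage) if the key is
// wrong, the ciphertext was altered, or the recipient was changed.
func Open(key, sealed []byte, recipient string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recipient))
}

func main() {
	// Constructed sample message and address; nothing here is real patient data.
	key, _ := NewKey(256)
	body := []byte("Constructed sample: lab results for patient record 0001 attached.")
	sealed, _ := Seal(key, body, "nurse@clinic.example")

	fmt.Printf("stored form (%d bytes): %x...\n", len(sealed), sealed[:16])

	if plain, err := Open(key, sealed, "nurse@clinic.example"); err == nil {
		fmt.Println("right key:", string(plain))
	}
	wrongKey, _ := NewKey(256)
	if _, err := Open(wrongKey, sealed, "nurse@clinic.example"); err != nil {
		fmt.Println("wrong key:", err)
	}
	if _, err := Open(key, sealed, "attacker@example.net"); err != nil {
		fmt.Println("re-addressed:", err)
	}
}
```

An email encryption product wraps a primitive like this in key management: who holds the key, how the intended recipient obtains it, and how it is rotated. That management layer is the part a vendor provides, and it is the part to ask about when comparing encryption options.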

2. Compliance From Your Email Vendor

Our second tip is to obtain a compliance agreement from your email vendor directly. Many third-party vendors (Microsoft, Google, etc.) offer business associate agreements that are designed to protect your clients’ ePHI. These agreements specify the vendor’s requirements and responsibilities and provide an additional layer of security for your systems.

If a vendor is unable or unwilling to sign a HIPAA compliance agreement with you, it would be safest to move your email services elsewhere. Again, ensuring your email vendor is in a compliance agreement will minimize your risk and show both clients and compliance officials that you’ve done proper due diligence to protect sensitive ePHI.

3. Verify Your Email Configuration

While having a HIPAA agreement from your email vendor is a great step, it doesn’t guarantee HIPAA compliance. You might have features on your account which either aren’t set up correctly or aren’t set up at all. You might have security settings in place which aren’t strict enough. You might have workflows, email forwards, or distribution groups set up which violate compliance regulations.

In any of the above scenarios, you need to take a hard look at your email configuration. Double- and triple-checking your setup, even if it takes a significant time investment, can protect your clients’ data and save your business from harsh fines later on.

4. Retain ALL Emails

While HIPAA’s direct rules for email retention are less than clear, it is entirely within the bounds of the regulation for your business to be audited by both clients and compliance officials. In a legal situation, your business might be called upon to produce all communications between your staff and a client. Some states have direct time mandates for record-keeping by healthcare organizations. If you can’t meet these requirements, it can have severe consequences for your business.

The best way to ensure your email is securely retained is to partner with a trusted third-party backup solution provider. We use Dropsuite to back up all Office Suite-related data, but there are plenty of reputable backup vendors for email services. If using a cloud solution isn’t an option for your business, consult with your IT team on how you can adapt to HIPAA’s document retention policies.

For email retention, there are a few things to consider:

  • The standard and industry-recommended retention period for emails pertaining to security and changes in the privacy policy is around six years.
  • HIPAA compliance dictates that any documentation related to a business’s compliance efforts should also be retained for six years.
  • Even for a small business, six years of communications can eat up a considerable volume of storage space. Be sure your backup solution understands the space you’ll need and can offer it at an affordable price.

5. Strengthen Your Weakest Security Element

As with almost every element of IT security, the weakest aspect of your system isn’t electronic at all. Your email infrastructure, your business processes and policies, and even the computers your staff use have greater protection than the weakest link in your security chain: the humans in your office.

In all things technology, the people using the technology represent the biggest security vulnerability. People, not machines, fall for phishing and social engineering attacks, disregard policies and guidelines, and account for the aptly named ‘human error’ element. It should be your number one priority to train, educate, and test your staff to ensure they are safeguarding both your business and your clients’ information.

Do you need a HIPAA partner?

Hopefully, you’ve found some great takeaways from this blog and have a solid action plan for getting your business’s emails up to compliance. If you have questions or need a HIPAA partner for all things tech, we’d love to help!

We can’t wait to turn your technology nightmares into sweet dreams! We’re always ready to meet your HIPAA and technology needs. You can send us a message here or give us a call at 913.353.6902.

Strategy Can Help

Why not leave it up to the IT experts to take the reins, so you can experience work hassle-free?