Last week we discussed why no professional organization should use a free common email address, such as Yahoo, Hotmail, AOL, or yes, even Gmail. Not only does an email address ending with any of these common domains instantly reduce your professional appearance, but let’s add the fact that none of these free email addresses are HIPAA compliant either.
Now to be clear, neither are any professional email addresses, such as those associated with your practice domain, even if your practice website has SSL (Secure Sockets Layer) encryption; a website certificate protects traffic to your website, not your email. As a reminder, every website today should have an SSL certificate. Google demotes the ranking of any website without one. Not only that, the Chrome browser, the most used browser in the world (owned by Google), marks websites without an SSL certificate as NOT SECURE. We have covered SSL certificates before here.
Before you say, "Yeah, that may be the law, but no one is ever prosecuted," explain that to the Phoenix cardiac surgery center that paid a $100,000 penalty for failing to take steps to protect data while using an internet-based email and calendar service for practice administration.
Let’s start with the fact that HIPAA only requires your email to be secure IF you send PHI, or Protected Health Information, over email. You can send an email blast to your patients and customers about a Trunk Show or Sale with no worries, so long as you are not sending any Protected Health Information. HIPAA kicks in when you are corresponding with a patient or customer about their exam or their Rx. HIPAA would also be applicable when you are sending a job to a lab, if the job contains the name or any other identifying information about the customer or patient. If you send jobs referring only to "patient 123" (unless for some reason they’ve chosen that to be their lawful name), you are OK.
Let’s explore how email actually works. Unlike how it appears, email is not sent from your computer to another. Think about it. How many of you receive the same email on your desktop computer, your laptop, your tablet, and your mobile phone? OK…for most of you, I suspect at least two of the four.
When you send email, it goes from your computer (or phone) to your email server, whether that is your domain’s mail server or one of the common email carriers. That email is then forwarded to the recipient’s email server, whether that be their business domain or a common email carrier. In both cases, the email is stored on both servers for a predetermined period of time. Neither server encrypts stored mail by default, so your email sits alongside millions more from all around the world. Unprotected storage of PHI on that server is a technical violation of HIPAA. Since at least two servers are involved in that email correspondence, we’ve now doubled our risk and potential violation.
HIPAA email rules require messages to be secured in transit if they contain ePHI (electronic PHI) and are sent outside a protected internal email network, beyond the firewall. Not only that, but covered entities are required to retain past communication containing PHI for six years.
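To make the hop chain described above concrete, here is an added Python example (not code from the original article). Every mail server that handles a message prepends a Received: header naming the host it received the message from, the host that accepted it, and the protocol keyword used; under RFC 3848 the keywords ESMTPS and ESMTPSA mean that leg was protected by TLS, while SMTP or ESMTP mean it was not. The script walks those headers in chronological order and reports which legs were encrypted. The sample message, host names and addresses are all constructed for the example.

```python
"""Audit the Received: chain of an email message hop by hop.

Added example, not from the original article. It shows every server a
message passed through (and therefore sat on) and whether each leg of the
trip used TLS, based on the RFC 3848 protocol keyword in each Received:
header.
"""
import email
import re

# Protocol keywords (RFC 3848 "with" clause) that indicate a TLS-protected hop.
TLS_PROTOCOLS = {"SMTPS", "ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample message. All host names, addresses and IDs are
# fictitious (.example is a reserved domain, 192.0.2.x is a test network).
# Received: headers appear newest first, as in a real message.
SAMPLE_RAW = """\
Received: from mx.recipient-practice.example (mx.recipient-practice.example [192.0.2.20])
\tby mailstore.recipient-practice.example with ESMTP id abc123;
\tMon, 1 Jan 2024 10:00:02 +0000
Received: from smtp.sender-practice.example (smtp.sender-practice.example [192.0.2.10])
\tby mx.recipient-practice.example with ESMTPS id def456
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 1 Jan 2024 10:00:01 +0000
Received: from [10.0.0.5] (front-desk-pc.sender-practice.example)
\tby smtp.sender-practice.example with ESMTPSA id ghi789;
\tMon, 1 Jan 2024 10:00:00 +0000
From: Front Desk <frontdesk@sender-practice.example>
To: Patient <patient@mail.example>
Subject: Your order is ready
Content-Type: text/plain

Your order is ready for pickup.
"""


def _field(pattern, text):
    """Return the first regex group found in text, or None when absent."""
    match = re.search(pattern, text)
    return match.group(1) if match else None


def parse_hops(raw_message):
    """Return the message's hops in chronological order, oldest first.

    Each hop is a dict with the relaying host ('from'), the accepting host
    ('by'), the protocol keyword ('with') and a boolean 'tls'.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    # Relays prepend their Received: header, so the last header in the list
    # describes the first hop the message took.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold and normalize whitespace
        proto = _field(r"\bwith\s+([A-Za-z0-9]+)", text)
        hops.append({
            "from": _field(r"\bfrom\s+(\S+)", text),
            "by": _field(r"\bby\s+(\S+)", text),
            "with": proto,
            # TLS is indicated by the protocol keyword or by an explicit
            # version=TLS... annotation that some servers add.
            "tls": (proto or "").upper() in TLS_PROTOCOLS or "version=TLS" in text,
        })
    return hops


def unencrypted_hops(hops):
    """Hops not protected by TLS, i.e. legs where PHI would travel in the clear."""
    return [hop for hop in hops if not hop["tls"]]


if __name__ == "__main__":
    chain = parse_hops(SAMPLE_RAW)
    for number, hop in enumerate(chain, 1):
        status = "TLS" if hop["tls"] else "PLAINTEXT"
        print(f"hop {number}: {hop['from']} -> {hop['by']} via {hop['with']} [{status}]")
    print(f"{len(unencrypted_hops(chain))} of {len(chain)} hops were not encrypted in transit")
```

Two caveats for anyone using this on real mail: the headers only describe transport protection, not whether the message was encrypted while stored on each server, and any server earlier in the chain can write whatever it likes into a Received: header, so only the hops recorded by servers you control are trustworthy evidence.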
The easiest way to make sure your email is HIPAA compliant is to sign up with an email service that will encrypt your email properly. You keep your domain email address; the mail is routed through the provider’s secure servers and strongly encrypted en route, so you and your patients are covered. You also sign a BAA, or Business Associate Agreement, with the provider. There are a number of companies that offer a BAA service. Hushmail, NeoCertified, and Aspida are all highly rated.
However, most ECPs go with either Google or Microsoft. Google is, of course, a very popular email platform. Even though we rail against using a Gmail address as your professional email address, Google is easy to use and a wonderful service. Gmail by default is not HIPAA compliant, but for as little as $5 a month per email address, you can have your email routed through their HIPAA compliant servers, regardless of the domain extension. That means [email protected] can go through Gmail encrypted and compliant, without anyone but you and Google knowing it.
For those who use Microsoft’s Office suite, you can sign a BAA on Office 365 and get a fully HIPAA compliant email solution and the entire Office suite of products for as little as $6 a month. Again, you needn’t give up your domain name or hosting.
For those who are a little gun-shy about doing the required email routing through your hosting provider, have your IT person do it. If you do not have an IT person, I have found every web host more than willing to help you make the changes you need to route your email through either Google or Microsoft.
Yes, free email is great. It’s free. It’s not, however, HIPAA compliant. The few dollars you spend today can not only give you peace of mind but save you a lot more money later. In this lawsuit-happy world of ours, an ounce of prevention is worth a pound of cure.