HIPAA Email Compliance

According to the U.S. Department of Health and Human Services, HIPAA “protects all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.”

HIPAA protects all individually identified health information (e.g., it has associated information such as a name or address that might allow someone to identify the individual whose health information is being discussed), in any media (paper, electronic, oral). This information is referred to as “personal health information”, or PHI.

According to the U.S. Department of Health and Human Resources, HIPAA allows healthcare providers to communicate via email with patients, and send PHI via email, as long as reasonable safeguards of privacy are applied. These safeguards include precautions such as checking the recipient’s email address for accuracy before hitting send.

HIPAA does not require that emails containing PHI be encrypted, but does require limiting the amount or type of information sent via unencrypted email. It also requires that precautions be taken to restrict access to, protect the integrity of, and guard against the unauthorized access to PHI sent via email. However, there are many potential pitfalls healthcare organizations face in terms of its email communication and HIPAA laws.

For example, a busy physician’s practice with automatic email archiving may archive some emails containing PHI along with a vast number of routine business emails that do not contain PHI. If the pooled archived material is stored in an unsecure manner, PHI may be readily available to anyone, which is a clear violation of HIPAA. If the older pooled archived data is eventually discarded, PHI may be accidentally discarded in a way that also violates HIPAA regulations.

Are You in Line With HIPAA Regulations?

Use our six-part self-evaluation to help your organization stay compliant with the Health Information Portability and Accountability Act.

Download the Checklist

Privacy protection for patients applies to email correspondence between a patient and doctor, the doctor’s office and the pharmacy, the pharmacy and the insurance company and a variety of other resources.

In addition to privacy protection, HIPAA also features strict guidelines on how to dispose of PHI. PHI cannot be disposed of unless the individual identifying information is removed or destroyed. This is simple for paper records containing PHI, as these document can be shredded or incinerated before disposal.

This effort to protect patient privacy has however become more problematic as technology has changed, especially in light of the HITECH government mandate for all medical practices to demonstrate an effective use of computerized medical records by March 2015.

So, with the proliferation of computerized medical records, how does your organization properly dispose of this electronic material?

Electronic records containing PHI can be disposed of in the following manner:

• Disintegrated
• Degaussed
• Overwritten
• Pulverized
• Melted
• Incinerated
• Shredded

So how can we be sure that information transmitted via email remains confidential? This is where things can get a bit complicated, as the practice of routinely archiving and preserving all types of email used by a healthcare entity can accidentally violate HIPAA email compliance laws. After all, someone could be privy to protected information through the simple act of catching sight of a computer screen.

But, what happens if you do end up inadvertently violating HIPAA email compliance laws?

Government agencies can audit healthcare practices at any time to ensure HIPAA compliance, and therefore email practices intended to achieve compliance with HIPAA must be documented and recorded.

Non-compliance was originally penalized with a fine of up to $250,000. With the implementation of the HITECH Act standards and incentives in 2010, that amount has been upgraded. The current maximum penalty for violation of HIPAA is a $1.5 million fine; violators may also be subject to criminal penalties.

Implementing the following processes can help ensure your organization is doing all it can to prevent any violations of HIPAA email compliance laws:

• Restrict access to patient information through the use of specific password types or electronic identification of terminals within the medical department (essentially an electronic security clearance). Higher-level access is provided to the group who will be sending and receiving medical-related emails.
• Restrict the type of access inter-departmentally. For example, someone in the administrative office may need identifiers such as name and address in order to perform telephone or emailed satisfaction surveys. They may not need medical information to do so.
• Establish employee access limits and have clearly defined guidelines. For example, a local celebrity who is seen in the clinic may stimulate a lively conversation about why he is there. However, accessing his protected information to satisfy curiosity is illegal, as is sending emails about his condition.
• Instruct employees to always lock their computer screen whenever they will be away from their posts, even for a few moments. A gray screen is a great deterrent to “just sneak a peek” at an email that has been left open. Even an accidental viewing tends to stick in the mind. Instruct employees who share computers to sign off completely before allowing a coworker to use the terminal.

Companies affected by regulations can implement HIPAA-compliant email monitoring using virtual email archiving appliances that archive all necessary files without compromising the integrity, access or transmission of the information.

While some email archiving solutions may be difficult to implement and use in a company with multiple locations, organizations striving to remain HIPAA compliant with email correspondence can use top tier email archiving solutions to monitor and enforce email content through the web browser interface. Email information can be stored indefinitely or purged as needed using unique search and retrieval functions.

When companies are trying to adjust their protocols for HIPAA-compliant email strategies, the use of a virtual or hardware archiving appliance is a cost-efficient method that is easy to use in multiple office locations and protects both the company and the patient from concerns over access, integrity and content security issues.

For more information about Intradyn’s singular email archiving solution, please contact us.