By Mike Semel
Understand What Constitutes HIPAA Compliant E-mail
Every day I get questions about HIPAA compliant e-mail, and many days I see or hear something that leads healthcare organizations and their business associates in the wrong direction.
These Myths and Facts can help you make the right e-mail decisions. I have included links to give you more details and so you can see the official information yourself.
MYTH – All e-mail systems are HIPAA compliant.
FACT— FALSE. Free web mail services like Gmail, Yahoo! Mail, Hotmail, and those provided by an Internet Service Provider are not secure and no electronic Protected Health Information (ePHI) should be sent through these systems, either in messages or attachments. In 2012, an Arizona medical practice paid a $ 100,000 penalty for sending mail from an Internet-based e-mail account. They also used a publicly-accessible online calendar for patient scheduling.
There are HIPAA compliant e-mail systems that use secure mail servers, and solutions that allow you to encrypt messages you can send to anyone. Some Cloud-based solutions are secure and the providers will sign Business Associate Agreements which makes your relationship HIPAA compliant.
If your practice is using a web mail service to send patient information, STOP NOW, because every message you send is a data breach. Â To get the right solution talk to a certified IT professional who understands HIPAA. Check out the 4Med Pro Network if you want one that specializes in healthcare.
MYTH— Any e-mail message containing patient data must be encrypted.
FACT – FALSE. E-mail sent desk-to-desk within your organization using a secure server on a secure network does not have to be encrypted. E-mail going to a remote office on your wide area network should be protected by encryption used to set up the secure ‘tunnels’ through the Internet between locations. You can also use dedicated secure circuits that do not go through the Internet. Never send unencrypted e-mail containing patient information to a doctor, any member of your workforce, or a Business Associate at their personal or business address outside of your network.
MYTH— I cannot send a patient their medical information if they use a free web mail service.
FACT – FALSE. You can, based on recent guidance from the US Department of Health & Human Services.  As long as you are using a secure e-mail system on your end, the HIPAA Omnibus Rule released in January says that if a patient asks you to send them information at a Gmail, Yahoo! Mail, Hotmail (or similar) account, you should inform them that their system is not secure and ask if they still want the information sent to them. If they say yes, it is HIPAA compliant to do this. Be sure you document your conversation and their approval.
FROM THE HIPAA OMNIBUS FINAL RULE (page 5634) —  We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email… If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.
MYTH— I only have to worry about written e-mails and documents.
FACT. FALSE. In today’s world many types of information link to e-mail systems. You can scan documents and send them from your copier to an e-mail address. Faxes are converted from paper to e-mails. Dictation and telephone voice messages are converted into e-mails. HIPAA protects any electronic file containing ePHI—written, image (like a scanned image, fax, x-ray, or MRI) or voice, and these should be encrypted before sending outside your organization.
MYTH— All e-mail that is at rest (stored on a computer) must be encrypted.
FACT – FALSE. While two HIPAA sections (45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii)) say that data must be encrypted, this requirement is Addressable and not required.
Be warned that if you lose a device containing unencrypted ePHI, it is reportable and you can pay a hefty fine, like Massachusetts Eye & Ear Infirmary did in 2012. If a device containing ePHI is encrypted and is lost, you don’t have to report it.
Don’t think that the only computers that are stolen are laptops and portable devices. The HIPAA ‘Wall of Shame’ listing data breaches has a number of servers listed that were stolen from offices. If you really want to protect the data and protect your organization from fines and embarrassment, every device you own that stores patient data should be encrypted, even though it is not required.