Many healthcare providers use email to communicate with their patients, but there are certain things that must be considered before doing so. As a healthcare provider, you are obligated to ensure the confidentiality, integrity, and availability of protected health information. As such, you must ensure that the email service provider that you are using is HIPAA compliant. So how do you make your email HIPAA compliant? Find out more below.
HIPAA allows providers to communicate with patients through email; however, it also imposes restrictions on when email can and cannot be used to communicate with the patient. Before providers may use email to send protected health information (PHI) to patients, they must first receive patient authorization, have a signed business associate agreement with their email service provider, and configure email security settings.
When healthcare providers wish to communicate with patients via email, they must first receive explicit written consent from the patient to communicate with them in this manner. It is also the responsibility of the provider to convey the risks of email communication with the patient prior to sending electronic protected health information (ePHI) through email.
Under HIPAA, email service providers are considered business associates when ePHI is transmitted through their platform. Because the email service provider is a business associate, healthcare providers are required to have a signed business associate agreement (BAA) with their email service provider prior to sending or receiving any ePHI through email. Some email providers are unwilling or unable to sign a business associate agreement; these providers are not HIPAA compliant and therefore cannot be used to send or receive ePHI.
Why is a business associate agreement so important? Well, BAAs are legal documents that require business associates to agree to be HIPAA compliant, and be responsible for maintaining their compliance. In essence, BAAs ensure that the email service provider will safeguard the ePHI transmitted through their service.
For HIPAA compliant email communications, any email being sent to a patient must be encrypted. This is because no matter the content of the email, the fact that a provider is emailing a patient automatically classifies things such as the recipient’s name and email address as PHI. Some email providers offer encryption as part of their paid service for users, while other email providers don’t. Providers that don’t include encryption as part of their service can still be used for HIPAA compliant email communications as long as healthcare providers purchase an email encryption service that integrates with their email platform.
When sharing email attachments containing ePHI, it is important to ensure that only authorized individuals have access to the file. For instance, when sharing a document through cloud storage services such as Google Drive, the sharing setting must be set to "share only with intended recipients."
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!
If you are a MyWellbeing member, visit our benefits and discounts page for a special offer from Compliancy Group.