Email is a great way of communication between doctors and patients. It also makes medical data exchange with healthcare professionals more convenient. However, it is important to follow certain guidelines to ensure that emails remain HIPAA compliant, as fines for breaking HIPAA rules may be huge. The biggest is $16,000,000 paid by Anthem Inc. in 2018. In this article, we'll explain how to properly send medical emails and not violate HIPAA rules.
Table of Contents
- Why Use Email in Healthcare Communication
- What Is HIPAA?
- What Is PHI?
- How to Make Email HIPAA Compliant
Why Use Email in Healthcare Communication
Healthcare providers can greatly improve their services if start using email:
- Convenience. Email provides a quick, convenient method of communication, allowing doctors and patients to communicate quickly and asynchronously.
- Cost-effective. Email communication reduces the time and costs associated with face-to-face consultations, saving patients and doctors a lot of time and money.
- Flexibility. Email communication offers great flexibility in terms of scheduling appointments, rescheduling, and following up on appointments.
- Improved access. Patients who may be unable to come in for an appointment physically can have easier access to consultations and medical advice with email communication. Email also allows patients to access their medical records and personal health information securely and anytime they need it.
Looks nice, but there are several downsides as well. Email can't convey nonverbal clues, such as tone and facial expressions, therefore it may be challenging to fully understand a medical situation through text. Therefore, a medical examination is impossible. Doctors and healthcare providers are not obligated to respond immediately to emails, and thus email communication might delay a patient's diagnosis and treatment. Emails may be sent to the spam or overlooked in crowded inboxes, hence patients’ questions may go unanswered. And of course, your email provider must comply with HIPAA rules.
What Is HIPAA?
Health Insurance Portability and Accountability Act (HIPAA) was implemented in 1996 in the United States. Its purpose is to establish national standards for healthcare organizations to protect the privacy and security of patient's health information. HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses, as well as any businesses that provide services to them and have access to patient's protected health information (PHI).
Can you use Gmail to send medical emails? We explained this in the article Should You Trust That Gmail Is Secure Enough For Your Business?
What Is PHI?
Protected Health Information (PHI) is any individually identifiable health information transmitted by or maintained in any form or medium, that relates to an individual's physical or mental health, the provision of healthcare to that individual, or the payment for the provision of healthcare for an individual, and is protected under the Health Insurance Portability and Accountability Act (HIPAA).
PHI includes a wide range of health information, such as medical records, medical claims, test results, or personal information like names, addresses, Social Security numbers, and other demographics which can be used to identify a patient individually.
The HIPAA Journal gives an example of protected health information.
- “A broken leg” is health information.
- “Mr. Jones has a broken leg” is individually identifiable health information.
- If a HIPAA covered entity records “Mr. Jones has a broken leg” the health information is protected.
HIPAA provides patients with certain rights related to PHI including the right to access their PHI data, know who has accessed their information, and request the correction of any errors in their PHI. HIPAA’s privacy rule requires covered entities and business associates to take appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of PHI.
PHI is incredibly sensitive and private, therefore, healthcare providers and businesses must take comprehensive measures to ensure that they follow HIPAA rules and protect patient privacy. Failure to do so can have serious consequences, including stiff fines, legal implications, and loss of reputation.
How to Make Email HIPAA Compliant
It is important to ensure that emails are HIPAA compliant in order to protect patient privacy. Here are some not to violate HIPAA:
- Use a HIPAA-compliant email service provider that encrypts all emails and attachments. That must be end-to-end encryption.
- The email vendor has a so-called “persistent access” to PHI and therefore must assure you that your patients“ PHI is fully protected, providing you with an executed HIPAA Business Associate (BA) Agreement.
- Always verify the recipient of emails containing PHI prior to sending. Even the most attentive person can make a typo.
- Regularly train staff on HIPAA regulations. Every employee should be aware of the HIPAA rules, the consequences of HIPAA violations, and the intricacies of working with email services.
- Include a confidentiality statement in emails containing PHI. At least the short one, such as: «This message is confidential. If you believe you received this message in error, please inform the sender and delete this message and all attachments».
- Organize email retention. Emails should be stored for the period of six years.
- Avoid free, web-based email accounts like Gmail and Yahoo or other email accounts that are not compliant with HIPAA even when end-to-end encryption is available.
- Document all email communications regarding patients' health information in their medical records.
Don't be shy to contact a healthcare attorney if you want to know more about how not to break HIPAA rules.
Now that you know, email communication in healthcare must be HIPAA compliant. Just need to follow several rules. Use a HIPAA-compliant email service provider that encrypts emails and attachments, regularly train employees on HIPAA regulations, verify the recipient of emails containing PHI prior to sending, and include a confidentiality statement in emails containing PHI.
Always enter into a Business Associate Agreement (BAA) with email service providers, keep emails for six years, and don't use free web-based email services.
We at TruVISIBILITY are offering you a Secure Email service that is designed specifically to secure private information. It supports compliance regulations in multiple industries and guidelines, such as HIPAA, CFPB, FINRA, and E-SIGN.
TruVISIBILITY's Secure Email allows you to send encrypted HIPAA-compliant emails and email attachments, send secure forms, and sign them without delay or slow downloading.
Health information of patients, private business and financial documents, attorney-client communications — everything is protected with TruVISIBILITY's Secure Email service.
Get a TruVISIBILITY freemium account now and never worry about email security again!
Want to receive more articles?
Sign-up for our weekly newsletter to receive info that will help your business grow