Guest post by Erik Kangas, CEO, LuxSci.
Electronic protected health information (ePHI) is patient information that is protected under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA compliance is a complex and confusing topic, and it only gets more daunting when it comes to communication between providers and patients. If you are sending protected health information over email as a healthcare organization or as a healthcare organization’s business associate, HIPAA compliance applies to you. With fines for breaches that can land upwards of a million dollars, it is a subject that no organization can afford to take lightly. Let’s take a moment to set the record straight on the myths and facts surrounding ePHI and HIPAA-compliant email.
Myth: All email is HIPAA-compliant
This is a dangerously false assumption. It may come as a surprise that most free email services are not HIPAA-compliant, including big players such as Yahoo!, Gmail, and Hotmail. ePHI should never be sent through these systems. If you must send ePHI to run your business, seek out an email provider that specializes in HIPAA compliance and is specifically geared towards protecting you and the patient data that flows through your organization.
Myth: My business is too small to worry about HIPAA
Practices and organizations of all sizes get hit with HIPAA violation fines – no one is exempt. HIPAA regulations apply across the board, regardless of the size of your business. Penalties for not being compliant can range from a simple slap on the wrist to a fine of $100 per email that contains ePHI sent through an unencrypted avenue. HIPAA compliance is everyone’s responsibility, and no business is too small to suffer a surprise audit that results in business-crushing fines. Protect yourself up-front by adhering to HIPAA guidelines, and you won’t find your business under the gun for non-compliance.
Myth: Any email with PHI must have encryption
If an email stays in-office, sent over a secure internal network, email encryption is not necessary. But once that email leaves the office over a wide area network or across the internet, encryption is a must.
Myth: The recipient must have encrypted email
The majority of patients use a free, non-encrypted email host. According to the HIPAA Omnibus Rule, patients have the right to request that their ePHI be sent to them via an unsecured email system. Many secure email systems can send secure messages to people without secure email – and that can be okay. But it’s important to document that request from the patient and also to inform them that when using unsecured email and waiving their right to receive their ePHI privately, they inherit the risk of a potential security breach. Documentation protects you from future accusations of negligence.
Myth: Other forms of communication do not fall under HIPAA compliance regulations
In truth, any PHI stored or transmitted electronically should be encrypted, not just email. This means that faxes sent to email addresses, Skype-like communications (which are impossible to make HIPAA-compliant), text messages, dictations, voice messages, and any other method of communication in which PHI is transferred between individuals all fall under the HIPAA Omnibus Rule and should be encrypted before being sent outside of your secured local network.
Myth: Stored emails (data at rest) must be encrypted
This is indeed a myth, but it comes with an important caveat. Stored ePHI on a device does not necessarily require encryption under HIPAA regulations, but that does not mean there are no penalties if the device is stolen. Computers, laptops, and portable devices are all at risk of theft, and fines for loss of that data are substantial. Beyond the fines themselves, the loss of confidence in your organization’s ability to keep protected health information private can be costly to your business’s reputation.
Myth: If your ePHI is encrypted, then you are HIPAA compliant
This is not necessarily true. If your ePHI is stored at, or passes through, any vendor (encrypted or not), you must have a HIPAA Business Associate Agreement with that vendor to ensure that your data is properly treated in order for you to be considered compliant. Just because encryption is involved does not mean that you have compliance. Skype and Apple iMessage are good examples – these are both encrypted but not HIPAA compliant.
For a more in-depth look at what your business needs to follow the rules of HIPAA, take a look at this HIPAA Compliance Checklist.