Email Security Requirements for Healthcare Providers
HIPAA requires covered entities to apply reasonable safeguards when emailing protected healthcare information
Key areas covered: service providers, business associate agreements, encryption, policies and procedures, training, archiving and retention, and consents.
Use a service provider that meets HIPAA security requirements. Yahoo, Gmail, Hotmail and other free email services are not HIPAA compliant and should be avoided.
The business associate agreement outlines the responsibilities of the service provider and establishes that administrative, physical and technical safeguards will be used to ensure the confidentiality, integrity and availability of ePHI.
Emails containing ePHI sent outside your organization must be encrypted in transit and at rest to ensure privacy and security.
Policies related to PHI access, storage, and disclosure should be in place to limit access to authorized individuals only. This includes specific guidelines for the use of email to transmit PHI, including requirements around encryption, access controls, and secure transmission.
It is vital to train your staff annually on their responsibilities under compliance laws, how to send a secure message, and what constitutes a HIPAA violation.
Covered entities should implement policies and procedures for creating, changing, and safeguarding passwords.
Implement a secure email retention system to ensure the availability of ePHI and compliance documentation, and make sure that your practice is able to respond to accounting of disclosure requests within the timeframe stipulated by the Privacy Rule.
Patients must be advised that there are risks to the confidentiality of information sent via email. If they are prepared to accept those risks, emails containing ePHI can be sent without violating HIPAA Rules.