Do you know the rules when it comes to emailing PHI?
Email is convenient, especially in a busy healthcare environment. But, keeping email secure is tricky.
Email is one of the topics I’m asked about most frequently. Due to the nature of email and the difficulty with properly securing it, I recommend avoiding it whenever possible. The use of patient portals is preferred for sending information to patients, and secure file transfer options, that incorporate strong encryption, are preferred for covered-entity-to-covered-entity or covered-entity-to-business-associate communications.
For those who can’t find an alternative to email, this post is intended to help you understand what’s required of you when sending electronic protected health information (ePHI).SEE ALSO: HIPAA FAQs
What does HHS say about sending a HIPAA compliant email?
According HHS, “the Security Rule does not expressly prohibit the use of email for sending ePHI. However, the standards for access control, integrity and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to ePHI.”
Basically, you can send ePHI via email, but you have to do it securely, according to HHS.
Understanding the challenge
To understand the reason you should secure email, it helps to review the path of an email’s transmission:
Email is created by sender on their workstation ➔ Email is sent from workstation to sender’s email server ➔ Sender’s email server sends email to recipient’s email server ➔ Recipient’s workstation pulls the message from their server.
There are a lot of links in this chain.
Every time the email is sent from one machine to another, it may traverse the Internet, where it could be susceptible to malicious interference.
Plus, a copy of the email is stored on each machine it traverses. So, there’s a copy on the sender’s workstation, on the sender’s email server, on the recipient’s email server, and on the recipient’s workstation.
No wonder email is a scary and insecure way to send data. Every message may cross the Internet multiple times, plus it’s stored on at least four different machines.
HIPAA requires that PHI remains secure both at rest and in transit. That means PHI must be protected (e.g., by unique user accounts and passwords) while sitting on workstations and servers and encrypted each time the email crosses the Internet or other insecure networks. Transmission security significantly affects which email systems healthcare professionals can use.
There is a clear distinction between an email platform being HIPAA capable and HIPAA compliant. Most are capable, but in and of themselves, not compliant. As you can see by the path an email takes, it is pretty difficult for one product to protect the entire chain.
As a general rule, free and internet-based web mail services (Gmail, Hotmail, AOL) are not secure for the transmission of PHI. In 2012, Phoenix Cardiac Surgery paid a $100,000 penalty for not taking the steps to protect data, and for using an internet-based email and calendar service for practice administration.
If you are determined to use an internet-based email service, ensure they sign a Business Associate Agreement (BAA) with you. Microsoft and Google stated they will sign BAAs. However, a BAA only goes so far and you are still ultimately responsible. Omnibus rules state the covered entity is still responsible for ensuring the business associate does their part. If found in HIPAA violation, both parties are liable for fines. The BAA typically only covers their server; the CE is in charge of protecting the rest of the chain.
Encryption is a way to make data unreadable at rest and during transmission. Emails including PHI shouldn’t be transmitted unless the email is encrypted using a third-party program or encryption with 3DES, AES, or similar algorithms. If the PHI is in the body text, the message must be encrypted. If it’s part of an attachment, the attachment can be encrypted instead.
Unlike email in transit, encrypting email at rest is an addressable requirement, which means if you don’t implement it, you need to have solid documentation explaining why. But, if an unencrypted computer or laptop containing unencrypted ePHI is stolen, you will likely be fined. Some examples from years past include Blue Cross Blue Shield of Tennessee, Massachusetts Eye and Ear, Hospice of North Idaho, and AP Derm.
What about the email recipient’s email client?
The HHS understands you have no control over which email clients your patients use.
“We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email… covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.” (US Department of Health and Human Services, Omnibus Final Rule, 2013)
Basically, HIPAA rules state patients have the right to receive unencrypted emails, and that as long as you use a secure email service, you aren’t responsible for what happens on their end. Some caveats to remember:
You must have a fully secure, alternative option for the patient to receive the information.
You must inform your patients that their email client may not be secure. If they say they still want the information, it’s then permissible to send it.
For your protection, ensure you document the above conversations.
Securing Different Types of Emails
Emails sent on your own secure server do not have to be encrypted. For example, from nurse to doctor, office manager to nurse, surgeon to lab tech, etc. However, if you use remote access to do so, you must follow typical encryption rules. Options like Outlook Web Access can easily leak PHI, are difficult to properly secure, and should be avoided.
One of the biggest questions I receive about email is, do I have to encrypt an email if it’s going to another doctor? The answer is, unless that doctor is in your office, on your own secure network and email server, the answer is yes.
Doctors sometimes work on cases on home computers and then email PHI to their work email. Unless each of those emails is secured with encryption, that would be considered a HIPAA violation.
Mass emails should be avoided. But, if you do need to send mass messages, use a mail merge program or HIPAA compliant service which creates a separate email for each recipient. The danger of using BCC? Email addresses aren’t usually hidden to hackers.
If someone replies to your email, is that communication secure? Technically, that’s not your responsibility. HIPAA states that the entity/person initiating the transmission is the liable party. So, if the replier is not a covered entity or business associate, it’s impossible for them to violate HIPAA. If the replier is a covered entity or business associate, the protection of the PHI is their responsibility. As soon as you reply back, however, you are again liable for the security of that transmission.
How do you protect messages initiated by patients? According to the HHS, the healthcare provider can assume (unless the patient has explicitly stated otherwise) that email communications are acceptable to the individual. Providers should assume the patient is not aware of the possible risks of using unencrypted email. The provider can alert the patient of those risks, and let the patient decide whether to continue email communications. Remember, you must provide alternate secure methods of providing the information to the patient.
How to keep emails secure?
Cloud-based email servers
One route is to use a secure cloud-based email platform that hosts a HIPAA compliant server. It’s important to connect to the server via HTTPS so you have an encrypted connection between you and your email server. Unfortunately, this option does not control the email transmission from the cloud server to the recipient’s server or workstation, so though it seems attractive, I only recommend this option when all senders and all recipients have accounts on the same cloud-based email service.
Encrypted email services
Many email services actually encrypt the message all the way from your workstation to the recipient’s device. If the recipient is not a client of that email service, the system will notify them of the email and the recipient can then connect securely to the email service’s server to retrieve the message.
Secure message portals
If your EMR/EHR system can provide a patient portal, this gives you a secure place to store information. An email is sent to the recipient informing them they have a message on the portal, where they can log in and securely receive the message. If your EMR/EHR does not have this capability, don’t despair! There are services such as eDossea and BrightSquid that can provide this type of portal for you.
Other email considerations
Passwords and 2-factor authentication
Make sure access to your email account is protected by a strong password/passphrase and you opt-in to multi-factor authentication where available.
Email disclaimers and confidentiality notices are not a free pass to send PHI-filled, unencrypted emails. A disclaimer on your emails should merely inform patients and recipients that the information is PHI and should be treated as such. Your legal department can assist with the verbiage. The key to remember is that no disclaimers will alleviate your responsibility to send ePHI in a secure manner.Need help with HIPAA compliance or interested in a HIPAA Audit for your business? Contact us here.