6 essential checks to ensure your encrypted email is HIPAA compliant

Published on November 1, 2018


One of the most important things you can do as a healthcare professional to ensure HIPAA compliance is to sign up for an encrypted email service. However, this is just the first step. The next step is to apply a healthy dose of common sense before you hit send.

The HIPAA Security Rule allows the use of email to transmit protected health information (PHI) as long as the practice follows certain standards to make sure the information is secure.

An email service with encryption, such as Hushmail, goes a long way toward meeting these standards, but it doesn’t do everything. Using common sense and mindfulness is just as important to ensure human error doesn’t undo the security provided by encryption.

By taking note of the following checks, you’ll prevent common mistakes that could sabotage all of your good security efforts.

1. Be wary of addresses you don’t recognize

If you receive an email requesting information that might qualify as PHI, and you aren’t sure where the email is coming from, confirm who the person is and the purpose of the email. Check the actual email address of the sender, not just the display name: the name is set by whoever sends the message and proves nothing, while the address tells you where your reply will go. This is a simple good communication practice in the healthcare world, but in the middle of multitasking, it can be easy to fall into a pattern of reacting quickly rather than devoting time to a thought-out response. Just be aware and consider where your email will go if you respond.

2. Make sure you’re sending to the right recipient

This advice might seem simplistic, but you’d be surprised how many errors are made by not looking closely at the recipient. When your email application automatically fills in a name, it’s easy to mistake a John Smith for a Jon Smith, or a Heather Bell for a Heather Biel. The solution is to slow down when sending an email and take the time to carefully select the correct address, checking the address itself and not only the name your client displays.

3. Don’t put sensitive information in the subject line

Subject lines are the most visible part of an email. They are displayed when listing emails, can be seen in notifications on some devices, and with common encryption schemes the subject header itself still travels unencrypted even when the body is protected. Be sure to place any private or identifying information in the body of the email, not the subject line. Examples of inappropriate subject lines include: “Feedback on your depression screening” or “Welcome back to our ADHD support group.” While seemingly innocuous, these subjects reveal too much about the recipient.

Outside of your practice, you probably try to make your subject a clear, concise description of your email. This isn’t always possible when you’re handling PHI. Instead, you may have to rely on more general phrasing. For example, you might rewrite the subject lines above as “Assessment” or “Welcome back.”

4. Don’t send group emails

As a rule, group emails are a bad idea when it comes to protecting PHI. If the email implies information about the recipients, such as an email welcoming new members to a support group, then it’s considered PHI and under the protection of HIPAA. Every recipient in the To or Cc line also sees every other recipient’s address, which by itself discloses who is receiving care. If you must send group emails, make sure they contain only very general information.

5. Make sure you encrypt

All encrypted email services are different and have unique encryption mechanisms. It’s important that you understand what they are, when they’re automatic, and when they require action. Hushmail’s service includes automatic encryption between Hushmail users, but if you’re communicating with someone who doesn’t have a Hushmail account, it requires you to check an Encrypted box in webmail. Take the time to make sure the encrypted email you think you’re sending is, indeed, encrypted.

6. Always take a step back and pause before sending

We’re all busy. It’s easy to get caught up in what we’re doing and forget some of these simple checks. That’s why one check should never be ignored - pause before you send.

Just five seconds can be enough to remind yourself that you’re sending PHI and it must be handled carefully. Go point by point down the list. Is the main recipient correct? Are all recipients appropriate? Does the subject line reveal anything personal? Is the email encrypted? Five seconds is all it takes, and then you can confidently hit send.


Don’t have a Hushmail account?

Sign up for Hushmail for Healthcare today.