One of the most important things you can do as a healthcare professional to ensure HIPAA compliance is to sign up for an encrypted email service. However, this is just the first step. The next step is to apply a healthy dose of common sense before you hit send.
The HIPAA Security Rule allows the use of email to transmit protected health information (PHI) as long as the practice follows certain standards to make sure the information is secure.
An email service with encryption, such as Hushmail, goes a long way toward meeting these standards, but it doesn’t do everything. Using common sense and mindfulness is just as important to ensure human error doesn’t undo the security provided by encryption.
By taking note of the following checks, you’ll prevent common mistakes that could sabotage all of your good security efforts.
1. Be wary of addresses you don’t recognize
If you receive an email requesting information that might qualify as PHI, and you aren’t sure where the email is coming from, confirm who the person is and the purpose of the email. Check the actual email address of the sender in addition to the name. This is a simple good communication practice in the healthcare world, but in the middle of multitasking, it can be easy to fall into a pattern of reacting quickly rather than devoting time to a thought out response. Just be aware and consider where your email will go if you respond.
2. Make sure you’re sending to the right recipient
This advice might seem simplistic, but you’d be surprised how many errors are made by not looking closely at the recipient. When your email application automatically fills in a name, it’s easy to mistake a John Smith with a Jon Smith. Or a Heather Bell with a Heather Biel. The solution is to slow down when sending an email and take the time to carefully select the correct address.
3. Don’t put sensitive information in the subject line
When sending an encrypted email, understand that many services, including Hushmail, don’t encrypt subject lines. Check with your service, and if this is the case, be sure to place any private or identifying information in the body of the email. Examples of inappropriate subject lines include: “Feedback on your depression screening” or “Welcome back to our ADHD support group.” While seemingly straightforward, these subjects tell too much information about the recipient.
Outside of your practice, you probably try to make your subject a clear, concise description of your email. This isn’t always possible when you’re handling PHI. Instead, you may have to rely on more general phrasing. For example, you might rewrite the subject lines above as “Assessment” or “Welcome back.”
4. Don’t send group emails
Keep in mind that email recipient addresses aren’t encrypted. As a rule, group emails are a bad idea when it comes to protecting PHI. Even if you BCC recipients, someone eavesdropping could uncover the addresses. If the email implies information about the recipients, such as a newsletter sent by a specialist to current patients, then it’s considered PHI and under the protection of HIPAA. Try not to send group emails. If you must, make sure they contain only very general information.
5. Make sure you encrypt
All encrypted email services are different and have unique encryption mechanisms. It’s important that you understand what they are, when they’re automatic, and when they require action. Hushmail’s service includes automatic encryption between Hushmail users, but if you’re communicating with someone who doesn’t have a Hushmail account, it requires you to check an Encrypted box in webmail. Take the time to make sure the encrypted email you think you’re sending is, indeed, encrypted.
6. Always take a step back and pause before sending
We’re all busy. It’s easy to get caught up in what we’re doing and forget some of these simple checks. That’s why one check should never be ignored - pause before you send.
Just five seconds can be enough to remind yourself that you’re sending PHI and it must be handled carefully. Go point by point down the list. Is the main recipient correct? Are all recipients appropriate? Does the subject line reveal anything personal? Is the email encrypted? Five seconds is all it takes, and then you can confidently hit send.
Don’t have a Hushmail account?
Sign up for Hushmail for Healthcare today.