Do you need HIPAA-compliant email? A helpful Q&A.

Published on July 4, 2019

HIPAA requirementsIf you work in a healthcare field, there’s a good chance that you should be using HIPAA-compliant email to communicate with your clients or patients, especially if you send and receive protected health information (PHI). And if you’re using using online forms to collect information from your clients, those forms need to be HIPAA compliant as well.

But how do you know for sure if you need HIPAA-compliant email and web forms? And what exactly is considered HIPAA compliant?

The following Q&A will help shed some light on these questions and help you make the decision to use regular or HIPAA-compliant email.  

Who needs HIPAA-compliant email and web forms?

Any HIPAA-covered entity as defined in the chart below and any healthcare practitioner who wants to protect their clients’ privacy.

A health care provider

This includes providers such as:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

A health plan

This includes:

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs

A health care clearinghouse

This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

 https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html

I don't take insurance. Do I still need encrypted email?

For HIPAA purposes, technically, no. (See the above covered entity chart.)

However, securing your online communications with your clients when it contains information of a sensitive and personal nature is important from a professional ethical standpoint. Additionally, state laws may differ from HIPAA and may impose additional or different security and privacy obligations.

What kind of information should be secure and encrypted?

Any email or web form containing sensitive information that could be considered PHI. Under the HIPAA Privacy Rule, PHI refers to individually identifiable health information. A newsletter you send to clients who participate in an adult ADHD support group would be considered PHI and so would the results of a depression screening if your client’s identity is connected with the information.

How is HIPAA-compliant email different from regular email?

HIPAA-compliant email is dependent on good email habits such as verifying email addresses and not including sensitive information in subject lines.

HIPAA-compliant email is also encrypted with OpenPGP encryption that encrypts data during transit and in storage. This provides an extra layer of security on top of the TLS encryption that most email servers support.

A HIPAA-compliant email service will provide you with a signed Business Associate Agreement (BAA) that places the responsibility for securing the PHI you send with the email provider.

A HIPAA-compliant email service might also provide email archiving that serves as added backup in case of an audit or a question.

What is encryption?

Encryption is essentially scrambling a message so that it is unreadable to anyone who cannot access the key needed to unscramble it. Please take a look at Encryption is a lot like a cryptogram, only better for a more detailed explanation of encryption.

Can a HIPAA-compliant email be sent using Google or Yahoo?

It's about how comfortable you are with the level of security. HIPAA stipulates that covered entities are required to implement technical safeguards of the "electronic protected health information" of their clients and patients, but it doesn’t specify the use of X or Y type of encryption, and there is no list of what technical safeguards you should use.

Should a breach happen, you need to convince HIPAA officials, and maybe even a judge, that you did everything you could to safeguard the information. However, keep in mind that TLS only secures your email if it’s supported by the recipient’s email servers as well. Although most servers do support TLS, this isn’t guaranteed. If you are comfortable saying that you sent the information protected in transit only, reliant upon the recipient supporting encryption, then TLS  may be all you need, and Google or Yahoo might be fine.

The extra layer of security with OpenPGP encryption provides evidence of due diligence in case of an audit or a breach.

Can my HIPAA-compliant email work with Outlook or Mac Mail?

Yes. Most encrypted email services can be set up to work with a third-party email app. However, using the encrypted service’s webmail or smartphone app is usually a good idea for ease of use and security reasons, depending on the service you use.

Hushmail for Healthcare is the answer to your HIPAA-compliant communication needs

Hushmail for Healthcare is a HIPAA-compliant, secure email and web form service that gives you everything you need to communicate safely with your clients or patients.

Try Hushmail for Healthcare risk-free for 60 days

Do you have questions about whether or not you need to be concerned with HIPAA compliance when you communicate with your clients or patients? Here's a helpful Q&A about who needs to use HIPAA-compliant communication tools and why, along with tips on how to use encryption to protect confidential messages to clients and patients.

Related posts: