The internet is both a blessing and a curse for a healthcare provider. With its help, patient data can be accessed instantly from anywhere in a matter of seconds, and looking up the newest treatment options is just as easy. But, in return, patients expect nothing less than immediate information about their condition. While email is everywhere and seems like a convenient answer to that demand, never forget this: if you want to avoid penalties that can range from $100 to $50,000 per violation, you must understand email HIPAA compliance. In the world of Protected Health Information (PHI), even minor infractions can lead to large-scale lawsuits.
Keep reading for a quick review of the Health Insurance Portability and Accountability Act’s (HIPAA) requirements for electronic communication.
First things first: What is a HIPAA-compliant email?
According to HIPAA, any health-related information – about one’s past, present, or future health status – that can make a person identifiable has to be protected at all times and by all means. This applies to all collected, maintained, or transmitted data that a database contains. Its significance stems from the fact that even the slightest leakage of physical or psychological health data can cause unpredictable harm to a person’s professional and private life.
To practitioners, email might seem like a quick and efficient way to communicate. Securing it is another matter and can only be achieved through proper cyber security technologies (encryption, masking, scrambling) and secure protocols.
Why? Because errors can slip into any busy workday, and when that happens, sending a health-related email with confidential, unencrypted attachments to the wrong person by mistake can have unpredictable consequences, at least from the point of view of HIPAA compliance.
Before you presume that your company has the routines to avoid such failures, look at some real-life HIPAA violation examples. Unfortunately, the proverb "the road to hell is paved with good intentions" seems to apply to many.
Real-life HIPAA violation examples from email and social media
- The employee who was way too enthusiastic when answering a complaint on Yelp
Community management is an essential pillar of marketing activities, even in the healthcare industry. As part of that, answering Yelp reviews – Yelp is one of the biggest crowd-sourced review sites, with more than 200 million verified business reviews – can be important for business. But in 2019, Elite Dental Associates of Dallas (Elite) learned the hard way how careful they should have been about how they do it. Even though they were correcting an unfair review, their employee included the patient's name and PHI data (name, name of the treatment plan) in the response. The violation led to an investigation, and eventually, Elite had to pay $10,000 to settle the complaint.
- A rushed video comment about Covid on social media
In April of 2020, a nurse at Lincoln Hospital spoke out on YouTube about the hardships of the Covid pandemic. Sadly, in her video, she named one of their patients whom she thought they could have saved if they had had the necessary resources. The investigation is still ongoing.
- The lost company device with unencrypted ePHI on it
While the ability to download work-related files seems essential even for healthcare professionals, there are good reasons why you need control over how that is done on any device. For example, the Catholic Health Care Services of the Archdiocese of Philadelphia collected exactly $650,000 worth of reasons back in 2016, following a stolen mobile device that stored the information of hundreds of nursing home residents in plain text. In a similar real-life ePHI data breach, Premera Blue Cross, the biggest health plan in Washington, had to pay up to $6,850,000 in a settlement, which makes securing data with end-to-end encryption a very cost-effective alternative.
- Ill-considered bulk emails
Bulk emails that are otherwise harmless can also be the source of HIPAA violations. In an often-referenced story on the topic, a Health Center based in Springfield sent out an email about a support group to their bariatric surgery patients. While they acted in good faith, the email made every recipient's email address visible to all the others, revealing who else was a bariatric surgery patient. That is a HIPAA violation, and it resulted in many complaints.
It is no coincidence that there are several email HIPAA rules regarding compliance. In HIPAA terminology, these are called “administrative” and “physical” safeguards:
- Emails including medical records can only be sent to patients who are the subject of the information.
- Your emails must have a proper authentication and encryption solution to guarantee that only the intended recipient, and nobody else, can read the records.
- You can only send out the minimal amount of information needed for the medical purpose at a single time; this is known as the "minimum required" principle in the case of electronic communication.
- Under the applicable law, all emails containing medical data have to be retained for years. Today, individuals have the right to demand information about disclosures of their protected health-related information, which means that your organization is obliged to keep HIPAA-compliant emails for fixed terms.
So, all in all: to what emails do you have to apply HIPAA requirements as a health care provider?
Basically, to all messages in which your nurses or doctors send medical records via email. But, of course, there are exceptions: as a general practitioner, you can send out a bulk email about seasonal flu-shot availability without security precautions, as long as you do not include any of the 18 personal identifiers classed as protected in the text, such as names, social security numbers, dates of birth, addresses, etc.
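The two failure modes above, the Springfield support-group email whose recipient list exposed who the patients were, and a message body that carries one of the protected identifiers, can both be caught by a pre-send check. The script below is an added example written for this page, not a Tresorit or Google tool: it parses a draft message with Python's standard email library, flags more than one visible recipient in To/Cc, scans the text for a small illustrative subset of identifier patterns (SSN, labelled date of birth, labelled medical record number; a constructed ruleset, not the full list of 18), and offers a helper that moves bulk recipients into Bcc. The sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed, illustrative subset of HIPAA's identifier categories. A real
# deployment would use a reviewed DLP ruleset covering all 18 identifiers.
IDENTIFIER_PATTERNS = {
    "social security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date of birth": re.compile(
        r"\b(?:DOB|date of birth)\b\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{2,4}", re.IGNORECASE),
    "medical record number": re.compile(r"\bMRN\b\s*[:#=]?\s*\d{4,}", re.IGNORECASE),
}


def visible_recipients(msg):
    """Addresses that every recipient will be able to see (To and Cc, not Bcc)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def body_text(msg):
    """Concatenate the text/plain parts of a parsed message (walk() also
    yields a non-multipart message itself)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_message(raw):
    """Return a list of findings for a raw RFC 822 draft; empty means clean."""
    msg = message_from_string(raw)
    findings = []
    recipients = visible_recipients(msg)
    if len(recipients) > 1:
        # The Springfield case: membership in the recipient list is itself PHI.
        findings.append(f"visible recipients: {len(recipients)}")
    text = body_text(msg)
    for name, pattern in IDENTIFIER_PATTERNS.items():
        if pattern.search(text):
            findings.append(f"identifier: {name}")
    return findings


def rewrite_as_bcc(raw, sender):
    """Mitigation for bulk mail: move every To/Cc recipient into Bcc and
    address the message to the sender's own mailbox."""
    msg = message_from_string(raw)
    recipients = visible_recipients(msg)
    del msg["To"]
    del msg["Cc"]
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    return msg.as_string()


# Constructed sample drafts.
BULK_SUPPORT_GROUP = """\
From: clinic@example.invalid
To: alice@example.invalid, bob@example.invalid, carol@example.invalid
Subject: Support group for bariatric surgery patients
Content-Type: text/plain; charset=utf-8

Our monthly support group for bariatric surgery patients meets on Tuesday.
"""

FLU_SHOT_BCC = """\
From: clinic@example.invalid
To: clinic@example.invalid
Bcc: alice@example.invalid, bob@example.invalid
Subject: Seasonal flu shots now available
Content-Type: text/plain; charset=utf-8

Seasonal flu shots are available from October. Reply to book a slot.
"""

SINGLE_PATIENT_RECORD = """\
From: clinic@example.invalid
To: alice@example.invalid
Subject: Your record update
Content-Type: text/plain; charset=utf-8

Your record has been updated: SSN 123-45-6789, DOB: 04/12/1980, MRN #00012345.
"""

if __name__ == "__main__":
    for label, draft in [("bulk", BULK_SUPPORT_GROUP), ("flu", FLU_SHOT_BCC),
                         ("record", SINGLE_PATIENT_RECORD)]:
        print(label, check_message(draft))
    print("bulk after Bcc rewrite:",
          check_message(rewrite_as_bcc(BULK_SUPPORT_GROUP, "clinic@example.invalid")))
```

The flu-shot draft passes because it carries none of the identifier patterns and only the sender's own address is visible; the support-group draft is flagged purely on its recipient list, which is the lesson of the Springfield case, and passes again once the recipients are moved to Bcc. The single-recipient record update is addressed correctly but still needs encryption, since the body contains identifiers.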
HIPAA email encryption requirements: a short review
Despite all the previous limitations, HIPAA email requirements do not, per se, force you to apply true end-to-end encryption to all your messages and data.
Consequently, sending medical records without encryption within your organization is okay, provided you have adequate cyber security on your servers and you follow the protocols all the time.
Take "all the time" literally. First, you have to ensure that nobody other than the doctors or nurses intended to read the plain text messages in your office can access the computers. Also, nobody else can be present in the room when they access medical records.
In theory, outbound communication can also occur without encryption according to HIPAA, if you meet specific requirements:
- You have informed all your patients in advance and in full about the risks of email communication.
- You also informed them about other, more secure ways of communication.
- They have stated that despite liabilities, they choose the less secure option.
- They consent to the above in some trackable and provable way.
Not checking these criteria during an unencrypted email communication with medical records can imply a direct HIPAA violation.
How to make your emails HIPAA compliant?
You should know that even though an infraction might look harmless, it can lead to a complaint and violation fees that vary between $100 and $50,000 per violation. Transgressions are grouped into four categories, with a maximum of $1,500,000 per year in each(!) category. Therefore, the best practice is to conduct all your email communication to the highest security standards.
- Choose a 3rd party email provider that signs a BAA (Business Associate Agreement) and uses reliable encryption standards like AES.
- Improve the security standards within your organization by enabling two-factor authentication and screen locks on corporate devices. It is a plus to set up a user administration system to ensure separation of roles and access logging for your files.
- Apply true end-to-end encryption to all of your data or emails with an encryption plugin like the one provided by Tresorit.
Is Gmail HIPAA compliant?
As the world’s biggest 3rd party email provider, with more than 1.5 billion active users, Google seems like a safe choice at first glance for business purposes, even for medical practitioners. But in reality, the free version of Gmail is not HIPAA compliant, and even Google makes no secret of the fact. In addition, sending PHI via Gmail without end-to-end encryption is against Google’s own Terms of Service.
Despite this, you can find tools to make Gmail HIPAA compliance a reality. To do so, switch to a paid Google Workspace account, and activate Gmail S/MIME encryption for your messaging. Also, sign a BAA with Google because by letting you send PHI with Gmail, the company will share the responsibilities with your company as a business partner. That requires a HIPAA compliance audit from Google before the contract on the grounds of both the “administrative” and “physical” safeguards mentioned above.
But before you do so, you have to be aware of three essential facts:
- Google's BAA limits the company's responsibilities to the time your PHI emails are behind Google's firewalls and cyber security system. So, you are responsible for securing access to them once they are on your patient's device. This means you have to look for a HIPAA compliant Gmail encryption add-on as an extra layer of security.
- Google S/MIME has a critical weakness. Its encryption is only active when both the sender and the recipient use a Google Workspace account. In other cases, security falls back to Google's standard TLS transport encryption, an easier target for hackers.
- While a signed BAA lets you use Google apps in line with HIPAA requirements, upholding compliance across your communication as a whole remains your responsibility.
An easy-to-use HIPAA compliant email encryption – Tresorit plugin for Gmail
Luckily, there are easier ways to send PHI emails if you want to stick with Gmail. You can use options such as a PGP (Pretty Good Privacy) encryption plugin for Gmail at work. That can safeguard your messages, but only if you have some technical skills and are willing to run encryption software in parallel.
But if you aim for maximum ePHI security with minimum effort, the Tresorit for Gmail plugin is the ultimate tool you are looking for! With its capabilities, you can combine the state-of-the-art cyber security of Tresorit and Google’s Gmail email composer.
With Tresorit for Gmail, you can retain complete control over any attached files by replacing them with secure, password-protected sharing links in a way that meets HIPAA requirements. While the Gmail plugin does not encrypt the emails themselves, you can rest assured that any files shared alongside emails are sent in a HIPAA compliant manner. With Tresorit solutions, you can access files from any device using platform-specific clients or the web client with appropriate security measures. You can set up two-factor authentication, check who has accessed shared files, revoke sharing links, or limit the number of downloads allowed on a given file.
As a plus, enabling true end-to-end encryption with Tresorit is easy. Our Zero-Knowledge authentication practices guarantee the highest level of confidentiality when using our services. No one with whom you have not shared a file can access your data, not even Tresorit. This technology makes Tresorit HIPAA compliant and an ideal tool to make SOX or GDPR compliance simple.
Looking for a secure yet convenient way to use Gmail with true end-to-end encryption? Learn more about what Tresorit for Gmail can offer.