HIPAA Compliant Email 2017 FAQ

HIPAA Compliant Email 2017

How HIPAA compliant is your email? Are you using email to transfer PHI in your medical practice? Which is the best method to communicate electronically? Are there certain types of email services that are compliant. Which is the best way to mitigate our HIPAA breach risk? We answer your questions below.

Are Emails HIPAA Compliant?

Answer: NO. All free email services such as Hotmail, Yahoo mail, Gmail etc. are not secure, and no patient health information should be sent through them. Not only is it non-compliant to send text-based sensitive PHI information over email, it is a serious risk to send PHI-related attachments, files and images as well.

HIPAA compliant systems will ensure that they comply with the following. Always ask if the system is HIPAA secure (preferably encrypted). The system should offer a  BAA (Business Associate Agreement) which permits you to use the communication platform in HIPAA compliant way.

 Traditional email services are not HIPAA-compliant. Sending patient information (even non-clinical such as home addresses, phone numbers and other personal identifiers) puts your practice at risk. The minimum fines for a security violation starts at $50,000. 

Is it fine if a patient is sending me email, and I simply reply back?

Answer: NO. If patient is sending you email using one of the regular email service providers such as Gmail, Yahoo, Hotmail etc., it is your duty to inform them first that this channel is not secure, and ask their consent to respond on an insecure channel. Also, you need to make sure that you document your email conversation for record keeping. This creates not only more work for your staff, but confusion (and possibly even concern) on the part of the patient. 

Here is the extract from the official HIPAA OMNIBUS FINAL RULE (page 5634) —

We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email… If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.

Are my image attachment, fax and MRI scans sent to emails secure?

Answer: NO. Today, pretty much everything can be directed to your email. For example, faxes are sent as emails, voice messages are sent as emails etc. To comply with HIPAA, anything sent electronically containing patient health information—image, text or voice, should be encrypted before sending.

So do all emails with patient health data must be encrypted?

Answer: NO. Email sent within the office using a secure service does not require to be encrypted, having said that, emails sent to different branches have to be encrypted in order to remain compliant. As a rule of thumb, avoid sending unencrypted email to any friend or staff or business partner on personal email IDs.

So, it's best to play it safe.

How do I communicate securely and effectively with my patients and staff?

Here's where we come in. Klara provides a HIPAA-compliant, secure platform for doctor-staff-patient communication. It's simple, streamlined and transparent. Not to mention, the Klara platform enables messages to be tagged, organized and triaged, enhancing your practice and staff operations.

Klara is the #1 choice for healthcare providers. Schedule a brief introductory call with a member of our team to learn more.