The Health Insurance Portability and Accountability Act (HIPAA) requires specific security standards to be met when handling health information, which leaves some organizations unsure whether they can use email at all and still remain HIPAA compliant.
HIPAA does not prohibit the use of email, but the required safeguards are demanding and can be difficult to implement in a standard or traditional email system. This has led to the rise of specialized HIPAA compliant email providers. These solutions, offered with different options depending on the desired infrastructure, combine the functionality and ease of use of common email programs with the level of security and associated features that HIPAA compliance requires.
Depending on the vendor chosen, the system may run on IT resources internal to the HIPAA covered entity or be hosted by the email service provider itself. Existing email addresses are commonly migrated to the new system so they remain active and in use, which reduces the risk of missed messages and means established contacts do not need to update their address books.
The HIPAA Security Rule and Compliant Email Providers
Any provider that wishes to offer compliant email services must be able to demonstrate that it addresses all relevant security measures called for in the HIPAA Security Rule. These correspond to the Security Rule's technical safeguards: authenticating users, controlling who can access information, recording any modification or deletion of data, and protecting data while it is being shared or transferred.
Only when all of these capabilities are present and enabled can the solution be used in a HIPAA compliant manner. One further element must be in place before the tool can actually be used, however: the business associate agreement (BAA). The BAA is a contract between the service provider and the HIPAA covered entity that sets out the provider's duties and the other requirements of the relationship, and HIPAA requires it to be signed before PHI is shared with the provider.
Even when all the necessary elements are in place (the business associate agreement, access controls, audit controls, and so on), the day-to-day use of the solution can still create problems. It is the responsibility of the covered entity, not the service provider, to ensure that the system is used in a compliant fashion. The provider should make every option needed for HIPAA compliance available in the tool, but the covered entity must verify that those options are actually enabled and correctly configured rather than assuming the defaults are sufficient.
The covered entity is also responsible for ensuring that all of its staff are adequately trained in how to use the tool. To ensure that best practices are followed, this training should include a wider overview of the security issues that can arise from email, such as the risk of malware and other activity-specific concerns. Covered entities should note that many breaches result from social engineering, such as phishing, in which employees or others are tricked into divulging information or credentials that allow malicious parties to view or otherwise obtain protected health information (PHI).