Using free email providers like Gmail, Yahoo, and MSN are expedient and easy to set up. It’s the reason why some healthcare providers rely on them. While you could stretch to make the argument that these email services can be configured to be “HIPAA capable,” none in the eyes of security experts are HIPAA compliant. And not complying with the safeguards required by HIPAA law can lead to unnecessary violations and costly fines.
What Makes Email Vulnerable
We all send countless emails every day without thinking about it. But from a technological and safety perspective there are several links in the chain, which make email vulnerable to malicious interference. Once an email is sent it moves from your workstation to your email server…then onto your recipient’s email server…from there your recipient’s workstation pulls the message from their server. Along the way, there’s a copy of the email stored on each workstation and server.
To satisfy HIPAA requirements, protected health information must be secure both at rest and in transit. This entails having your email messages protected while resting on workstations and servers, but also being secure until they reach the intended recipient’s inbox. There are paid services, like Google’s G Suite, that claim to be HIPAA compliant, but they don’t encrypt your email all the way to the recipient’s inbox. If your email is not secure while in transit, it is susceptible to theft.
The Business Associate Aspect
A big issue with using free email providers is the lack of business associate agreements. As a responsible healthcare provider, you must have signed agreements with any third-party vendor that handles your protected health information. This means your email and file sharing service needs to sign a business associate agreement in order for them to be HIPAA compliant. Unfortunately this isn’t possible with free email providers and taking a chance on using one could have costly and disaster consequences.
Phoenix Cardiac Surgery found this out the hard way in 2012. That’s when they were forced to pay the Department of Health and Human Services $100,000 for HIPAA violations. One of the company’s abuses— as uncovered by the Office for Civil Rights’ investigation—was transmitting electronic protected health information to its employees’ private email accounts using an internet-based email service and posting sensitive data on a publicly accessible, internet-based calendar service. Phoenix Cardiac Surgery did not have a business associate agreement in place with these vendors, which is a violation of the HIPAA Security Rule.
The Best Way To Secure Your Email
At PCIHIPAA, we offer an email add-on that encrypts your emails and integrates with Outlook, Gmail, and other popular email providers. It’s easy to use, as it allows you to send messages as you normally would. Your recipients are able to view your messages without any software on any browser. With our HIPAA compliant email solution, you can track and verify that your email has been received by the intended patient. We utilize military-grade end-to-end encryption which ensures that cybercriminals aren’t able to intercept your sensitive data and disrupt your business.
We’ve all heard horror stories about protected health information being compromised via email. It’s simply not worth risking HIPAA violations and fines to use an unsecure email provider. Call us today at 800-588-0254 and find out how we can set up an email solution that gives your practice peace of mind and 100% assurance of being HIPAA compliant.