Healthcare organizations must walk a fine line when using email for promotion and communication.
“It has become increasingly clear that many aspects of HIPAA compliant email are either not understood or badly implemented, leaving a large number of healthcare organizations of all sizes wrongly believing their email is both secure and HIPAA compliant,” The HIPAA Journal writes.
Case in point: the Office for Civil Rights now sees around 60,000 data breach notifications per year, many concerning wrongful disclosures of personal health information (PHI). These are caused by email failures, The HIPAA Journal notes.
How does a firm remain compliant with HIPAA (the Health Insurance Portability and Accountability Act)?
First, it has to create policies and procedures, including obtaining each patient’s formal consent to communicate by email. And it should ensure that all emails are fully secure.
Of course, patient information must also be secured.
“Emails and their attachments need to be secure from when they leave your device to when the intended recipients read them,” the advisory states. “Without this end-to-end security, sending an email is similar to sending a postcard where the content is visible to anyone who handles it on its journey through the postal system.”
Email retention is also critical, although it is not specifically included in HIPAA rules, for three reasons: patients might request an accounting of disclosures of PHI; the emails might be needed for a legal defense in the event of litigation; and state laws can require that emails be retained for a period of time.
Organizations using email must also implement audit and access controls to ensure the integrity of the email system. And they must provide employee training.
It doesn’t matter whether paid or free email services are being used. None of the free services are compliant “and cannot be made so,” the article reports. Moreover, “Out-of-the-box email solutions, including Google Workspace and some versions of Microsoft Office, are not HIPAA Compliant or fully secure in their default settings.”