Posts

How to send a HIPAA compliant email

These days, it would be unthinkable to operate any kind of business without email or other forms of electronic communication. And it’s a pretty standard practice among businesses of all sizes to at least be aware of security issues such as phishing, address spoofing, viruses, and spyware. For businesses that deal with protected health information (PHI) however, there is an added layer of security required.

We’re talking about the Health Insurance Portability and Accountability Act, most commonly known as HIPAA. HIPAA sets the standard for protecting sensitive data. All businesses dealing with PHI are required to make sure that physical, network, and administrative security measures are in place and kept in compliance.

Included in these considerations is handling HIPAA compliant email.

What’s involved?

HIPAA requires that PHI is secure both when it’s being sent and when it’s not. The email must be protected by levels of unique usernames and passwords for PCs and servers, and secure encryption procedures each time the information is sent or received.

This means that it’s not recommended to use common, free internet-based email services. If you do use an internet-based email service, you must have a signed Business Associate Agreement (BAA) which confirms that administrative, physical, and technical safeguards are being maintained. The BAA will generally cover the host server responsibility, but you’re still required to protect every other part of the email or transmission chain.

Encryption, particularly for stored files, is also your responsibility. There are many options available for encrypting data on your own computers, and failure to take steps to use encryption could result in heavy fines.

How to keep email secure

What to consider when setting up secure email procedures

  • Many email servers will encrypt emails from sender to recipient. If the recipient is not a client of that server, they are given the option to securely connect to the server in order to receive the email.
  • Patient portals allow for secure storage of PHI and other communications. An email is sent to the recipient informing them of an incoming message. They can then log in and securely receive the message.
  • When setting up your own email accounts, use strong password protections and possible 2-factor authentication.
  • While email disclaimers and confidentiality statements aren’t a guaranteed protection for you, said disclaimers should clearly state that the information sent is considered PHI and should be treated as such. This is not a replacement for encryption or other security measures.

What about the patients?

HIPAA realizes that you have no control over the email clients and security patients may use. The regulation states that as long as you’re using secure email and encryption on your end, you are not responsible for what happens on the patient’s end of things. Well… there are a few conditions:

  • You must have a fully secure, alternate option for patients to receive information (such as a patient portal).
  • You must inform patients that their personal email clients may not be secured. If they still want the information, it’s all right to send it.
  • You must document the above conditions.

Protecting different types of emails

Not all emails are sent from a provider’s office to a patient. Emails sent between doctors located in different locations, and not sharing a secured network or email server must also use encryption. Likewise, doctors who email PHI from their home computers to their work accounts must use encryption to avoid HIPAA violation. While in-office emails using the same secured email server don’t have to worry about additional encryption, remote access situations must follow encryption procedures.

In conclusion

Don’t become overwhelmed by the many requirements for sending a HIPAA compliant email. Consider working with a managed IT services provider experienced in HIPAA compliance and technology.

6 top HIPAA compliance myths and the truth

One of the biggest potential challenges when it comes to medical IT is HIPAA compliance. It’s true that HIPAA is a serious matter that you must handle with care. But don’t let concerns about HIPAA scare you away.

Here are 6 common HIPAA myths and the truth behind them.

Myth: You only have to think about it once

It would be nice if HIPAA was something you only had to deal with once. But it is not something you can put into place once and then forget about it.

In truth, HIPAA is an ongoing responsibility and companies need to continually monitor their own compliance. As with most types of issues that require attention and motivation, people may start taking shortcuts over time. Make sure your company has a well-defined and well-funded plan to address HIPAA compliance.

Myth: HIPAA violations only affect medical information

The entire purpose of HIPAA is supposed to be protecting the privacy of individual health data. But according to an article in CIO magazine, violations often reflect other security risks as well. Many companies have to outsource their IT and records management functions and not all companies are equally diligent.

A company that violates HIPAA regulations is also more likely to put other sensitive data at risk as well. Corporate security breaches, whether of HIPAA information or credit data, can result in significant fines and public relations nightmares. Read here to learn more about why you need a disaster recovery plan.

Myth: You don’t have to worry about enforcement

There’s more than one government agency in charge of enforcing HIPAA compliance. Several government agencies are obligated to ensure that companies are compliant with the law. Some of the government offices who check to make sure you’re compliant with HIPAA include the following:

  • Office for Civil Rights
  • Department of Justice
  • State and federal attorneys general
  • Federal Trade Commission

You don’t need to be terrified of the government’s involvement, but you also can’t take for granted that it will be okay at any point to take security management less seriously. If you need some outside help setting up a compliant system consider an expert IT consultant.

Myth: Only physical records and personal contacts matter

It’s true that you have to be mindful of privacy when discussing patient medical records. It’s also true that you have to protect the security of physical records. But even cloud-based storage systems need to be compliant with HIPAA regulation.

Related: HIPAA compliance in the cloud? 3 things you need to know.

Myth: Some people don’t have to worry about compliance

Everyone who comes into contact with medical records is responsible for maintaining their privacy. Some people may have the misconception that only the initial healthcare provider has to maintain the patient’s privacy. But in today’s healthcare climate, records can pass through many sets of hands.

According to Forbes, each person who has contact with patient records is responsible for keeping them private, including subcontractors, data centers, and other third parties. That also includes claims processors, data entry, utilization review, and practice managers, to name just a few.

Myth: Your data is too insignificant to matter

Some companies think that they’re too small to matter. They mistakenly think that hackers are only concerned with large companies or personal credit card information.

According to the blog Security Metrics, personal health information is much more valuable than credit card information. The former collects a couple hundred dollars for each health record, while credit card numbers only go for a dollar or two. Fortunately, there are best practices you can follow to protect your data,  including updating software and improving staff training.

Being HIPAA compliant isn’t optional and it matters to every healthcare business. But with careful attention and good network security, you can protect both your patients and your business.

HIPAA compliance in the cloud? 3 things you need to know.

We often hear from clients that they have concerns about maintaining their HIPAA compliance mandate should they want to transition their IT to a cloud-based approach. And, of course, many of their concerns are valid. HIPAA compliance matters.

The cost of non-compliance includes steep fines and potential legal penalties. And, what’s more, a huge drop in confidence from the consumers who trust your company with their Protected Health Information (PHI).

Here are 3 things you need to know about maintaining HIPAA compliance in the cloud.

Related: 3 steps to HIPAA security rule compliance

Business associates have mandates too

There are a variety of cloud solutions: public, private, and hybrid. And each will have their own unique set of characteristics. But no matter what solution a HIPAA-regulated company decides to leverage, one thing doesn’t change.

Any potential partner who will store PHI is considered a business associate by HIPAA. This means you’re required to execute an agreement with that associate that outlines permitted uses and disclosures.

Likewise, should that business associate sub-contract out to another entity such as a third-party data center, they must also execute an agreement with that entity that outlines the same permitted uses and disclosures. Both entities are then liable for maintaining HIPAA compliance.

The good news is, when a company’s data is stored in a third-party data center, that center will likely have military-grade security that massively restricts physical access. What this means in terms of remote access to said servers depends on the specific type of cloud solutions the healthcare provider engages.

It’s likely that the right cloud services provider already has systems and policies in place that meet HIPAA compliance.

Related: HIPAA omnibus rule

You still need to restrict access

Moving your clients’ PHI into the cloud doesn’t relieve you of your liability to protect that data. That includes the electronic protected health information (ePHI) the cloud service provider handles.

You still need to instate proper levels of password complexity to control access to ePHI on the cloud servers. Also, you need required standards on how often employees update their passwords. This should include policies on logging out of unattended devices. Basically, any policies you kept in place at the office-level need to remain in place using the cloud. This is key to maintain your HIPAA compliance in the cloud.

Related: Medical ransomware attacks on the rise

Periodic audits should be standard to your approach

This one is not only mandatory to maintain your HIPAA compliance in the cloud, it should also be obvious to your business associate. As part of the business associate agreement you create, you need to be sure that your cloud service provider and their subcontractors perform periodic audits of their systems and approach to ensure compliance.

Such audits have the power to save both you and your business associates from expensive violations.

Conclusion

HIPAA compliance in the cloud may sound complex. But with the right partner and the right approach, you can enjoy the conveniences of cloud computing and maintain HIPAA compliance at the same time. If the subject sounds like a lot to take on, consider seeking out professional advice and help.

5 ways companies violate HIPAA compliance (and how to avoid them)

HIPAA compliance can be an Achilles’ heel for the companies who fall under its regulatory umbrella. And rightfully so. After all, the protected health information (PHI) it mandates is among the most sensitive data that businesses in any industry handle.

Failure to comply can lead to large fines and legal penalties. Or even drive companies out of business altogether over time. That’s why it pays to be prepared for the threats. But preparation is a tall order when the threats come from every direction, including external intruders and the very people you trust to access it.

Here are 5 ways that companies violate HIPAA compliance, and how to avoid them.

Malware and hacking

As with any industry, malware and hackers are a real concern for HIPAA-compliant companies. But the risks are even higher when data loss results in fines and legal action, in addition to lost productivity or downtime.

The good news is, there are a number of strategies you can take to keep your network safe and meet compliance mandates. Four of the most direct methods include:

  1. Requiring updated passwords on a minimum quarterly basis.
  2. Making sure your company has adequate firewalls in place to protect your network.
  3. Requiring a base level of password complexity.
  4. Making sure software is updated at all times to shore up security vulnerabilities.

Malicious (or absent-minded) insiders

We’d all like to believe we can trust the people we work with. Unfortunately, this isn’t always the case. Often it’s the very people we allow inside our networks who do the most damage. Sometimes for profit.

However, there are a few solid strategies you can take to minimize exposure:

  1. Practice the principle of least privilege for employee access to PHI.
  2. Use keycard access points to control access to hardware portals. Never provide access to employees who do not require it.
  3. Track and monitor who accesses PHI, and when.

Lost or stolen devices

With the rise of cloud computing, businesses frequently use portable devices such as tablets or laptops. This doesn’t have to lead to a compliance issue should one of these devices be lost or stolen. But it can. Here are two strategies to avoid violating compliance should one of your devices be lost.

  1. Install and maintain remote wipe programs on any devices that can access PHI. This is particularly important if your employees will ever access PHI from public networks (consider a policy against such use). Require automatic logout / session timeouts for sensitive programs.
  2. Require all devices that access your network to be password-protected.

Improper device or records disposal

Does your office use devices such as copy machines? Often these devices save document copies on their hard drives. That means they may retain copies of peoples’ PHI. What do you do with outdated records, and how do you handle document transfer risks? Here are a few tips:

  1. Have a plan to clear temporary files from all devices that handle copies of any files or messages containing PHI.
  2. Always shred discarded hard copies or securely store outdated / old records that are no longer actively used.

Third-party disclosure

The nature of PHI is that this sensitive information often needs to move from office to office or organization to organization during the course of patient care. These transfer points are high-risk areas where you can violate compliance and compromise patients’ data. Try these strategies to make records transfer more secure:

  1. Have a plan in place for transferring records in a secure, encrypted or otherwise protected manner.
  2. Require a business associate agreement with any agency that will exchange information with your organization. This agreement should clearly outline responsibilities, protocols and best practices.

Conclusion

It’s clear that HIPAA compliance is a complex issue. You probably need professional planning and security to prevent data loss and the resulting fallout. It’s highly advisable that you consider reaching out to a Managed Services Provider (MSP) with HIPAA experience who can guide you through the process.

They can also provide strategies and solutions to achieve maximum protection for your unique organizational needs and risks. Given the steep fines and extreme cost of downtime or data loss, this will likely save you money in the long run.