If your business communicates with clients or patients of record, business associates or third-party health entities, email is the gold standard for fast and efficient contact and delivery. Services like MailChimp, Constant Contact and GoDaddy Email Marketing make communicating easy and effortless. But if you are using email for all of your company outreach, you could be in violation of HIPAA law if you are not mindful of the restrictions.
HIPAA and subsequent acts
HIPAA (Health Insurance Portability and Accountability Act) was passed into law by Congress in 1996. In 2009 the Department of Health and Human Services added an extra layer of protection to HIPAA law for consumers, and made healthcare organizations, providers, insurance carriers and clearinghouses more liable for inappropriately transmitting electronic personal health information (PHI).
The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009, significantly increased the penalty that could be imposed on violators of HIPAA law. Prior to 2009, penalties for HIPAA law violation could not exceed $100 per infringement, or $25,000 for identical violations of the same provisions. Today there are incremental violation tiers in place, and organizations that mistreat PHI can be fined up to $1.5 million for violations of identical provisions.
Considering how large the penalties have grown, the federal government is taking how your business communicates with healthcare consumers very seriously.
So are you using email to communicate with clients in accordance with HIPAA law?
What HIPAA protects
Emailing PHI information internally on a secure network is not a violation, nor is emailing a remote office on the same secure server. But while the email service you use in your office may be HIPAA compliant, free email services your client or patient might use — such as Gmail and Yahoo — might not be. Thus, using an email template to send communications that contain PHI to a client or business associate is in violation of HIPAA law if it is not encrypted.
In addition to personal health information, HIPAA protects any information linked to an electronic transmission, including fax, PDFs, voice mail, scanned documents and written information.
When a new client or patient purchases a service or visits your office for the first time, you might send them a welcome email.
However, if any identifiable information linking the client or patient to a particular procedure or service is listed or attached to the email, that is in violation of HIPAA law.
When email can unknowingly transmit PHI
Take this real-life example: Individuals who are responsible for purchasing their own health insurance can go online and buy a major medical insurance policy during the open enrollment period each year. When their application is complete and they purchase the policy, it is common for an automatic email to be generated, usually in an email template format, confirming the purchase and submission.
The new health insurance policyholder could possibly receive this email from the website where the health insurance was purchased, the health insurance company they bought the policy through or both.
However, if any attached documents contain the individual’s name, such as a medical ID card or a schedule of insurance benefits, the company that transmits the attachments is in violation of HIPAA law.
In this case, the company should only use email to communicate the submission for insurance was received, and provide account setup instructions to a secure portal for the insurance purchaser to download their documents from.
The HIPAA Omnibus Bill of 2013
Since HIPAA law was established in 1996, technology has dramatically evolved. With the recognition that email and data transmission are primary forms of doing business, the HIPAA Omnibus Bill became an addendum to HIPAA law in 2013. This bill gives healthcare consumers freedom to receive their personal health information if they understand and acknowledge the risks associated with unencrypted forms of communication. If a healthcare entity gets consent to communicate outside of the original HIPAA standards set forth in the law, the healthcare entity is not held responsible if there is a breach once the information is transmitted to the consumer’s unsecure email.
Steps to make email compliant with HIPAA law
With a little analysis of your current business communications strategy, you can ensure email outreach to your clients or patients is safe and compliant.
Not sure if your email communications are in compliance with HIPAA? Start with these steps.
- Business entities should first conduct a risk assessment to determine if any manual or automatic communications being sent through email templates are in violation of HIPAA law. If violations are found, cease email communication immediately and document processes.
- Determine if email is the only method for delivering communications. If so, investigate outside encryption services. Encryption is one method of rendering PHI unusable, unreadable and indecipherable to any hackers seeking unauthorized access. Note: This can be a solution for business-to-business communications, but can be more difficult for clients or patients to use.
- If PHI is unnecessary in any email template, such as using a first and last name in the greeting, de-identify information to be compliant.
- Insert action buttons and links into email templates that advance readers to password-protected websites to obtain their PHI documents.
- Ask clients if they want documents sent to them unencrypted, and explain the implications in accordance with the HIPAA Omnibus Bill. Save all documentation on file.
- Sign up for Microsoft Office 365 from GoDaddy’s Business Premium plan and forget the worry. With just a few simple steps, GoDaddy can connect your business with HIPAA-compliant Microsoft Office 365, safeguarding your clients’ and patients’ PHI.
The above content should not be construed as legal advice. Always consult an attorney regarding your specific legal situation.