If you own a small business related to healthcare, it’s important that you make sure your email communications to your patients, vendors and others are HIPAA compliant (Health Insurance Portability and Accountability Act of 1996).
HIPAA is a set of federal standards enacted in 1996 to protect the privacy of patients’ medical records and other health information. It targets covered entities, such as health plans, doctors and hospitals, and in 2009, HIPAA was amended to include “business associates,” such as the billing, medical transcription or answering services you may use.
“Small businesses must comply with this complicated health law,” says Jonathan Tomes, an attorney and national HIPAA compliance consultant. The first step is to perform a risk analysis of your communications, such as your website and email communications. With email, you’ll need to assess whether your email service could be hacked or otherwise compromised by an identity thief. “It’s happened to millions of people,” Tomes says.
To prevent such security breaches, HIPAA requires that your email service provide “reasonable and appropriate security.”
The trouble is, HIPAA doesn’t define what “reasonable and appropriate security” is. The regulations are vague and complex. However, Tomes offers these guidelines for sending secure email for health information.
Consider HIPAA compliant email encryption
To protect your customers and patients from security breaches, consider adding encryption to your email service. Microsoft 365 by GoDaddy's Business Premium product is an example of a low-cost email option to support HIPAA compliance.
“The regulations don’t say you have to encrypt your email, but if you do, it’s a safe harbor,” Tomes says.
The catch? The person on the receiving end must have a decryption key to read your email. Your decryption key should be randomly generated and at least nine characters — including at least one special character, such as a pound sign or question mark. If your email service is encrypted and can only be decrypted with a complicated decryption key, you likely won’t be liable for a security breach in the event it should occur, according to Tomes.
Offer password protection
In lieu of email encryption, which is the most secure form of email communication for healthcare-related information, consider sending email reminders that link to a secure website with the information your customers need.
Your HIPAA compliant email communications, might say, for example: “Dear Patient: You have a new or unread lab result. To review, please log in to the website,” with a hyperlink to a password-protected patient portal. “Password protection is not encryption, but it might protect you from liability if a security breach occurs,” Tomes says. Tomes has litigated eight such cases. Each one was dismissed because the password-protected emails were considered to be HIPAA compliant.
Say less
Even though you’re not providing explicit patient information in an email reminder to your customers, you can still provide too much information if you’re not careful. “HIPAA-compliant email content should follow the minimum necessary rule,” Tomes says.
HIPAA compliant email is carefully crafted to supply only the amount of information necessary in an email to accomplish the intended purpose.
It’s cryptic for a reason — so that people for whom the email isn’t intended can’t decipher its meaning, but so that the person for whom it is intended can understand it. With that in mind, you may want to avoid including your company’s email signature or logo if it gives away your company’s identity or purpose. You may even want to omit your company name in your email sign-off if it’s too explicit. Instead of “XYZ Fertility Center,” for example, you could simply sign off with “System Administration,” for example.
Train your staff
A HIPAA violation is a criminal offense with up to a $250,000 fine for one violation and 10 years of imprisonment. “It also has civil monetary penalties, the largest of which so far has been $6.8 million,” Tomes says. To avoid exposing yourself to liability for health information breaches, make sure your staff is HIPAA trained.
“Over 80 percent of security breaches that have resulted in million-dollar fines have been caused by staff,” Tomes says. Train your staff so they know not to say too much in an email.
Develop disclosure email policies and templates for every type of health information your staff is apt to send, such as disclosing lab results, appointment reminders and more.
“Spell out your policies and post them,” Tomes advises. If employees breach your email privacy policy because they develop an illness that affects their judgement (it’s unlikely but it happens), there’s a defense that can protect you known as “unavoidable employee misconduct.” Essentially, “if you have a HIPAA-compliant email privacy policy, train your staff and enforce it, you’re not liable if somebody goes nuts — because you did what you could,” Tomes adds.
To learn more about HIPAA and email compliance, check out Tomes’ HIPAA compliance blog and his book, Your Happy HIPAA Handbook.
The above content should not be construed as legal advice. Always consult an attorney regarding your specific legal situation.
