Every day I field questions about HIPAA compliant e-mail, and many days I see or hear something that leads healthcare organizations and their business associates in the wrong direction.
These Myths and Facts can help you make the right e-mail decisions. I have included links to give you more details and so you can see the official information yourself.
MYTH – All e-mail systems are HIPAA compliant.
FACT – FALSE. Free web mail services like Gmail, Yahoo! Mail, Hotmail, and those provided by an Internet Service Provider are not secure, and no electronic Protected Health Information (ePHI) should be sent through these systems, either in messages or in attachments.
If your practice, or even just one doctor, is using a free web mail service to communicate patient information, STOP NOW: every message you send is a HIPAA violation, because you are sharing information with a cloud service in the absence of a Business Associate Agreement. To get the right solution, talk to a certified IT professional who understands HIPAA. Check out the 4Med Pro Network if you want one that specializes in healthcare.
MYTH – Any e-mail message containing patient data must be encrypted.
FACT – FALSE. E-mail sent desk-to-desk within your organization, using a secure server on a secure network, does not have to be encrypted. E-mail going to a remote office on your wide area network should be protected by the encryption of the secure VPN 'tunnels' that link your locations across the Internet. You can also use dedicated secure circuits that do not go through the Internet. Never send unencrypted e-mail containing patient information to a doctor, any member of your workforce, or a Business Associate at a personal or business address outside of your network.
MYTH – I cannot send a patient their medical information if they use a free web mail service.
FACT – FALSE. You can, based on 2013 guidance from the US Department of Health & Human Services. As long as you are using a secure e-mail system on your end, the HIPAA Omnibus Rule released in 2013 says that if a patient asks you to send their information to an unsecured account, such as Gmail, Yahoo! Mail, Hotmail or similar, (a) you should inform them that their system is not secure, and (b) ask whether they still want the information sent there. If they say yes, it is HIPAA-compliant to send their records to the unsecured e-mail address, provided you document your conversation and their approval.