Email is becoming one of the more popular ways for patients to communicate with healthcare providers.
In fact, healthcare emails in general have one of the highest email open rates among any industry.
But the rise of email as a primary form of communication presents challenges for healthcare providers in terms of protecting sensitive patient data when delivered electronically.
Not only do providers have to worry about oversharing patient information when they write and receive emails, they also have to consider how things like email security and encryption might impact the sharing of sensitive patient information.
Thankfully, HIPAA has some specific guidelines for managing electronic communications, though it still falls on every practitioner (and staff member) to put these guidelines into practice.
Here’s what to know about HIPAA and email.
What Does HIPAA Say About Email?
HIPAA’s Privacy Rule governs best practices for the type of information that can be shared.
According to HHS, it offers guidelines for addressing “medical records and other personal health information and applies to health plans, health care clearinghouses, and […] health care providers” using written, verbal or electronic communication.
Its related provision, known as the Security Rule, specifically sets security standards for managing and discussing healthcare electronically.
The Security Rule requires that all healthcare providers implement safeguards both administratively, physically, and technically, for all electronically shared patient data.
There are five additional provisions that providers must consider when using email:
- Access Control — Who can view or access emails to/from patients?
- Person or Entity Authentication — Who or what can verify that providers and staff members using email are who they say they are?
- Integrity — How are emails being stored so that they’re safe from third parties?
- Transmission Security — Are emails from your email service provider encrypted?
- Audit Controls — Is there a paper trail for every email sent and received?
With so much to worry about in terms of protecting patient information via email, it can be confusing to know whether or not you’re being compliant.
To summarize HIPAA’s guidelines on email compliance, there are a few key takeaways from the Security Rule and Privacy Rule:
- You are allowed to send and receive emails from patients
- You must let patients know that there are risks associated with sharing medical information electronically
- You must respect patients who don’t want to communicate via email
- You must take certain steps to secure patient emails
Here’s a quick look at how these guidelines will play out in the day-to-day operation of your practice.
Sending and Receiving Emails is Okay, But…
HIPAA’s Security Rule is overseen by the Office for Civil Rights, or OCR.
According to the OCR, “Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual.”
In other words, if a patient emails you first, you can assume they’ve consented to further emails.
They may tell you they don’t want to communicate via email later on (in which case you’ll have to revert to their desired form of communication), but for the most part you’re in the clear if they’re the ones who make contact first.
The easiest way to get permission is by having patients agree to receive emails from your practice on their intake forms.
Patients should also be given the option to communicate only by email if that’s their desired form of communication.
Email Access Should Be Protected Internally
Three of the five provisions for HIPAA’s Security Rule (access control, entity authentication and integrity) deal with protecting patient emails internally.
Access Control — HIPAA section 164.312(a)(1) — requires the assignment of a “unique name and/or number for identifying and tracking user identity.”
What this means is that you need to create unique usernames and passwords for staff members who have access to patient emails.
In some cases, practices will have a shared login for a single clinic email account, but it’s important to note that as a general rule, HIPAA discourages the use of shared logins.
A limited number of staff members should have access to your practice’s email account.
Entity Authentication — HIPAA section 164.312(d) — also states that there should be additional verification that staff members who have access to emails are who they claim to be.
Practically, this means that only certain staff members should have access to emails.
It also means that emails should only be accessible by secure login, not stored on any other database or in another file where non-authorized personnel have access to them.
Integrity — HIPAA section 164.312(c)(1) — stipulates that there should be policies and procedures in place to “protect electronic healthcare information from improper alteration or destruction.”
Practices must use email providers that can securely store emails and prevent outside parties from accessing, altering or deleting them.
For instance, Gmail is HIPAA compliant in some ways, but not all, so you would have to take additional measures to protect patient data if your primary email communication is through Gmail.
Emails Should be Protected by Encryption
Transmission security — HIPAA section 164.312(e)(1) — requires practices to secure their networks against “unauthorized access to electronic protected healthcare information.”
This means that you absolutely must use SSL-based encryption for any and all electronic communications.
If you’re communicating directly through an EHR/EMR system, you most likely already have SSL-based encryption. But “outside” email service providers aren’t always secure.
According to Purple Dog, “When you use a standard POP or IMAP connection to download your email (the most popular method still in use), your username and password is sent in cleartext across the Internet. This means that anyone using the same wireless connection as you, or the same network as you or watching traffic at your ISP – or anyone in a position to see your Internet traffic can potentially ‘intercept’ your network traffic and clearly read your username and password.”
If you’re using a third party email provider (like Gmail) that doesn’t have an SSL-secured option, assume that your emails aren’t encrypted.
Do you need to rush out and get an SSL encryption? Not necessarily.
HIPAA provides provisions for using non-encrypted emails as long as you explicitly tell patients that your emails are not encrypted and there is a risk of exposure (you can do this on your website and/or on your intake forms).
As long as they know and consent, you’re still okay.
Audit Controls — HIPAA section 164.312(b) — also requires that practices have a system for tracking sent and received messages. Again, an EHR/EMR system will do this, while a third party email service provider may not.
Additional Best Practices for Sending/Receiving Emails
To ensure that all of HIPAA’s Security Rule and Privacy Rule provisions are met, consider taking the following steps when using email in your practice:
- Communicate through your EHR/EMR system as much as possible. If a third party email service provider (like Gmail) must be used, ensure that you take the proper steps to encrypt emails and/or alert patients that their information may not be safe.
- Include a disclaimer in your emails (and on your website and intake forms) about patient privacy in emails (a good example can be found here).
- Get patient consent on your intake forms (or any other forms) prior to sending an email message to patients, and keep a record of their consent. Remember, if at any point they want to stop email communication, you must stop sending emails.
- Educate patients about securing their own emails with better password protections and ensure them that you have policies in place that protect email access from the practice’s side of things.
- Put internal policies in place to protect email access. It’s important that only certain staff members have access to emails and that passwords and login information is protected from patients or other outside parties.
By following a few of these best practices, you can ensure that patient data is as secure as it possibly can be.
As the popularity of email as a form of healthcare communication rises, so will the need for protection.
Make sure you fully understand HIPAA’s Security and Privacy guidelines when sending and receiving emails from patients, and that you get permission from patients to communicate via email.
The more information you and your patients have about email privacy, the safer everyone’s data will be.