HIPAA Compliance for Medical Practices
65.0K views | +0 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

HIPAA Compliance for Email

HIPAA Compliance for Email | HIPAA Compliance for Medical Practices | Scoop.it

Are Emails HIPAA Compliant?

HIPAA compliance for email has been a hotly debated topic since changes were enacted in the Health Insurance Portability and Accountability Act (HIPAA) in 2013. Of particular relevance is the language of the HIPAA Security Rule; which, although not expressly prohibiting the use of email to communicate PHI, introduces a number of requirements before email communications can be considered to be HIPAA compliant(*).

HIPAA email rules require covered entities to implement access controls, audit controls, integrity controls, ID authentication, and transmission security have to be fulfilled in order to:

  • Restrict access to PHI
  • Monitor how PHI is communicated
  • Ensure the integrity of PHI at rest
  • Ensure 100% message accountability, and
  • Protect PHI from unauthorized access during transit

Some HIPAA covered entities have put forward the argument that encryption is sufficient to ensure HIPAA compliance for email. However, HIPAA email rules do not just cover encryption. Encryption alone does not fulfill the audit control requirement of monitoring how PHI is communicated or the ID authentication requirement to ensure message accountability.

Furthermore, some required functions – such as the creation of an audit trail and preventing the improper modification of PHI – are complex to resolve. So, although emails can be HIPAA compliant, it requires significant IT resources and a continuing monitoring process to ensure that authorized users are communicating PHI in adherence with policies for HIPAA compliance for email.

(*) HIPAA compliance for email is not always necessary if a covered entity has an internal email network protected by an appropriate firewall.

HIPAA Email Encryption Requirements

HIPAA email rules require messages to be secured in transit if they contain ePHI and are sent outside a protected internal email network, beyond the firewall.

As previously mentioned, encryption is only one element of HIPAA compliance for email, but it will ensure that in the event of a message being intercepted, the contents of that message cannot be read, thus preventing an impermissible disclosure of ePHI.

It should be noted that encryption is an addressable standard in the HIPAA Security Rule for data at rest and HIPAA compliance for email. That means encryption is not ‘required,’ but that does not mean encryption can be ignored. Covered entities must consider encryption and implement an alternative, equivalent safeguard if the decision is taken not to use encryption. That applies to data and rest and data in transit.

A covered entity must decide on whether encryption is appropriate based on the level of risk involved. It is therefore necessary to conduct a risk analysis to determine the threat to the confidentiality, integrity, and availability of ePHI sent via email. A risk management plan must then be developed, and encryption or an alternative measure implemented to reduce that risk to an appropriate and acceptable level. The decision must also be documented. OCR will want to see that encryption has been considered, why it has not been used, and that the alternative safeguard that has been implemented in its place offers an equivalent level of protection.

Encryption is an important element of HIPAA compliance for email, but not all forms of encryption offer the same level of security. Just as the method of encryption is not specified in HIPAA to take into account advances in technology, it would not be appropriate to recommend a form of encryption on this page for the same reason. For example, a covered entity could have used the Data Encryption Standard (DES) encryption algorithm to ensure HIPAA compliance for email, but now that algorithm is known to he highly insecure.

HIPAA-covered entities can obtain up to date guidance on encryption from the National Institute of Standards and Technology (NIST), which at the time of writing, recommends the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption. That could naturally change, so it is important to check NISTs latest guidance before implementing encryption for email. NIST has published SP 800-45 Version 2 – which will help organizations secure their email communications.

How Secure Messaging Resolves Issues with HIPAA Compliance for Email

Secure messaging is an appropriate substitute for emails as it fulfills all the requirements of the HIPAA Security Rule without sacrificing the speed and convenience of mobile technology. The solution to HIPAA compliance for email uses secure messaging apps that can be downloaded onto any desktop computer or mobile device.

Authorized users have to log into the apps using a unique, centrally-issued username and PIN number that then allows their activity to be monitored and audit trails created. All messages containing PHI are encrypted, while security mechanisms exist to ensure that PHI cannot be sent outside of an organization´s network of authorized users.

Administrative controls prevent unauthorized access to PHI by assigning messages with “message lifespans”, forcing automatic logoffs when an app has not been used for a predetermined period of time, and allowing the remote deletion of messages from a user´s device if the device is lost, stolen or otherwise disposed of.

The Benefits of Secure Messaging

The primary benefit of secure messaging when compared to email is the speed at which people respond to text messages. Studies have determined that 90% of people read a text message within three minutes of receiving it, whereas almost a quarter of emails remain unopened for forty-eight hours.

The communications cycle is further accelerated by the mechanisms to enforce message accountability. These significantly reduce phone tag, allowing employees more time to attend to their duties. In a healthcare environment, this means less time waiting by a phone and more time providing healthcare for patients.

This acceleration of the communications cycle also reduces the time it takes to admit or discharge a patient, how long it takes for prescription errors to be resolved, and the length of time it may take for invoices to get paid. Ultimately, secure messaging is a lot more effective than email, and less trouble to implement than resolving HIPAA compliance for email.

Encrypted Email Archiving for PHI

Inasmuch as the implementation of a secure messaging solution is an appropriate alternative to email, covered entities are required to retain past communications containing PHI for a period of six years. Depending on the size of the covered entity, and the volume of emails that have been sent and received during this period, the retention of PHI can create a storage issue for many organizations. The solution to this potential problem is encrypted email archiving for PHI.

Vendors providing an email archiving service are regarded as Business Associates, and have to adhere to the same requirements of the HIPAA Security Rule as covered entities. Therefore, their service has to have access controls, audit controls, integrity controls, and ID authentication in order to ensure the integrity of PHI. In order to comply with HIPAA email rules on transmission security, all emails should be encrypted at source before being sent to the service provider’s secure storage facility for archiving.

The biggest advantage of encrypted email archiving for PHI is that, as the emails and their attachments are being encrypted, the content of each email is indexed. This makes for easy retrieval should a covered entity need to access an email quickly to comply with an audit request or to advance discovery. Other advantages include the releasing of storage space on a covered entities servers and that encrypted email arching for PHI can be used as part of a disaster recovery plan.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Your Guide to Staying HIPAA Compliant When Emailing Patients 

Your Guide to Staying HIPAA Compliant When Emailing Patients  | HIPAA Compliance for Medical Practices | Scoop.it

In the age of electronic communication, there is the ever-present concern of compromised data. Data can be intercepted and accessed by third parties with their own agendas.

Naturally, the information between patients and their healthcare providers is quite sensitive. Neither party wants that data available to the public.

In response to growing concerns of data interception, Congress passed HIPAA: the Health Insurance Portability and Accountability Act. One of the purposes of this legislation is to protect a patient’s privacy.

Email is not secure

In general, email communication is not secure for two reasons:

  1. The data isn’t encrypted by default.
  2. It’s impossible to tell if the receiver is the intended recipient.

Encryption is the process of modifying data to make it unreadable, but in a way so that it can be returned to its readable state. The reorganization requires a cipher (a code) that both sender and recipient know. Anyone without the cipher will only see gibberish.

By default, most email clients do not encrypt your communications. This includes the popular web-based email clients like Outlook, Gmail, and Yahoo. However, some of these services offer paid features that comply with HIPAA regulations.

Furthermore, there’s never a foolproof way to ensure that the intended recipient is actually the one reading the email. Perhaps the patient checked his mail in a public place with wandering eyes or left his phone somewhere by mistake.

Nevertheless, modern patients expect instant communication, so you can’t avoid emailing. For many patients and practices, email is becoming the preferred method of communication.

Here’s how to stay compliant with your electronic communications.

Encrypt everything

Any piece of electronic data is required to be encrypted, including physical documents scanned to a computer. It’s a simple process to have a scanned document/image sent to your storage location via encrypted email. Speak with your IT professional to set this up.

Protected health information (PHI) must be protected at rest and transit. This means it must be secured during transmission across networks or the Internet and when it’s stored in drives at workstations and servers.

The person conducting the transmission is the liable party. As a non covered entity or business associate, a replying patient isn’t bound by HIPAA regulations. You are only responsible for your emails’ security.

While HIPAA does not require that you encrypt every device and storage location, it would be silly not to. Encryption is cheap, easy, and can protect you from embarrassing mistakes and tedious litigation. Even if you technically followed the rules, you could still upset your patients if data were exposed.

It isn’t necessary to use a dedicated service to send HIPAA compliant emails. These services work, but with some added expense.

Some email clients allow for configurations that satisfy the law. For example, the desktop client Microsoft Outlook offers an encryption option under Security Settings. If you then enable Internet Message Access Protocol (IMAP) and choose to delete emails from the server (and store them solely on your local disk), you can guarantee no chance of interception.

While encryption is important, it’s worth mentioning that HIPAA doesn’t require you to encrypt interagency emails. If you send an email to a colleague on the same secure server, no encryption is necessary. However, best practice is to encrypt everything to be safe.

If a patient is unable to accept encrypted communications, they can waive their right to privately receive emails from you. In this case, you can use any means of communication that works for you and the patient. Just make sure to have them sign a consent form and save it.

Get the patient’s consent

Consent is an important part of privacy. You can ensure you have the right contact information and protect yourself from lawsuits by getting permission in writing from your patient before you correspond through email.

On the form, explain to the patient the inherent risks of electronic communication. Offer some advice on safeguarding their computer to ensure their emails aren’t accessed by other people.

I recommend having your attorney evaluate a consent form before you send it to your patients.

Here’s a template to give you an idea of what it looks like. For best results, use an online intake form with e-signature capabilities (like ours).

Once you have the consent form, be sure to keep it safe. If the patient ever blames you for a privacy breach, you’ll want to be able to show that you had their permission.

When a patient initiates an email conversation, it’s safe to assume they permit that type of communication (unless they have previously expressed otherwise). Still, you must treat secure these emails like any other.

If a patient hasn’t agreed to communicate electronically, never contact them through email.

Include a privacy statement with each email

Every email you send should conclude with a privacy statement. The statement should notify the receiver that the email is inherently insecure, express that the content is strictly confidential, and tell them who to report the email to if they are not the correct recipient.

The purpose of this statement is to remind the recipient every time that their correspondence isn’t 100% safe. If they choose to reply with confidential information, they are doing so at their own risk. Further, it encourages parties who shouldn’t read the email to report the miscommunication.

If your email needs are simple, this can be done by adding a signature to your emails through your client. If you work in a larger practice, speak with your IT professional to ensure that all emails include this statement.

That said, email disclaimers are not a substitute for properly encrypted PHI emails. The purpose of the disclaimer is simply to inform. It does not absolve you of responsibility in any way.

Use an email provider that signs a Business Associate Agreement

A Business Associate Agreement is a HIPAA requirement for email providers. There are countless services that specialize in HIPAA compliant communications for healthcare providers. Each come with their own features.These agreements do not come standard with free email clients, but many paid versions offer this service.

If a provider does not sign this agreement, they are noncompliant. Do not assume an email service provider has signed an agreement unless it is clearly advertised on their website.

Develop an office policy

It’s important to have a clearly defined policy for your staff or colleagues regarding protected health information (PHI). A casual discussion isn’t enough. You need procedures.

In your documentation, include which types of information may and may not be transmitted electronically. You may restrict certain types of PHI (mental health issues, for instance) to in-person meetings only.

Document who may and who may not send or receive confidential patient information. For instance, you would allow a doctor, nurse, or other healthcare provider to discuss health matters with a patient, but not the receptionist, administrative assistant, or billing department. These restricted parties should only contact patients regarding administrative issues and immediately notify healthcare staff if a patient mentions medical information.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.