To say email is widely used today would be an understatement. According to some statistics, more than 100 billion electronic mail messages are sent and received each day. It has become the de facto form of communication among businesses of all shapes and sizes. But it also presents some conflicts pertaining to the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
You can read more about HIPAA by checking out some of our previous blog posts, but the general principle behind this law is to establish a set of standards for protecting the privacy of healthcare patients. This means doctors, dentists, nurses, chiropractors and other professionals in the healthcare field must take the appropriate measures to secure their patients' data from unauthorized use or access.
In order to protect their patients' data from unauthorized use, covered entities must ensure all means of communication are safe and secure. Whether it's a traditional paper file or a digital file, HIPAA requires covered entities to take certain steps to secure it. The good news is that HIPAA does allow the use of email for communication between a covered entity and a patient. As noted on the Department of Health and Human Services website, email is perfectly acceptable as long as the covered entity applies reasonable safeguards.
“The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so,” wrote the Department of Health and Human Services (HHS) on its website.
So, what are some reasonable email safeguards in the eyes of the HHS? Arguably, the single most effective safeguard for email is encryption. Sending patient information via email without encryption is just asking for trouble. Someone with nefarious purposes may intercept the message, at which point the practice could be cited for a HIPAA violation. Thankfully, most of the major email service providers now support encryption, adding an essential layer of protection to patient privacy.
Access controls are another safeguard to prevent unauthorized access to patient information on email systems. Covered entities should set up their email service so it requires logging in with a unique username and password. This allows the entity to trace an email back to its origin in the event a problem arises.