As a health care provider or business associate, you’re at the center of a confluence of forceful trends:
This guide for health care administrators and IT managers summarizes what you need to know—and do—to help ensure that your email and other cloud IT services are in full compliance with HIPAA. And it describes how you can do so easily and cost-effectively.
… because email communication is integral to everything you do as a healthcare provider. It connects your staff not just with patients and with each other, but with your many partners as well: insurers, pharmacies, specialists, service providers, and others.
Think how many emails you generate every day: appointments and referrals, insurance claims and authorizations, lab results and answers to patients’ questions, and more. How many contain HIPAA-protected patient health information? And how many of those sensitive emails pass beyond your own presumably secure network—to and from possibly insecure third parties, including your employees’ and partners’ mobile devices? Every such email is a possible point of regulatory vulnerability or violation.
Based on your status as a covered entity under HIPAA, your staff members are authorized to send and receive, amongst themselves, Protected Health Information, or PHI (or ePHI, when in electronic form). But your responsibility for protecting the confidentiality of such information and the privacy of your patients doesn’t stop there. Just like your email, that responsibility often extends beyond the security of your own network.
Passed by Congress in 1996, the Health Insurance Portability and Accountability Act mandates a set of regulations protecting the privacy and security of patients’ confidential health information, including when and with whom that information can be shared.
A supplemental Privacy Rule regulates the use and disclosure of patient data—whether verbal, written, or electronic—for health care providers, health plans, and health care clearinghouses, all known as covered entities. A Security Rule specifically defines security standards for the management of health information in electronic form (ePHI) by covered entities.
The Health Information Technology for Economic and Clinical Health (HITECH) Act (2010) and the HIPAA Omnibus Rule (2013) strengthen HIPAA’s privacy and security rules and toughen the penalties for breaches of patient privacy and health information security.
It’s important to note that covered entities are bound by HIPAA’s privacy standards even if they contract with others to perform some of their essential functions. In other words, your responsibilities and liabilities under HIPAA extend to all your business associates. This includes labs, billing offices, clinical services, and the like. It also includes the providers of your cloud-based IT services.
Don’t assume that all business email systems are compliant. Many systems, including several well-known brands designed for professional or even enterprise-level use, are not.
Chances are, your internal email is safe on your own secure servers. And your email to and from third parties, including all email that qualifies under HIPAA as containing PHI, is probably encrypted, as required by the law. But encryption is not enough.
The HIPAA requirements for your email system and practices fall into three main categories:
And remember, the same requirements apply to covered entities with whom you communicate and share protected information via email. In fact, they apply to any and all persons and organizations to whom you outsource any function essential to your business, especially cloud IT providers.
Of course, your handling and use of confidential patient health information is not just a matter of email content and attachments.
Ours is an age of digital health records and specialized, collaborative health care and administration. To deliver the best care efficiently and economically, multiple parties, both within and outside your organization, need access to your patients’ electronic health information. But that imposes a complex set of requirements on your IT systems, including:
It’s not as if you wouldn’t want total command and control of your email, patient information, and other systems in any case. It’s just that, under HIPAA, it’s the law—and a very exacting law at that.
Again, it goes beyond email. Under HIPAA regulations, you must be able to track and report on all emails sent outside your network. But you also have to track and verify access to ePHI at every attempt. In fact, you must have systems and procedures in place to record and analyze all activity in your systems that store or use ePHI.
Such audit and reporting capabilities are not just your responsibility. They are also your best protection. They enable you to maintain your systems’ performance and compliance at peak levels and spot vulnerabilities before they blossom into problems. And they give you the data you need to demonstrate your compliance in the event of an external audit or inquiry.