1) You Don’t Have Patient Consent<\/h2>\n
The U.S. Department of Health and Human Services (HHS) has given explicit guidance<\/a>, on several occasions, that patients and providers can use unencrypted email for protected health information (PHI), so long as the patient is aware of the security risks and still prefers email over other communication options.<\/p>\n The flip side of this\u00a0guidance is that a failure to meet any of\u00a0its stated criteria implies an immediate HIPAA violation. So ask yourself, for every patient you’re emailing:<\/p>\n Patient\u00a0preference is a powerful tool for HIPAA compliance, but that also means that its absence is a powerful liability. Don’t skip this easy compliance step.<\/p>\n Business Associate Agreements<\/a> (BAAs) are\u00a0important legal documents\u00a0that are required by HIPAA and that help ensure that your business partners treat your\u00a0patients’ PHI with the same care and dedication that HIPAA requires of you. In the case of email, you want to know that your email provider has systems in place, such as modern encryption,\u00a0to safeguard your important data, and a BAA will put those assurances in writing.<\/p>\n Even if you have patient consent to use insecure email, skipping out on getting a BAA with your email provider may put you in violation of HIPAA. Your patient\u00a0may have agreed to the technical limitations of email, but they haven’t given you a free pass to ignore\u00a0other HIPAA requirements, such as the administrative and legal safeguards that a proper BAA would provide.<\/p>\n It’s simple to do, and you should have a signed BAA with your email provider.<\/p>\n Surprise! This may be the “gotcha” item for many of you, so read carefully. At Spruce, we hear from many providers\u00a0who “have secure email with a BAA,” but it often turns out that what they actually have is\u00a0regular<\/span> email with a BAA.<\/p>\n It is common for email providers to offer a BAA that covers their storage and internal handling of your PHI but that leaves all responsibility for message transmission on you, the user. This isn’t malicious; it’s just a reflection of the email provider’s inability to control the Internet beyond its own walls. Despite recent advances, standard email transmission is fundamentally unencrypted and insecure, so no company will sign a BAA that promises otherwise. Unfortunately, you’re still responsible for\u00a0message transmission under HIPAA, so you can’t ignore this omission.<\/p>\n The most notable example of this disconnect may be the BAA that Google signs for email under its G Suite product offering<\/a>. It’s a legitimate BAA that you should absolutely sign if you use the service, but it doesn’t\u00a0provide coverage for emailing people outside of your own practice, such as, say, your patients.<\/p>\n Don’t get caught misinterpreting what your BAA\u00a0will protect you from and what it won’t; it is extremely easy to violate HIPAA and endanger your patients’ PHI by using an email service that has a completely valid BAA in place.<\/p>\n The HIPAA regulations devote a good amount of attention to specific “technical safeguards<\/a>” that should be in place for systems that interact with electronic PHI. While not all of these security measures\u00a0are absolute requirements under the law,\u00a0standard email clearly fails to meet even\u00a0a lenient interpretation of the criteria.<\/p>\n Happily, email technology has been progressing over the past few decades, and there are now measures that you can take to make your use of email more secure. Even if you have\u00a0your patients’ consent to use “insecure” email, there is still a good argument that you should do your best to minimize every security risk that you can, and not doing so could easily constitute a HIPAA violation.<\/p>\n Check out our recent deep dive on HIPAA and email<\/a> to learn more about the technical safeguards that you now have available and should investigate.<\/p>\n You might be ahead of the game on email security. Maybe you know all about TLS, SPF, DKIM, DMARC, and other alphabet-soup Internet security acronyms. Maybe you even use a fully end-to-end\u00a0encrypted email system. You could still, however, be violating HIPAA with your email.<\/p>\n Technical safeguards are not the only type of safeguards required by HIPAA, so having a perfect set of them won’t automatically make you compliant; the regulations also focus on “administrative” and “physical” safeguards, and both of these are critical to any HIPAA effort.<\/p>\n Administrative safeguards are, broadly, documented workflow policies that you follow to ensure the safety of PHI. One well-known administrative safeguard is\u00a0the principle of\u00a0communicating\u00a0only the “minimum necessary” amount of information for a given interaction, ensuring that PHI exposure is kept low\u00a0even if there is a technical breach. Other administrative safeguards include having a privacy officer, performing internal risk analyses, and keeping up with\u00a0regular policy checkups. HIPAA requires all of these and more, but they don’t have to be onerous; learn more in our HIPAA compliance checklist<\/a>.<\/p>\n Physical safeguards are, unsurprisingly, controls that you put in place around the physical security of your patients’ PHI. For email, this generally means considering the physical location of any downloaded emails that you have. Are they stored on a laptop? Who has access to the room it’s in?<\/p>\n Technical safeguards may be the most obviously important HIPAA requirements for email, but a complete approach to compliance will also consider administrative and physical safeguards, as well as the rest of the HIPAA regulation as a coherent whole. Cherrypicking criteria to follow will not lead to compliance.<\/p>\n Some healthcare providers\u00a0attempt to comply with HIPAA by\u00a0limiting their email use to\u00a0information that does not constitute PHI. This is, in theory, a workable strategy, but it can be devilishly hard to use in practice.<\/p>\n Per HHS, HIPAA protects most “individually identifiable health information<\/a>,” including\u00a0demographic data, payment information, and contact details, depending on context.\u00a0Since the use of personal addresses makes email inherently “individually identifiable,”\u00a0you must then be extremely careful to ensure that your message content does not rise to the level of “health information.”<\/p>\n If you\u00a0run a general practice clinic, for example,\u00a0HIPAA might allow you to send\u00a0your entire\u00a0patient panel a generic email\u00a0about\u00a0flu\u00a0vaccines without it being\u00a0PHI, as it\u00a0would not be “health information” about any specific person. If your practice specializes in cosmetic plastic surgery, on the other hand, you might\u00a0not even be able to send a monthly newsletter, as there could be an argument that simply identifying people as patients of your practice would constitute\u00a0health information.<\/p>\n When it comes to PHI, the line is blurry, the bar is low, and the consequences\u00a0are steep. In further HHS guidance, the department states that even “an indication that the individual was treated at a certain clinic” can be\u00a0PHI. You might\u00a0be comfortable using email for non-PHI purposes, but it can be exceptionally hard to determine exactly what those are.<\/p>\n You might have\u00a0a patient’s consent to email with them about\u00a0PHI, but that\u00a0allowance does not extend\u00a0to your interactions with anybody else, including other healthcare providers. Communication with anybody other than the patient or their explicitly designated third-parties should be fully compliant with all\u00a0aspects of HIPAA, and anything else is likely to be a HIPAA violation.<\/p>\n Since standard email is, nearly by definition, not compatible with many HIPAA regulations, you should avoid it by default whenever you need to communicate\u00a0PHI to anybody who is not the exclusive subject of that PHI and who hasn’t consented specifically to its use.<\/p>\n Email can certainly be used in a HIPAA-compliant manner, but it may not be worth the trouble. Instead, many modern communications solutions are now available specifically for healthcare, and they make HIPAA compliance simple while also enabling secure messaging, telemedicine, access logging, team collaboration, and many other advanced features that email will never\u00a0natively support.<\/p>\n Of course, Spruce is one of these solutions. \ud83d\ude09<\/p>\n Our software platform supports\u00a0email, too, but we think that the healthcare communication world is so much bigger and richer\u00a0than simple email.\u00a0Check Spruce out<\/a>, and let’s figure out what your medical communication goals are and how we can help you reach them. Yes, including email, if you really want it.<\/p>\n\n
2) You Don’t Have a BAA<\/h2>\n
![\"\"](\"https:\/\/sprucehealth.com\/blog\/wp-content\/uploads\/2017\/10\/signing.jpg\")
<\/p>\n3) You Have a BAA but It Doesn’t Cover What You Think It Does<\/h2>\n
4) You Haven’t Thought About Your “Technical Safeguards”<\/h2>\n
![\"\"](\"https:\/\/sprucehealth.com\/blog\/wp-content\/uploads\/2017\/10\/computer.jpg\")
<\/p>\n5) You’ve Only Thought About Your “Technical Safeguards”<\/h2>\n
6) You’re\u00a0Sending\u00a0PHI but Not Realizing It<\/h2>\n
7) You’re Emailing Someone Other Than the Patient<\/h2>\n
\nAlternatives to Email<\/h2>\n
![\"\"](\"https:\/\/sprucehealth.com\/blog\/wp-content\/uploads\/2017\/09\/download_spruce.png\")
<\/a><\/p>\n