Keep HIPAA Communications Compliant

When regulations within the Health Insurance Portability and Accountability Act (HIPAA) were enacted by the Final Omnibus Rule in 2013, the matter of HIPAA compliance for email was discussed as a possible security problem. As all electronic protected health information (ePHI) now has to be encrypted, it was questioned whether that encryption was sufficient to maintain HIPAA compliance when sending emails.

The questionable use of sending emails with ePHI and whether it complied with HIPAA

Emails and HIPAA Regulations

According to the US Department of Health and Human Services website, the revised rules about HIPAA compliance when sending emails do not prohibit the use of emails when sending ePHI, and at first reading, the regulations regarding HIPAA compliance for email would suggest sending encrypted ePHI by email is acceptable – although it would be necessary for both the sender and the recipient to have the same encryption software.

However, organizations are now required to introduce policies and procedures to guard against unauthorized access to ePHI, and should be aware that copies of emails containing ePHI are stored on routing servers – with no means of deleting them remotely should an unauthorized party with the same encryption software gain access to them.

Therefore, the issue of how to maintain HIPAA compliance for email communications still exists. Furthermore, even though the new legislation categorized HIPAA compliance when sending emails as an “addressable” regulation, it was not intended that sending emails within the HIPAA regulations was “optional”; it is an issue that organizations have to deal with if they are to avoid severe financial penalties should a breach of ePHI occur.

How to Ensure HIPAA Compliance for Email

The most appropriate method of maintaining HIPAA compliance when sending emails is to use a secure messaging system. Secure messaging systems ensure HIPAA compliance for email by containing the encrypted ePHI within a virtual private network that has the facility to attach “message lifespans” to communications of ePHI and to delete them remotely.

The messaging systems operate in exactly the same way as email, with the functionality to attach documents, test results and images; but usage is centrally monitored so that it adheres to the organization's policies for communicating ePHI and to the HIPAA regulations.
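As an added illustration (not code from the original article or from any particular secure messaging product), the following Python sketch models the two properties the text attributes to secure messaging systems: a message lifespan after which the ePHI is no longer readable, and remote deletion (revocation), with every access attempt written to a central audit log so that usage can be monitored. The user names, the sample lab-result text and the time values are constructed; encryption of the payload and the network transport are assumed to be handled by the platform and are not shown.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed fixed "now" so the example is deterministic.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


@dataclass
class Message:
    msg_id: str
    sender: str
    recipient: str
    body: str            # ePHI payload; assumed encrypted at rest by the platform
    expires_at: datetime  # the "message lifespan": unreadable from this instant
    revoked: bool = False  # set by remote deletion


@dataclass
class SecureMessageStore:
    """Central store: lifespans, remote revocation, and an audit log of every access."""
    messages: Dict[str, Message] = field(default_factory=dict)
    audit: List[Tuple[datetime, str, str, str]] = field(default_factory=list)
    _counter: int = 0

    def _log(self, when: datetime, actor: str, action: str, msg_id: str) -> None:
        self.audit.append((when, actor, action, msg_id))

    def send(self, sender: str, recipient: str, body: str,
             lifespan: timedelta, now: datetime = T0) -> str:
        self._counter += 1
        msg_id = f"msg-{self._counter}"
        self.messages[msg_id] = Message(msg_id, sender, recipient, body, now + lifespan)
        self._log(now, sender, "sent", msg_id)
        return msg_id

    def read(self, reader: str, msg_id: str, now: datetime = T0) -> Optional[str]:
        """Return the body only to the intended recipient, before expiry, if not revoked."""
        msg = self.messages.get(msg_id)
        if (msg is None or msg.revoked or now >= msg.expires_at
                or reader != msg.recipient):
            self._log(now, reader, "denied", msg_id)
            return None
        self._log(now, reader, "read", msg_id)
        return msg.body

    def revoke(self, admin: str, msg_id: str, now: datetime = T0) -> bool:
        """Remote deletion: the message becomes unreadable on every device at once."""
        msg = self.messages.get(msg_id)
        if msg is None:
            return False
        msg.revoked = True
        self._log(now, admin, "revoked", msg_id)
        return True

    def purge(self, now: datetime = T0) -> int:
        """Physically remove expired or revoked messages; returns how many were removed."""
        dead = [m for m, msg in self.messages.items()
                if msg.revoked or now >= msg.expires_at]
        for m in dead:
            del self.messages[m]
            self._log(now, "system", "purged", m)
        return len(dead)

    def denied_attempts(self) -> List[Tuple[datetime, str, str, str]]:
        """What a compliance officer would review: every refused access."""
        return [e for e in self.audit if e[2] == "denied"]


def revocation_demo() -> dict:
    """Constructed scenario: wrong reader is refused, then the message is revoked remotely."""
    store = SecureMessageStore()
    mid = store.send("lab-tech", "dr-smith",
                     "Potassium 5.9 mmol/L (constructed sample)", timedelta(hours=1))
    first = store.read("dr-smith", mid, T0 + timedelta(minutes=10))
    wrong_reader = store.read("dr-jones", mid, T0 + timedelta(minutes=11))
    store.revoke("privacy-officer", mid, T0 + timedelta(minutes=20))
    after_revoke = store.read("dr-smith", mid, T0 + timedelta(minutes=21))
    purged = store.purge(T0 + timedelta(minutes=22))
    return {"first": first, "wrong_reader": wrong_reader, "after_revoke": after_revoke,
            "purged": purged, "remaining": len(store.messages),
            "denied": len(store.denied_attempts())}


def expiry_demo() -> Tuple[bool, bool, int]:
    """Constructed scenario: a 30-minute lifespan elapses without any manual action."""
    store = SecureMessageStore()
    mid = store.send("nurse-lee", "dr-smith", "Hand-off note (constructed)",
                     timedelta(minutes=30))
    before = store.read("dr-smith", mid, T0 + timedelta(minutes=29))
    after = store.read("dr-smith", mid, T0 + timedelta(minutes=30))
    return before is not None, after is None, store.purge(T0 + timedelta(minutes=30))


if __name__ == "__main__":
    print(revocation_demo())
    print(expiry_demo())
```

The contrast with the routing-server problem described above is the `purge` step: because the store is central, an expired or revoked message can actually be removed everywhere, whereas copies of an email left on intermediate servers cannot be recalled. The `denied_attempts` view is the kind of record central monitoring produces for review.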

One of the major benefits of transmitting ePHI via secure messaging systems is that the systems are compatible across multiple mobile devices and platforms, so healthcare professionals and third-party healthcare service providers can each communicate via their personal smartphones, PDAs, laptops or tablets without the risk of an ePHI breach.

Case studies have shown that organizations have maintained HIPAA compliance for email by integrating a secure messaging system, and that secure messaging has helped reduce costs and increase efficiency, which has resulted in higher standards of healthcare provided to patients. The benefits of secure messaging include:

  • Enhanced nurse to doctor communications
  • Faster delivery of critical lab results by laboratory technicians
  • Immediate retrieval of ePHI “on-the-go” for medical professionals
  • Efficient patient hand-offs by hospital administrators
  • Accelerated resolution of patient concerns by home healthcare and emergency clinicians

Ref: Omnibus Rule 2013

  1. Neatherlin, HIPAA compliance for email