Use caution when sending patient information via email
Guidelines for complying with HIPAA privacy and security rules
Contrary to common assumptions, the Health Insurance Portability and Accountability Act (HIPAA) does not strictly require encryption to secure your patients' private medical data (electronic protected health information, or ePHI). Under the HIPAA Security Rule, encryption of ePHI at rest and in transit is an "addressable" implementation specification rather than a "required" one: you must assess whether it is reasonable and appropriate for your environment, and implement it if so.
WARNING: IF YOU STOP READING NOW AND SIMPLY DECIDE THAT YOU DO NOT NEED ENCRYPTION, YOU MAY WAKE UP ONE DAY TO THE WORST FINANCIAL AND PUBLIC RELATIONS NIGHTMARE IMAGINABLE. SO, READ ON...
If you determine that encryption is not reasonable and appropriate, then you must document your rationale for that decision and implement an equivalent alternative measure that is reasonable and appropriate. "Addressable" does not mean "optional": you must either encrypt or be able to show a documented, defensible reason why you did not. In practice, ePHI transmitted via email should be encrypted, because there is rarely a credible alternative measure for a message that leaves your network.
Sending unencrypted email is like sending a postcard. The email (postcard) has no envelope, and anyone who handles it can read the contents. The digital case is worse: every mail server and network hop between sender and recipient can read or copy the message, and copies persist in mailboxes and backups on both ends. Encrypting the email content is like sealing it in an envelope that only the recipient can open. Note the distinction between encrypting the connection between mail servers (TLS), which protects only that hop, and encrypting the message content itself, which protects it on every server it passes through and wherever it is stored.
Not using encryption is too risky for your patients' ePHI. It is even riskier for your business. Under the breach notification rule of the Health Information Technology for Economic and Clinical Health (HITECH) Act, every breach of unsecured ePHI (ePHI that was not encrypted in accordance with HHS guidance) requires you to provide time-bound notifications to: (1) affected patients; (2) the Secretary of HHS (i.e., the federal government); and (3) for a breach affecting more than 500 residents of a state or jurisdiction, prominent local/state media outlets. Properly encrypted ePHI, by contrast, is considered "secured," so the loss or interception of an encrypted message is not a reportable breach. This safe harbor is the strongest practical argument for encrypting ePHI in email.
What about using Yahoo, AOL or free Gmail to send ePHI? The HIPAA Omnibus Rule made clear that the definition of a HIPAA Business Associate covers cloud providers that create, receive, maintain or transmit ePHI on a covered entity's behalf, including Google, Yahoo, AOL, Amazon, Microsoft and Dropbox. A Covered Entity may place ePHI with such a provider only under a signed Business Associate Agreement (BAA). Unfortunately, Yahoo and AOL will not sign a BAA. Google, Microsoft and Dropbox will sign a BAA, but only for their paid business services, not for free consumer accounts. Keep in mind that a BAA governs how the provider handles your ePHI; it does not by itself encrypt a message once it leaves that provider for a recipient on a different mail system.
It is therefore a HIPAA violation for a practice to send or store ePHI in a free Gmail, Yahoo or AOL account, because no BAA is in place with the provider.
The best way to protect your patients is to use a solution from a HIPAA-compliant vendor that will sign a BAA. For example, use the secure email service offered by one of your partners, such as securemail.ascensionhealth.org, or sign up for Direct Messaging provided by your EMR/population health registry vendor, Wellcentive.