The news of recent account breaches at major free email providers brings into focus the importance of using HIPAA compliant email services. One free email provider admitted to over a billion user accounts being compromised. More recently the same email provider found and patched a security weakness that allowed users’ email accounts to be accessed by foreign hackers without the user’s knowledge using forged cookies.
Some of these email providers are also known to use data gleaned from scanning emails that run through their systems. Did you ever wonder why it was free? Data is mined for marketing, among other things.
Healthcare providers often need to send and receive information between themselves, patients, billing services and insurance providers using email. These emails and file attachments sometimes contains patient health information covered by HIPAA regulations.
HIPAA regulations require three things regarding PHI in email:
1. The provider is responsible to make sure that email is handled securely by everyone involved.
2. That the patient be made aware of the risks of email and consent to their PHI being sent by email.
3. Any outside contractor involved in the provider’s email must sign a business associates agreement or BAA indicating that they will follow the same security standards required of the provider.
Not only are you responsible for security on your end of the email transaction, but potentially at the other end if the recipient is not the patient and is using a non-compliant system. Violations can cost businesses up to $250,000 and individuals 10 years in prison per incident.
If you do not handle email internally on your own server, the solution is to use paid versions of these email services that have a BAA, or Business Associate Agreement stating clearly what technical and administrative security precautions are in place. Paid email services also do not scan your email.
In addition, end to end encryption should be employed to reduce risk when sending to potentially unsecure recipients or sending to an incorrect email address. This is done using a service that encrypts the email before it leaves until after it arrives at the destination. Email sent through these services cannot be captured in transit, opened with a hacked email account, and is unreadable to recipients who may have received the email by mistake.
Although it is tempting for small providers to use free services, it is very risky and can be expensive if their communications are compromised.