Sending and receiving electronic Protected Health Information (ePHI) through email can be a safe and effective way to share patient records and sensitive information with other providers, insurers and patients.
But it’s dangerous when providers don’t understand the details of the HIPAA law.
Every day, at least one healthcare data breach is reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) [1], which is responsible for enforcing the HIPAA Privacy and Security Rules.
OCR Director Roger Severino said the agency’s record year for HIPAA enforcement “underscores the need for covered entities to be proactive about data security, if they want to avoid being on the wrong end of an enforcement action.” [2] OCR enforces civil and criminal corrective actions, which may include fines, jail time and even practice closure.
The good news is that it’s easy to stay on the right side of the law. Make sure you follow HIPAA requirements by remembering what the acronym “ACTUAL” stands for: the six requirements for compliance.
- Authenticate Recipients
- Control Access
- Transmit Securely
- Unaltered Records
- Audit Every Message
- Lock ePHI for 6 years
Here’s a closer look at what the six requirements for your secure email exchange mean.
- Authenticate Recipients: Your email system should automatically verify that the doctor you’re sending ePHI to is a registered provider. Look for an email provider whose platform is built on the DIRECT protocol, which is approved by the federal government for provider verification.
- Control Access: Only authorized users should be able to access the content of emails. Your system should have mechanisms in place for automatic user log-off and encryption (scrambling the message content so hackers can’t read it).
- Transmit Securely: Encryption is critical. The higher the level, the more secure your ePHI. For example, if your email exchange has a 2048-bit encryption level, it would take quadrillions of years to break the encryption using today’s technology. [3]
- Unaltered Records (Stored): All your patient information must be stored safely, in a way that it can’t be altered or lost. HIPAA-compliant, cloud-based backup systems keep your ePHI on HIPAA-compliant servers located around the country. In the rare event that one location is compromised, the other backup locations have you covered.
- Audit Every Message: If you get audited, you’ll be required to produce a detailed audit trail of all emails containing ePHI. It’s unusual to find email services that will make this accommodation, so be sure your vendor definitively states it can produce and deliver an official HIPAA audit trail on very short notice. This is critical: anyone can submit an anonymous HIPAA complaint against your practice, and the OCR can audit any practice at any time.
- Lock Records for 6 Years: This requirement goes hand in hand with numbers 4 and 5. Your records need to be securely stored, so that PHI cannot be altered or lost, for a minimum of six years.