Do the words “HIPAA compliance” make your eyes roll? When it comes to emailing Protected Health Information (PHI), HIPAA compliance doesn’t need to be complicated (or pricey).
First, you’ll need to ask your email exchange vendor if it meets all five HIPAA technical safeguards required by law. Keep the following in mind.
The “big guys” aren’t HIPAA compliant right out of the box.
Using a service like Gmail, Yahoo!, or Outlook to send PHI may seem easy, but to actually fulfill HIPAA rules, these services require multi-layered modifications that eat up time and cash.
Advertising can be misleading.
You’ll see many ePHI services, especially free ones, advertised as “HIPAA compliant” because of their encryption levels. Encryption alone does not equal compliance. It’s only one of the federal government’s five technical safeguards you must fulfill.
Make Sure You Have These Five Things.
1. Adequate Encryption Size
When you send an email with PHI, encryption protects that information as it travels between you and the people you’re sending it to. The minimum required encryption level is 256-bit. The best encryption level is 2048-bit.
2. A Business Associate Agreement (BAA)
It’s your responsibility to acquire BAAs from all your vendors. For example, if you’re using Gmail, then Google is your vendor. Google can provide BAAs, but you have to know to ask for them. A truly HIPAA-compliant vendor automatically provides you with this agreement.
3. Assurance You’re Emailing PHI to a Legitimate Provider
Your secure email system needs to verify that the providers you’re sending to are actually who they say they are. The government recommends using an email service built on the DIRECT protocol, which meets the federal standard for provider verification.
4. Assurance No Email You Send or Receive Can Be Accessed By Others
A truly secure email provider will not be able to access the content of your emails for data gathering, marketing or advertising. (On your side of things, make sure your logins are secure and that your team members are automatically logged off when they aren’t using the computer.)
5. Audit Readiness
In case you get hit with a HIPAA audit, make sure the service you’re using can immediately provide a detailed audit trail of every email exchange of PHI from the past six years. That’s right—every message sent in the last six years.
Too Good to Be True?
If it’s free and boasts encryption as a full solution, but falls short of any of the five technical safeguards, then it’s too good to be truly HIPAA compliant.
iCoreConnect’s solution, iCoreExchange, costs $22.50/mo/subscription.
More information on HIPAA compliance requirements and options for dental professionals is available at iCoreConnect.com.