Most health care providers and medical practices understand the basics of HIPAA compliance but often miss critical technical or operational details that leave them out of compliance. These technical details are far from inconsequential. Take the example of email. Many health care organizations (covered entities) make very dangerous and inaccurate assumptions about email that leave them out of compliance:
Free Email Providers
Free email accounts from all major providers do NOT offer HIPAA compliance. Many non-technical people assume that because they have an account with Google, Microsoft or Yahoo they are compliant – this couldn’t be further from the truth. None of these providers offer HIPAA compliance with a FREE email account. They do have products (Google & Microsoft) that come closer to compliance, but those are paid, and they still don’t cover the issue of secure file transfer. Additionally, a signed BAA (Business Associate Agreement) is required.
Email is Not Secure File Transfer
Most health care IT users treat email as the de facto method for file transfer. This would be fine if they were sending non-health care information, but they most often use email to send patient records, X-rays, and other PHI unencrypted. Unfortunately, this is a blatant HIPAA violation, as PHI needs to be encrypted in transit and at rest. Security concerns aside, email isn’t an effective means of file transfer in the first place, as it generally doesn’t handle larger files well. Secure file transfer options abound that solve this for anyone needing to send PHI digitally.
SSL/TLS is “Compliant”
Many erroneously believe that free email accounts are HIPAA compliant because they use SSL/TLS. The use of SSL/TLS doesn’t make these offerings compliant. Your email data needs to be secured in transit AND at rest. In the case of these free accounts, it is not secured at rest as it needs to be for HIPAA compliance. Again, there are paid offerings from both Google and Microsoft which do bring you closer to HIPAA compliance for email but they still lack secure file transfer options.
BAA Makes it ALL OK
A business associate is any person or organization, other than a direct member of the covered entity’s workforce, that provides services or functions on behalf of the covered entity. All business associates should have a formal written agreement with the covered entity regarding their use and/or disclosure of PHI (Protected Health Information). However, everyone should acknowledge that having a BAA with a provider doesn’t magically provide HIPAA compliance. We still have to actively take the technical and operational steps to bring ourselves into compliance. In the case of email, even paid options from the larger providers don’t solve the secure file transfer issue and leave users with a gaping compliance hole.
The long and short of HIPAA compliance is that it requires a very detailed and ongoing review of policies, procedures and technologies to reduce non-compliance risks and costs. There is no “silver bullet” or “easy button”; it simply requires a knowledgeable, impartial and honest partner to bring you there. If this post raised any questions, feel free to contact us or comment below. Given the costs of compliance violations, the damage to business reputation, and the real-world financial costs – it makes sense to get compliance right from the outset.