Is My Email HIPAA Compliant?
HIPAA compliance is daunting at best. As we move forward in a technologically adept society, the idea of being HIPAA compliant is thrust upon practices. With reports of large data breaches, and even greater privacy concerns, what should a practice know about compliance?
What is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. Congress designed HIPAA to:
- Provide the ability to transfer and continue health insurance coverage for workers and their families as their job situation changed
- Reduce the fraud and abuse in healthcare
- Create industry-wide standards for healthcare information in electronic billing and other mandated processes
- Require the protection and confidential handling of protected health information
How does this pertain to email?
Email is affected because it may contain protected health information (PHI) transmitted via an electronic medium. As such, the information requires protection and confidential handling. Sending sensitive personal information electronically to other providers, insurers, or your clients involves HIPAA compliance.
What makes email HIPAA compliant?
Unfortunately, this is a very complicated question. In fact, it’s complicated enough that the American Dental Association has stated that each practice should “retain licensed qualified counsel to advise you on the specifics” of HIPAA compliance. Fortunately, the ADA provides a Complete Compliance Kit at a cost.
Our email provider
The recommendation from the ADA is supported by Roadside Dental Marketing’s email provider, Rackspace, who commented that compliance essentially “ends up resting on how the users actually manipulate or use the data.” Rackspace further commented that they “cannot ever conclusively say yes, you are compliant. [Their] legal team simply will not allow [them] to because of the implications user manipulation has.” According to Rackspace, many of their clients, large and small, use the email systems and consider themselves compliant. As such, Rackspace indicated that the responsibility to determine that compliance rests solely on that client’s legal team.
Is my email HIPAA compliant?
The answer is most likely no. While the technology you are using can be deployed within a HIPAA-compliant infrastructure, the vast majority of the compliance burden lies with the practice and its users.
Compliance essentially “ends up resting on how the users actually manipulate or use the data.” – Rackspace
HIPAA-compliant email requires both a secure platform and strict processes with auditing.
What we can say is that our provider, Rackspace, has made a document available which outlines its responsibilities and obligations for the system.
So, if you are still in a quandary about your compliance, it might be time to evaluate how and when to properly use email communication, draft some processes, and seek legal counsel to make certain that you are adequately protecting your practice.
This post was originally published in 2016 and has been updated for accuracy and comprehensiveness.