Readers Write: Three Common Email Security Compliance Misconceptions That Are Putting Healthcare Organizations At Risk
By Hoala Greevy
Hoala Greevy is founder and CEO of Paubox of San Francisco, CA.
HIPAA violations are rapidly increasing. In 2020 alone, there were 188 PHI-related data breaches via email, a 17% increase from 2019. As healthcare organizations look to stay competitive in the rapidly evolving digital landscape, they continuously search for more efficient and secure ways for employees and patients to communicate. HIPAA’s top priority is to protect a patient’s protected health information (PHI), and it requires covered entities to take reasonable steps to do so.
With the proper encryption and well-trained staff, email is an effective method to communicate with patients about their health. However, misconceptions about the difficulties or feasibility of HIPAA-compliant email often keep healthcare organizations using outdated communication tools like fax machines and the postal service to share PHI with patients. Providers shouldn’t let common misconceptions about email deter them from using it.
Misconception #1: You can’t send an email and maintain HIPAA compliance. HIPAA does not prohibit the transmission of PHI via email. In fact, according to the HIPAA Security Rule, healthcare providers may adopt new technologies, including email, as long as they:
- Ensure the confidentiality, integrity and availability of PHI.
- Identify and protect against reasonably anticipated threats.
- Ensure employee compliance with HIPAA.
Email is perfectly acceptable as long as it is encrypted in transit and at rest. Under HIPAA, encryption is an “addressable” implementation specification for securing email rather than a “required” one. However, since there is no other effective method to secure email besides encryption, it is a de facto requirement.
Misconception #2: HIPAA-compliant email has to be difficult to use. Most email security solutions require employees to take several steps to encrypt a message, such as putting a special keyword in the subject line to trigger encryption. Recipients might also need to jump through hoops to read a message, such as creating an account to log into a patient portal.
These extra steps leave plenty of room for human error. An employee might not remember to encrypt an email containing PHI, or they might simply put a typo in the subject line keyword. A recipient can easily forget their password, requiring them to reset it the next time they have a message waiting from their doctor.
However, there are alternative methods that don’t require any extra steps from a patient or a provider. The safest way to ensure staff uses email in a HIPAA-compliant manner is to partner with a HITRUST CSF-certified email security provider that encrypts all outbound email by default and sends messages directly to patients’ inboxes. That way, staff doesn’t need to decide which emails to encrypt, and recipients don’t need to worry about logging into a portal to read their messages.
By eliminating extra steps, healthcare organizations can easily and safely use email while remaining HIPAA-compliant, allowing providers to focus on patients rather than on encrypting messages.
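To make the human-error argument concrete, here is an added illustration (not code from the article or from any vendor) that audits a set of constructed outbound messages under the two policies described above: a keyword-triggered policy that encrypts only when staff type an exact subject-line keyword, and an encrypt-everything-by-default policy. The `[SECURE]` keyword and the PHI patterns are assumptions chosen for the example; a real deployment would use its own keyword and detection rules.

```python
import re
from dataclasses import dataclass

# Assumed keyword that a keyword-triggered gateway looks for in the subject line.
KEYWORD = "[SECURE]"

# Assumed, deliberately simple PHI heuristics for the audit (not a real DLP ruleset).
PHI_PATTERNS = [
    re.compile(r"\bMRN[- ]?\d{6,}\b"),                      # medical record number
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                   # SSN-shaped value
    re.compile(r"\b(?:diagnosis|lab results|prescription)\b", re.I),
]


@dataclass
class Message:
    subject: str
    body: str


def contains_phi(msg: Message) -> bool:
    """Return True if any PHI heuristic matches the subject or body."""
    text = f"{msg.subject}\n{msg.body}"
    return any(p.search(text) for p in PHI_PATTERNS)


def keyword_policy(msg: Message) -> bool:
    """Keyword-triggered gateway: encrypts only on an exact keyword match."""
    return KEYWORD in msg.subject


def default_policy(msg: Message) -> bool:
    """Encrypt-by-default gateway: every outbound message is encrypted."""
    return True


def unencrypted_phi(messages, policy) -> list[str]:
    """Subjects of messages carrying PHI that the policy would send in clear text."""
    return [m.subject for m in messages if contains_phi(m) and not policy(m)]


# Constructed sample outbound mail: one correct keyword, one typo, one forgotten keyword, one benign.
SAMPLE = [
    Message("[SECURE] Lab results for visit 03/12", "MRN 00123456 attached."),
    Message("[SECRUE] Lab results", "Your lab results are attached."),   # typo in keyword
    Message("Follow-up", "Your prescription has been renewed."),          # keyword forgotten
    Message("Parking reminder", "Lot B closes at 6pm."),                  # no PHI
]

if __name__ == "__main__":
    print("keyword policy leaks:", unencrypted_phi(SAMPLE, keyword_policy))
    print("default policy leaks:", unencrypted_phi(SAMPLE, default_policy))
```

The same audit can be run against a real outbound mail log to measure how often the keyword step is missed in practice.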
Misconception #3: Extra steps increase email security. People often think that the harder something is to do, the more secure it must be. However, email solutions that include extra layers of complexity to send and read a message provide people with a false sense of security.
Patient portals, for example, give the appearance of more privacy because they require a separate login and password. However, portals also rely on an email component (for notifications and password resets) to access messages. Although they might appear harder to break into, portals are only as secure as the email address they are associated with. Ultimately, the number of steps in a process doesn’t dictate the security it provides.
Misconceptions like these have limited email’s adoption throughout the healthcare industry, but it need not be so. With a clear understanding of how to secure messages and maintain compliance, organizations can partner with a HIPAA-compliant email provider that is both easier to use and more secure than solutions that rely on security theater to lull their customers into a false sense of security.