
Readers Write: Three Common Email Security Compliance Misconceptions That Are Putting Healthcare Organizations At Risk

Readers Write, August 25, 2021

By Hoala Greevy

Hoala Greevy is founder and CEO of Paubox of San Francisco, CA.


HIPAA violations are rapidly increasing. In 2020 alone, there were 188 PHI-related data breaches via email, a 17% increase from 2019. As healthcare organizations look to stay competitive in the rapidly evolving digital landscape, they continuously search for more efficient and secure ways for employees and patients to communicate. HIPAA’s top priority is to protect a patient’s protected health information (PHI), and it requires covered entities to take reasonable steps to accomplish this.

With the proper encryption and well-trained staff, email is an effective method to communicate with patients about their health. However, misconceptions about the difficulties or feasibility of HIPAA-compliant email often keep healthcare organizations using outdated communication tools like fax machines and the postal service to share PHI with patients. Providers shouldn’t let common misconceptions about email deter them from using it.

Misconception #1: You can’t send an email and maintain HIPAA compliance. HIPAA does not prohibit the transmission of PHI via email. In fact, according to the HIPAA Security Rule, healthcare providers may adopt new technologies, including email, as long as they:

  • Ensure the confidentiality, integrity and availability of PHI.
  • Identify and protect against reasonably anticipated threats.
  • Ensure employee compliance with HIPAA.

Email is perfectly acceptable as long as it is encrypted in transit and at rest. Under HIPAA, encryption is an “addressable” way to secure email rather than being required. However, since there is no other effective method to secure email besides encryption, it is de facto a requirement.

Misconception #2: HIPAA-compliant email has to be difficult to use. Most email security solutions require employees to take several steps to encrypt a message, such as putting a special keyword in the subject line to trigger encryption. Recipients might also need to jump through hoops to read a message, such as creating an account to log into a patient portal.

These extra steps leave plenty of room for human error. An employee might not remember to encrypt an email containing PHI, or they might simply put a typo in the subject line keyword. A recipient can easily forget their password, requiring them to reset it the next time they have a message waiting from their doctor.

However, there are alternative methods that don’t require any extra steps from a patient or a provider. The safest way to ensure staff uses email in a HIPAA-compliant manner is to partner with a HITRUST CSF-certified email security provider that encrypts all outbound email by default and sends messages directly to patients’ inboxes. That way, staff doesn’t need to decide which emails to encrypt, and recipients don’t need to worry about logging into a portal to read their messages.

By eliminating extra steps, healthcare organizations can easily and safely use email while remaining HIPAA compliant, allowing providers to focus on patients rather than on encrypting messages.

Misconception #3: Extra steps increase email security. People often think that the harder something is to do, the more secure it must be. However, email solutions that include extra layers of complexity to send and read a message provide people with a false sense of security.

Patient portals, for example, give the appearance of more privacy as they require a separate login and password. However, portals also involve an email component to access messages. Although they might appear to be harder to break into, portals are only as secure as the email address they are associated with. Ultimately the number of steps in a process doesn’t dictate the security it provides.

Misconceptions like these have limited email’s adoption throughout the healthcare industry, but it need not be so. With a clear understanding of how to secure messages and maintain compliance, organizations can partner with a HIPAA-compliant email provider that is both easier to use and more secure than solutions that rely on security theater to lull their customers into a false sense of security.




Comments on this article:

  1. This just seems like an advertisement to sell a product for something that was solved 10 years ago.

    Nearly everyone already has a solution for this, and the shade thrown at the competition without any evidence doesn’t seem worthy of a blog post.

  2. I’m confused as to why the author believes “The safest way to ensure staff uses email in a HIPAA-compliant manner is to partner with a HITRUST CSF-certified email security provider that encrypts all outbound email by default and sends messages directly to patients’ inboxes.” solves the compliance problem.

    When that provider’s email is sent from the HITRUST CSF to my Gmail account, any number of Google employees can read that email. Even if Google says they can’t (we know they can because they send email content in response to federal subpoenas and court orders all the time), neither the provider nor the recipient can prove the message wasn’t viewed or tampered with in transit or on Google servers. Therefore, data confidentiality and integrity are not assured.

    It isn’t that this example is likely to happen at all; the problem is that it can’t reasonably be demonstrated that it can’t happen.

    If I send a message to a recipient, and notify that recipient that they can read the message on a server that I control (or vendor I have a BAA with), then per HIPAA it is reasonable for me and the recipient to believe that data confidentiality and integrity have been maintained.
