Is Your Email HIPAA Compliant? (Probably Not)
As we come to the end of a long 2016 election season, there has been much discussion about email hacking. Unfortunately, this is not just limited to political campaigns. If you’re a medical practice using Yahoo for business emails, you should be worried about their most recent data breach. More than 500 million accounts were affected and while that’s bad news for anyone using Yahoo’s email service, it could be even worse if you’re a healthcare practice sending and receiving protected health information (ePHI), as it puts you in violation of HIPAA compliance.
If you’re using Yahoo, AOL, Hotmail, or Gmail’s free version to send emails, or Dropbox to share documents, you’re not in compliance with HIPAA. In order for your email provider to be HIPAA compliant, your email and file sharing service must sign a HIPAA Business Associate Agreement (BAA). Yahoo, AOL, Hotmail, and Dropbox will not sign such an agreement and neither will Google unless you’re using their paid G Suite (formerly Google Apps for Business).
If you are found to be in violation of HIPAA, fines can be up to $100 per ePHI email sent over a non-compliant service. You may think your practice is too small to worry about HIPAA fines but that’s not true, as Phoenix Cardiac Surgery found out in April 2012. The five-physician practice was hit with a $100,000 fine for failing to obtain a BAA with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.
How do I become compliant? Now that you’re aware of how serious the fines can be, you probably want to know how you can get your email and documents compliant. As we mentioned earlier, you need to get a BAA signed by the service providers. The two best service providers are going to be Microsoft with their Office 365 platform and Google with their G Suite platform. Both providers will sign a BAA and both offer email and document storage/sharing solutions.
Of the two platforms, we would recommend Google’s G Suite. It’s cheaper, more compatible, and has an app marketplace that lets you add functionality beyond the built-in solutions, although you will have to check that these external services offer HIPAA compliance, as well.
Beyond the obvious benefits of becoming HIPAA compliant, Google’s G Suite will also allow you to use your domain as an email address. No more using “firstname.lastname@example.org”, which comes off as unprofessional - instead, you’ll be able to create multiple email addresses using “@mypractice.com”, which will inspire confidence in your patients and professionalism to your vendors and business partners.
Our goal at CHS is to not only provide the best recruiting services to our clients, but also to pass on helpful information to make your practice as successful as it can be and we hope you’ve learned something today that you may not have known before!
Signing off (from G Suite, of course),
The Team at CHS