Is my email HIPAA compliant?

hi experts,

I have Yahoo Plus email set up in Outlook and I use it to email patient forms/information. Is this HIPAA compliant?
Michael Dyer (Senior Systems Support Analyst) commented:
Email in general is not secure. There is really no way to know that the person receiving the email you sent is who you intended. This is especially so in companies whose messaging system is controlled through an IT department.

Often companies have an email policy in place informing employees that they should expect no privacy as it relates to using the company’s email or Internet systems. So, those people handling sensitive information, including discussing diagnoses and treatments for patients, need to be aware that general email has no guarantee of privacy.

Generally HIPAA requires three things when it comes to email:

Strong security:

According to Section 164.314(a) of HIPAA, it is the responsibility of the health care provider to ensure that everyone involved in handling such confidential and personally identifying information complies with the safeguards established by the HIPAA laws. Most providers meet this requirement by adding extra security around email, like secure email, scanning outbound emails for sensitive data, and having a good handle on who is allowed to access email. One way you can do this is to zip up documents with a password and then verbally provide the password to your client.

The HIPAA Omnibus Final Rule released March 18, 2013 states that clients are allowed to authorize communications via email, but to do so the client must be informed of the risks relating to sending protected health information via email before they sign the authorization. Most firms have a consent form that clients must fill out before email can be used. You should include this with the standard forms your client signs, consenting to receiving medical information via email.

Business Associate Agreement:
Many health care providers use a third party (like Gmail, Microsoft, or their IT company) for email. In your case, you are using Yahoo Plus. These firms are referred to by HIPAA as “Business Associates.” These Business Associates are required to sign an agreement that states they will protect a patient’s confidential information with the same high standards required of the health care provider. Yahoo does not sign BAA agreements regarding email.

So, sending any protected health information via email with Yahoo Plus would be a HIPAA violation unless it is attached to the email in an encrypted, password-protected file.
frankbustos (Author) commented:
Thanks Michael for the details. So, what step/solution do you recommend I go with?
Michael Dyer (Senior Systems Support Analyst) commented:
Well, your cheapest option is to use a program like WinRAR to create zipped files with encryption and then email the encrypted file as an attachment and provide the password to your client verbally. The other option is to use a different email service that is HIPAA compliant, but typically you have to pay a monthly service fee for those.

HIPAA does permit faxing of patient information with the patient's consent, so you could also consider just using a fax machine instead of sending email.
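As an added example (not part of this thread or of any product named in it), here is a small Python pre-send check that an outbound mail gateway could run to enforce the advice above: it reads the ZIP central directory and refuses any archive whose members are not flagged as encrypted. The standard-library archive and the flag-flipping fixture are constructed test data; the flag only shows that the archiver applied encryption, not which algorithm, so the archiver itself still has to be configured for AES rather than legacy ZipCrypto.

```python
import io
import struct
import zipfile

# ZIP general-purpose flag bit 0 marks an entry as encrypted (PKWARE APPNOTE).
# It says nothing about strength: legacy ZipCrypto is weak, so the archiver
# (WinRAR, 7-Zip, ...) should be set to AES when protecting PHI.
ZIP_FLAG_ENCRYPTED = 0x0001


def unencrypted_entries(zip_bytes: bytes) -> list[str]:
    """Names of archive members that are NOT flagged as encrypted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if not info.flag_bits & ZIP_FLAG_ENCRYPTED]


def attachment_ok_to_send(zip_bytes: bytes) -> bool:
    """Gate rule: a valid ZIP in which every member is encrypted passes."""
    if not zipfile.is_zipfile(io.BytesIO(zip_bytes)):
        return False            # not a ZIP at all: reject, do not guess
    return not unencrypted_entries(zip_bytes)


# --- constructed sample data (placeholder bytes, not patient records) -------

def build_plain_zip() -> bytes:
    """A ZIP written by the standard library, i.e. with no encryption."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("intake_form.pdf", b"%PDF-1.4 constructed placeholder")
        zf.writestr("notes.txt", b"constructed placeholder text")
    return buf.getvalue()


def mark_entries_encrypted(zip_bytes: bytes) -> bytes:
    """Test fixture only: set the 'encrypted' bit in every central-directory
    header, mimicking the metadata an encrypting archiver writes. The content
    itself is NOT encrypted here; this merely exercises the gate."""
    data = bytearray(zip_bytes)
    # End-of-central-directory record is the last 22 bytes (no archive comment).
    _sig, _, _, _, count, _cd_size, cd_off, _ = struct.unpack("<4s4HLLH", data[-22:])
    pos = cd_off
    for _ in range(count):
        assert data[pos:pos + 4] == b"PK\x01\x02"        # central-directory header
        flags = struct.unpack_from("<H", data, pos + 8)[0] | ZIP_FLAG_ENCRYPTED
        struct.pack_into("<H", data, pos + 8, flags)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        pos += 46 + name_len + extra_len + comment_len   # fixed header + variable parts
    return bytes(data)


if __name__ == "__main__":
    plain = build_plain_zip()
    print("plain archive, unencrypted members:", unencrypted_entries(plain))
    print("plain archive ok to send:", attachment_ok_to_send(plain))
    print("flagged archive ok to send:", attachment_ok_to_send(mark_entries_encrypted(plain)))
```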