

Is my email HIPAA compliant?

Posted on 2014-04-08
Medium Priority
Last Modified: 2014-04-15
Hi experts,

I have Yahoo Plus email set up in Outlook and I use it to email patient forms/information. Is this HIPAA compliant?
Question by: frankbustos

Accepted Solution

Michael Dyer earned 2000 total points
ID: 39987248
Email in general is not secure. There is really no way to know that the person receiving the email you sent is who you intended. This is especially so in companies whose messaging system is controlled through an IT department.

Often companies have an email policy in place informing employees that they should expect no privacy as it relates to using the company’s email or Internet systems. So, those people handling sensitive information, including discussing diagnoses and treatments for patients, need to be aware that general email has no guarantee of privacy.

Generally HIPAA requires three things when it comes to email:

Strong security:

According to Section 164.314(a) of HIPAA, it is the responsibility of the health care provider to ensure that everyone involved in handling such confidential and personally-identifying information complies with the safeguards established by the HIPAA laws. Most providers meet this requirement by adding extra security around email like secure email, scanning outbound emails for sensitive data, and having a good handle on who is allowed to access email.  One way you can do this is to zip up documents with a password and then verbally provide the password to your client.

The HIPAA Omnibus Final Rule released March 18, 2013 states that clients are allowed to authorize communications via email, but to do so the client must be informed of the risks relating to sending protected health information via email before they sign the authorization. Most firms have a consent form that clients must fill out before email can be used.  You should have this included with your standard forms your client signs consenting to receiving medical information via email.

Business Associate Agreement:
Many health care providers use a third party (like Gmail, Microsoft, or their IT company) for email. In your case, you are using Yahoo Plus.  These firms are referred to by HIPAA as “Business Associates.” These Business Associates are required to sign an agreement that states they will protect a patient’s confidential information with the same high standards required of the health care provider.  Yahoo does not sign BAA agreements regarding email.  

So, sending any protected health information via email with Yahoo Plus would be a HIPAA violation unless it is attached to the email in an encrypted, password-protected file.

Author Comment

ID: 39987285
Thanks Michael for the details. So, what step/solution do you recommend I go with?

Expert Comment

by:Michael Dyer
ID: 39987342
Well, your cheapest option is to use a program like WinRAR (http://www.rarlab.com/) to create zipped files with encryption and then email the encrypted file as an attachment and provide the password to your client verbally. The other option is to use a different email service that is HIPAA compliant, but typically you have to pay a monthly service fee for those.

HIPAA does permit faxing of patient information with the patient's consent, so you could also consider just using a fax machine instead of sending email.
