Is my email HIPAA compliant?

Posted on 2014-04-08
Medium Priority
Last Modified: 2014-04-15
Hi experts,

I have Yahoo Plus email set up in Outlook and I use it to email patient forms/information. Is this HIPAA compliant?
Question by: frankbustos
LVL 14

Accepted Solution

Michael Dyer earned 2000 total points
ID: 39987248
Email in general is not secure. There is really no way to know that the person receiving the email you sent is who you intended. This is especially so in companies whose messaging system is controlled through an IT department.

Often companies have an email policy in place informing employees that they should expect no privacy as it relates to using the company’s email or Internet systems. So, those people handling sensitive information, including discussing diagnoses and treatments for patients, need to be aware that general email has no guarantee of privacy.

Generally HIPAA requires three things when it comes to email:

Strong security:

According to Section 164.314(a) of HIPAA, it is the responsibility of the health care provider to ensure that everyone involved in handling such confidential and personally-identifying information complies with the safeguards established by the HIPAA laws. Most providers meet this requirement by adding extra security around email like secure email, scanning outbound emails for sensitive data, and having a good handle on who is allowed to access email.  One way you can do this is to zip up documents with a password and then verbally provide the password to your client.

The HIPAA Omnibus Final Rule released March 18, 2013 states that clients are allowed to authorize communications via email, but to do so the client must be informed of the risks relating to sending protected health information via email before they sign the authorization. Most firms have a consent form that clients must fill out before email can be used.  You should have this included with your standard forms your client signs consenting to receiving medical information via email.

Business Associate Agreement:
Many health care providers use a third party (like Gmail, Microsoft, or their IT company) for email. In your case, you are using Yahoo Plus.  These firms are referred to by HIPAA as “Business Associates.” These Business Associates are required to sign an agreement that states they will protect a patient’s confidential information with the same high standards required of the health care provider.  Yahoo does not sign BAA agreements regarding email.  

So, sending any protected health information via email with Yahoo Plus would be a HIPAA violation unless it is attached to the email in an encrypted, password protected file.

Author Comment

ID: 39987285
Thanks Michael for the details. So, what step/solution do you recommend I go with?
LVL 14

Expert Comment

by:Michael Dyer
ID: 39987342
Well, your cheapest option is to use a program like WinRAR (http://www.rarlab.com/) to create zipped files with encryption and then email the encrypted file as an attachment and provide the password to your client verbally. The other option is to use a different email service that is HIPAA compliant, but typically you have to pay a monthly service fee for those.

HIPAA does permit faxing of patient information with the patient's consent so you could also consider just using a fax machine instead of sending email.
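The accepted answer mentions two controls a practice can put in front of outbound mail: scanning messages for sensitive data, and only letting patient files leave as encrypted, password-protected archives whose password is shared out of band. The following is an added example of what such a pre-send check can look like; it is not code from this thread, from Experts Exchange or from WinRAR. It uses only the Python standard library: text parts are matched against a few identifier patterns (constructed for the example, not a complete PHI taxonomy), zip attachments are inspected entry by entry for the encryption flag in their headers, and the WinZip AES method id (99) is used to tell AES entries apart from legacy ZipCrypto, which is considered weak and should not be accepted. The addresses, the PDF bytes and the archives are constructed fixtures; the "zipcrypto" and "aes" archives only carry the relevant header fields and are not real encrypted files.

```python
import io
import re
import struct
import zipfile
import email
from email import policy
from email.message import EmailMessage

# Illustrative identifier patterns for an outbound scanner (constructed for this example;
# a real deployment would tune these to the forms the practice actually sends).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{2,4}", re.I),
    "mrn": re.compile(r"\bMRN\b[:#\s]*\d{5,}", re.I),
}

ZIP_FLAG_ENCRYPTED = 0x0001   # general-purpose flag bit 0: the entry is encrypted
WINZIP_AES_METHOD = 99        # compression method id used for WinZip AES (AE-x) entries


def classify_zip(data: bytes) -> str:
    """Classify a zip archive's entries from their headers alone.

    Returns 'aes', 'zipcrypto', 'plaintext', 'mixed' or 'empty'. Legacy ZipCrypto sets the
    encryption flag but keeps an ordinary method id; AES entries use method 99.
    """
    kinds = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not info.flag_bits & ZIP_FLAG_ENCRYPTED:
                kinds.add("plaintext")
            elif info.compress_type == WINZIP_AES_METHOD:
                kinds.add("aes")
            else:
                kinds.add("zipcrypto")
    if not kinds:
        return "empty"
    return kinds.pop() if len(kinds) == 1 else "mixed"


def scan_message(raw: bytes) -> list[str]:
    """Return policy findings for an outbound message; an empty list means it may be sent.

    Policy: every attachment must be a zip whose entries are all AES-encrypted, and no
    text part may contain one of the identifier patterns above.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename()
        if filename:
            payload = part.get_payload(decode=True) or b""
            if ctype == "application/zip" or filename.lower().endswith(".zip"):
                try:
                    kind = classify_zip(payload)
                except zipfile.BadZipFile:
                    kind = "unreadable"
                if kind != "aes":
                    findings.append(f"attachment {filename}: zip entries are {kind}, AES-encrypted archive required")
            else:
                findings.append(f"attachment {filename}: unencrypted {ctype} attachment")
        elif ctype.startswith("text/"):
            text = part.get_content()
            for name, pattern in PHI_PATTERNS.items():
                if pattern.search(text):
                    findings.append(f"body: {name} pattern found in {ctype} part")
    return findings


def make_sample_zip(content: bytes, mode: str = "plaintext") -> bytes:
    """Build a one-entry archive for the demonstration (constructed fixture).

    'plaintext' is a genuine archive. 'zipcrypto' and 'aes' only patch the flag and method
    fields in the local and central headers so the classifier can be exercised offline.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("intake-form.pdf", content)
    data = bytearray(buf.getvalue())
    if mode == "plaintext":
        return bytes(data)
    method = WINZIP_AES_METHOD if mode == "aes" else zipfile.ZIP_STORED
    local = data.index(b"PK\x03\x04")     # local file header: flags at +6, method at +8
    struct.pack_into("<HH", data, local + 6, ZIP_FLAG_ENCRYPTED, method)
    central = data.index(b"PK\x01\x02")   # central directory header: flags at +8, method at +10
    struct.pack_into("<HH", data, central + 8, ZIP_FLAG_ENCRYPTED, method)
    return bytes(data)


def build_sample_message(body: str, attachment: bytes, filename: str, maintype: str, subtype: str) -> bytes:
    """Compose a constructed outbound message (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "frontdesk@clinic.example"
    msg["To"] = "patient@example.net"
    msg["Subject"] = "Your forms"
    msg.set_content(body)
    msg.add_attachment(attachment, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    pdf = b"%PDF-1.4 constructed sample form\n"
    bad = build_sample_message("Hi, your SSN 123-45-6789 is on file.", pdf, "intake-form.pdf", "application", "pdf")
    good = build_sample_message("Your forms are attached; I will call you with the password.",
                                make_sample_zip(pdf, "aes"), "intake-form.zip", "application", "zip")
    for label, raw in (("bad", bad), ("good", good)):
        print(label, scan_message(raw) or "OK to send")
```

The check looks only at headers, so it can confirm that an archive claims AES encryption but cannot verify the password strength or open the entries (Python's zipfile does not implement method 99); in a gateway it would sit beside the consent record and the Business Associate Agreement the answer describes rather than replace them.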

Author Closing Comment

ID: 40002270
