HITECH has added new requirements to the HIPAA regulations, one of which is encrypted email when sending or receiving PHI. It’s important for healthcare providers to understand email is NOT secure, encrypted or safe for sending sensitive information. It is easily intercepted and read by others, which is likely cyber criminals. To protect information being sent via email a modified email service must be used. There have been encrypted email solutions for years and Microsoft Office 365 and other cloud email solutions offer encrypted email. However, that does NOT secure the information from being viewed. To truly secure the email message you must encrypt the message/data, authenticate the receiver is whom they say they are and verify whom you intended to receive the message is correct. The U.S. government created the DIRECT protocol to provide a standard to allow different companies create solutions that would all work together. It’s important to take action now to reduce your exposure to a breach and possible fines.
Simple Secure Email Plan
Here’s a simple plan to help you get started and implement a secure email solution.
Identify staff that sends and receives PHI via email.
- List partners/vendors too; labs, x-ray lab, therapist, insurance companies, EHR vendors, etc.
- List staff that sends/receives PHI from these places and patients.
- Don’t forget the unexpected staff, that may occasionally receive PHI, such as administration, front office, etc.
Create a policy and procedure to address securing PHI in email.
- The policy should state the proper emailing of PHI information.
- The procedure should state how to accomplish the proper emailing of PHI information.
Research a secure email company to use.
- Make sure they meet your requirements and offer the DIRECT protocol solution.
- Shameless plug; we’ve partnered with the leader in the industry, DataMotion.com
- Purchase the number of accounts you need to make sure all PHI will be sent securely.
Hope this helps and you keep your PHI secure while emailing.