
How to send email that meets HIPAA compliance standards

Today’s medical businesses are bound by the many restrictions of the Health Insurance Portability and Accountability Act, or HIPAA. This law applies not only to information sent by medical providers and insurance companies, but also to information handled by third-party business associates. The HIPAA Omnibus Rule, effective earlier in 2013, strengthens a number of existing provisions to further protect the privacy and security of sensitive healthcare-related information.

HIPAA violations can land a medical practice and its business associates in hot water with heavy penalties. In fact, businesses with breaches of 500 or more records are publicly listed on the “HIPAA Wall of Shame”. One area that may be overlooked in your practice is e-mail encryption. Below are some common tips on encrypting e-mail and protecting protected health information (PHI) in transit.


Do take the steps necessary to encrypt the right information

IT professionals suggest encrypting three things: the connection between your office and your e-mail provider, the e-mail message itself, and any stored or archived messages.

Do look out for public connections

Public networks like restaurant and coffee shop connections are not as secure as specifically set up private networks. Make sure that you consider encryption (and other protections as applicable) for any information sent through these vulnerable networks. Better yet, avoid sending or opening any private information while using public networks.

Do know your protocols

Some healthcare practices send and receive PHI via a file transfer protocol (FTP) system, a program that lets you move files from one computer to another. Understanding the full use of FTP and other server systems will help you develop and continuously update the right strategies for e-mail and data encryption. Check the Administrative Simplification section and the Technical Safeguards for the HIPAA compliance standards that apply to sending files this way.

Do use Secure Sockets Layer and Transport Layer Security

These two protocols protect data in transit for commercial banking and other sensitive financial transactions. By ensuring that every network segment is SSL/TLS compliant, you extend the same protection to your own sensitive information as it passes through your electronic systems. Experts recommend checking for an ‘s’ after the http in a browser URL as one indication that the connection is secured.
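The two tips above, encrypting the hop between the office and the e-mail provider and insisting on TLS, can be enforced in code. The following Python example is added here for illustration; it is not code from ExpertBeacon or from the article’s author. It refuses to send unless the mail server advertises STARTTLS, upgrades the connection with a context that verifies the server certificate and host name and rejects anything older than TLS 1.2, and includes a small check for the ‘https’ scheme the article mentions. Host names, ports, credentials and the sample EHLO reply are constructed placeholders. Note that this protects only the connection to the provider; the message body still needs its own encryption to cover the other two layers the article lists (the message itself and the archive).

```python
"""Send e-mail only over a verified STARTTLS connection (illustrative example)."""
import smtplib
import ssl
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed sample of an SMTP EHLO reply, used for offline demonstration.
# smtplib strips the "250-"/"250 " status prefixes before handing the reply back.
SAMPLE_EHLO_REPLY = b"mail.example.com\nSTARTTLS\nSIZE 35882577\n8BITMIME"


def secure_context() -> ssl.SSLContext:
    """Build a TLS context that verifies the certificate chain and host name
    and refuses protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Report whether a context meets the three requirements above."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def starttls_offered(ehlo_reply: bytes) -> bool:
    """Parse an EHLO reply and report whether the STARTTLS extension is listed.

    Accepts both the raw wire form ("250-STARTTLS") and the form smtplib
    returns ("STARTTLS"); the first line is the server's host name."""
    for raw in ehlo_reply.decode("ascii", errors="replace").splitlines():
        line = raw.strip()
        if line[:3] == "250" and len(line) > 3:
            line = line[4:]  # drop "250-" or "250 " prefix if present
        keyword = line.split(" ", 1)[0].upper()
        if keyword == "STARTTLS":
            return True
    return False


def uses_https(url: str) -> bool:
    """The article's quick browser check: is the scheme 'https'?"""
    return urlparse(url).scheme.lower() == "https"


def send_encrypted(host: str, port: int, username: str, password: str,
                   sender: str, recipient: str, subject: str, body: str) -> None:
    """Submit a message, refusing to proceed if the link cannot be encrypted."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)

    with smtplib.SMTP(host, port, timeout=30) as smtp:
        code, reply = smtp.ehlo()
        if code != 250 or not starttls_offered(reply):
            # Never fall back to plaintext: PHI must not cross the wire unencrypted.
            raise RuntimeError("server does not offer STARTTLS; refusing to send")
        smtp.starttls(context=secure_context())
        smtp.ehlo()  # re-read capabilities over the now-encrypted channel
        smtp.login(username, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    # Offline demonstration on the constructed reply; a real call would be
    # send_encrypted("smtp.example.com", 587, "user", "secret", ...).
    print("STARTTLS advertised:", starttls_offered(SAMPLE_EHLO_REPLY))
    print("context strict:", context_is_strict(secure_context()))
    print("https check:", uses_https("https://portal.example.com/login"))
```

The design choice that matters is the explicit refusal: many mail clients silently continue in plaintext when STARTTLS is missing, which is exactly the gap the article warns about when it says not to assume a system preserves encryption.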

Do take a look at available encryption resources

Rather than trying to set up your own IT systems, you may be able to benefit from pre-designed tools that will effectively secure sensitive patient information. Check with any regular vendors or suppliers for tools that meet the high standards of HIPAA compliance.

Consider encrypting archives as well as messages in transit – some practices encrypt messages as they flow out of the network but leave the back door open on their archive systems. Attackers who get into an archive can cause the kind of data breach that ends up being expensive and generating liability.


Do not assume

Rather than assuming that a system preserves encryption end to end, do a little fact finding and confirm with the vendor that your messaging systems are secure at each step of the data transmission process.

Do not rely on anecdotal information

Some healthcare professionals who hear from others in their industry may come to suspect that HIPAA enforcement is not really as stringent as it appears, or that they “really don’t have to do” something. Or maybe you think a breach could never happen to you. Be sure your IT professional and vendors are well versed in HIPAA compliance and will advise you on the steps necessary for complete protection. Relaxed judgments can result in costly mishaps.

Do not leave mobile or personal devices lying around

A large number of data breaches result from unauthorized users getting their hands on a smartphone or tablet. Smart medical businesses extend their breach protection standards to cover both personally owned and company-owned devices. Setting a password to unlock the device and installing an encryption application are a couple of basic defensive steps.

Do not neglect laptop and desktop screens

The physician practices that are most HIPAA compliant have specific protocols for when a staffer steps away from his or her desk. Password-protected screensavers and other protections, such as immediately logging off the workstation, come into play. This prevents visitors or others from snooping into PHI at a sensitive moment.

Do not assume all data is the same

As some medical professionals have pointed out, PHI is only protected if it refers to specific medical care or treatment, or contains patient-identifiable information. Some general elements, such as an identity without any diagnostic or medical information, may not fall under HIPAA law. Although medical businesses have some room to maneuver under these kinds of rules, it’s better to be safe than sorry when it comes to protecting your patients’ privacy.


While you may have to increase your budget and time to ensure your systems meet HIPAA compliance standards, it is time and money well spent. The cost of a breach, in both money and trust, can be monumental. Don’t know where to begin, or want to confirm your standards are compliant? The U.S. Department of Health and Human Services offers robust training guides and compliance checklists/templates to ensure you are on the right track and not alone.


Sue (Sunni) Patterson, President/CEO

Sue (Sunni) Patterson started in the healthcare industry as a senior medical claims processor with a major insurance payer. Sunni is President of RMK Holdings Inc., a healthcare revenue cycle management services firm. Key specialization areas in...
