There are a few key factors in using email in a HIPAA-compliant manner:
- Encrypted in Transit
- Encrypted at Rest*
- Ensuring that only the intended recipients have access to the sensitive communication
- Archival – HIPAA's own retention requirement applies to compliance documentation (six years under 45 CFR § 164.316(b)(2)(i) and § 164.530(j)(2)); retention periods for the records themselves come from state law and legal-hold obligations, and many organizations adopt 7 years or longer. Rather than trying to identify which individual messages contain ePHI, most companies archive all email in an unchangeable format and enjoy the secondary benefits that brings.
- Business Associate Agreement with your provider
*Encryption is an "addressable" implementation specification under the Security Rule, both at rest (45 CFR § 164.312(a)(2)(iv)) and in transit (45 CFR § 164.312(e)(2)(ii)). Addressable does not mean optional: you must implement it where reasonable and appropriate, or document why it is not and implement an equivalent alternative measure (45 CFR § 164.306(d)(3)). In practice, encryption at rest is the recommended and expected choice.
HIPAA Requirements related to Email Archival
Many HIPAA requirements are addressed, in full or in part, by a real email archival system, i.e. one where:
- Copies of all sent and received email are kept in a separate location from your offices and your regular email servers.
- The archived email cannot be edited or deleted.
- The archived email can be searched, downloaded, and read by both administrators and end users.
- The archived email is kept intact for a long period of time (e.g. 7 or 10 years).
Here are more detailed explanations of HIPAA requirements as they apply to electronic protected health information (ePHI) sent and received by email:
Emergency Access
HIPAA requires that you "Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency." (45 CFR § 164.312(a)(2)(ii))
If that health information lives in email and the emergency is that your email system is down, how will you provide emergency access? Continuity provides exactly that: access to an alternative, web-based email server even when your regular email is offline. It is less convenient than your regular mail client, but it allows email communication to continue.
Backup Requirements
HIPAA requires that you "Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment." (45 CFR § 164.310(d)(2)(iv)) The contingency plan standard also requires a data backup plan: "Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information." (45 CFR § 164.308(a)(7)(ii)(A)) An off-site archive of all mail is one straightforward way to satisfy both for ePHI held in email.
Disclosure Recording Requirements
Under the Privacy Rule, individuals have the right to an accounting of disclosures of their PHI covering the six years before their request (45 CFR § 164.528), and you must be able to produce that record. A disclosure of PHI can be merely the transmission of that data from you to someone outside your organization (e.g. another healthcare provider or the patient), so you should be able to show what was sent, to whom and when.
Your HIPAA-compliant email provider likely keeps logs that record the transmission of email to and from its servers; however, these logs will not record the content of the messages. If there is ever a question about a particular message, you should be able to show exactly what it contained. The ideal way to do that is to archive all such messages so you can retrieve copies for audit or legal reasons at any time (HIPAA-related or not).
Required Documentation
HIPAA requires that covered entities retain a wide range of documentation for six years from its creation or last effective date (45 CFR § 164.316(b)(2)(i) and § 164.530(j)(2)) in order to demonstrate compliance and respond to requests. This documentation includes, but is not limited to:
- Policy or procedural documentation: including notices of privacy practices, consents, authorizations and other standard forms
- Patient requests: Such as requests for access, amendment or accountings of PHI disclosures
- Complaints: Documentation related to the handling of patient and/or employee complaints
- Training: Including processes for and content of workforce training
Many email messages pertain to these categories, and copies of those messages should be retained as part of the HIPAA documentation requirement.
The surest way to do this is to archive all inbound and outbound email. Relying on individuals to selectively save specific messages is extremely unreliable; uniform archival provides a single place to find these messages and assurance that every potentially important message has been kept.
The Coburn Enterprises solution to help our clients meet these requirements was to create a set of hosted email products that simplifies implementation and allows facilities to meet compliance while staying within their budgets.
HIPAASHARE Email Pricing:
Compliant Hosted Exchange (this is the service for users who need access to their email and calendar from multiple locations and devices such as phones and laptops, and when they travel to other facilities). Price: $10.00 per month per mailbox.
To fully meet compliance you will need to add Archiving, which archives all email regardless of which type of email solution the user has. Price: $2.50 per month per mailbox. Note: this fee applies to all active mailboxes, and all mailboxes will be archived.