It’s fast and easy, and you can often work more efficiently with an email exchange than if you must make phone calls or schedule appointments to discuss patient care. But where does that exchange fall when it comes to HIPAA compliance?
The HIPAA Security Rule introduced several requirements that must be met before an email exchange can be considered HIPAA compliant. They require covered entities to implement access controls, integrity controls, audit controls, ID authentication, and transmission security in their policies and procedures.
But What About Encryption?
Unfortunately, encryption alone does not satisfy the audit control requirement, which concerns recording how PHI is communicated and by whom. Encryption is only one element of HIPAA compliance for email: it helps prevent unintentional or malicious disclosure of electronic PHI in transit, but it does not by itself provide the access, integrity, or audit controls the Security Rule also requires.
Are There Alternatives?
Secure messaging has become an increasingly popular substitute for email communication, since a secure messaging platform can address all the requirements of the HIPAA Security Rule in one system. It can also be faster and more convenient, for example when an employee does not have email alerts turned on.
How Long Do You Need to Keep Everything?
Covered entities are required to retain communications that contain PHI for six years. This can put a strain on the business’s storage space, so encrypted email archiving has become a popular solution. If a business chooses to outsource archiving, it must ensure that a Business Associate Agreement is in place with whatever company it works with, because that vendor must also comply with the HIPAA Security and Privacy Rules.
If you need assistance determining what the appropriate means are to protect the ePHI that is transmitted within your business, HIPAA Secure Now can help! We know that cybersecurity and HIPAA compliance are critical to your business and together they go hand in hand in protecting you from more than a HIPAA violation – smart and safe practices keep your business running!