Ensuring HIPAA compliance for Protected Health Information (PHI) sent over email is a complex issue. Pinnacle can provide solutions for the technical aspects, but it's important for you to understand the limitations and procedural implications involved.


Email can be understood as being divided into "domains": pintechfw.com, pinnacletechnologysolutions.net, etc. Pinnacle controls how email is handled for the domains we manage, so any message that stays within your domain remains securely within your provider's servers and is covered by your Business Associate Agreement (BAA) with them.


When email is sent outside your domain it leaves your (and Pinnacle's) control, and security becomes the responsibility of the recipient and their email provider. Email is traditionally considered "insecure" because, when you exchange email between domains, you cannot always guarantee that the recipient's domain can accept encrypted (TLS) delivery. Even though most U.S.-based providers support encryption, mail systems have traditionally allowed a "fall back" to unencrypted delivery to ensure that messages get through. To ensure HIPAA compliance, that approach has to change: encryption must be required whenever email is transferred between your domain and outside domains.


For HIPAA compliance, Pinnacle will configure your domain to enforce TLS encryption for email delivery to and from your domain. This ensures that email cannot be sent unencrypted. It also means that email that cannot be delivered securely will not reach its intended recipient; there may be a delay of up to 48 hours before the failed delivery is reported back to the sender.
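As an added illustration, not Pinnacle's own configuration (which this page does not reproduce), the Exchange Online PowerShell commands below show how a domain hosted on Office 365 can be set to require TLS in both directions instead of falling back to unencrypted delivery. The example assumes the Exchange Online PowerShell module is installed and that the account used holds an Exchange administrator role; the connector names are placeholders chosen for this example.

```powershell
# Added example: require TLS for all mail leaving and entering an Office 365 tenant.
# Assumptions: Exchange Online PowerShell module installed; caller is an Exchange admin.
# Connector names below are placeholders, not Pinnacle's actual configuration.

Connect-ExchangeOnline

# 1. Outbound: a Partner connector covering every recipient domain ("*") that delivers
#    via the recipient's MX record but refuses to fall back to cleartext when the
#    receiving server does not offer STARTTLS. Mail to such domains stays queued until
#    it expires and a non-delivery report is returned to the sender.
#    EncryptionOnly requires TLS but does not validate the remote certificate;
#    CertificateValidation is stricter and will also block domains whose certificate
#    is self-signed, expired or mismatched.
New-OutboundConnector -Name "Require TLS to all external domains" `
    -ConnectorType Partner `
    -RecipientDomains "*" `
    -UseMXRecord $true `
    -TlsSettings EncryptionOnly `
    -Enabled $true

# 2. Inbound: a Partner connector that rejects any sending server outside the
#    organization that does not negotiate TLS before the message is accepted.
New-InboundConnector -Name "Require TLS from all external domains" `
    -ConnectorType Partner `
    -SenderDomains "*" `
    -RequireTls $true `
    -Enabled $true

# 3. Verify the result: both connectors should be Enabled with TLS required.
Get-OutboundConnector | Format-Table Name, Enabled, TlsSettings, RecipientDomains
Get-InboundConnector  | Format-Table Name, Enabled, RequireTls, SenderDomains
```

Two points worth checking after applying such a change: confirm with the `Get-` cmdlets that the connectors are enabled and scoped to `*` rather than a single test domain, and send a test message to an external address you control so that you see what a queued or failed delivery looks like before users encounter one. A transport rule created with `New-TransportRule -RouteMessageOutboundRequireTls $true` can scope enforcement to specific messages (for example, those flagged as containing PHI) instead of the whole domain, but the domain-wide connector approach above matches the page's recommendation that encryption be required for all mail crossing the domain boundary.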


Note that this solution does not:

  • Prevent email from being sent to the wrong address (this is normally addressed by your internal PHI handling procedures).
  • Prevent PHI from being mishandled on remote servers or by the recipient (this is not your responsibility).


There are three steps you need to take to ensure HIPAA compliance:

  1. Instruct Pinnacle to enforce TLS encryption on your outgoing and incoming email.
  2. Review the Microsoft BAA at http://www.microsoftvolumelicensing.com/Downloader.aspx?DocumentId=13295, which is triggered by your use of Office 365 to transmit PHI.
  3. Review/revise your existing PHI handling procedures to ensure that PHI is only emailed to the correct recipient(s) who have the right to view the specific PHI in question, and that consent is obtained before discussing PHI with patients by email.

Once these steps are complete, you can use email to transmit PHI with confidence!