The Myth of HIPAA Compliant Email

By: Blink Session

Yesterday at Blink Session we rolled out our secure in-app messaging feature and thought it would be a good time to talk about email, HIPAA, and security.

In telehealth, electronic communication is vital, but how do you make sure you are protecting patients' personal health information? Certainly, email is the most convenient way to send and receive information and files from your clients, but you have probably wondered if or when doing so violates HIPAA (the Health Insurance Portability and Accountability Act in the U.S.) rules. Email security is not easy to understand, and there are many companies that will sell you "HIPAA compliant email", making things even more confusing.

Email is Generally Not Secure

Let's look at the life of an email. First, you compose the message on your computer or phone, where a copy is usually stored. Second, you hit send and it travels to your email service provider's server, where it is stored. Third, if the email is going to someone outside your organization (or outside Gmail, etc.), your email provider sends it to the recipient's email provider. Fourth, it is stored on the recipient's email provider's server. Fifth, it is delivered to the recipient's inbox. Sixth, it is downloaded to the recipient's device (or multiple devices).

One email ends up saved on 4-8 different devices and servers around the world, and each of those places is a point where it can be exposed. Now, generally speaking, email service providers have many security measures in place to make sure emails are not read by the wrong people. That said, because of email's vulnerable nature, HIPAA has specific rules about how it should be used to transmit patients' personal information.
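To make the hop-by-hop picture concrete, here is an added example (not code from the original post or from Blink Session): each mail server that handles a message prepends a Received: header, so those headers let you list the servers the message was stored on and whether each server-to-server hop used transport encryption. The message, hostnames and addresses below are constructed.

```python
"""Trace the servers an email passed through using its Received: headers.

Each relay prepends its own Received: line, so the headers are a record of
the hops. Transport encryption (ESMTPS) only protects a single hop; every
server in the chain still holds its own copy of the message.
"""
import re
from email import message_from_string

# Constructed sample: three mail servers handled this message.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
    by imap.recipient.example with ESMTP id 7;
    Mon, 1 Jan 2024 10:00:03 +0000
Received: from smtp.clinic.example (smtp.clinic.example [198.51.100.4])
    by mx.recipient.example with ESMTPS id 6 (TLSv1.3);
    Mon, 1 Jan 2024 10:00:02 +0000
Received: from laptop.lan (unknown [192.0.2.10])
    by smtp.clinic.example with ESMTPSA id 5;
    Mon, 1 Jan 2024 10:00:01 +0000
From: therapist@clinic.example
To: client@recipient.example
Subject: appointment notes

See attached.
"""

# from <host> ... by <host> ... with <protocol>
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.I)


def trace_hops(raw):
    """Return hops oldest-first as (from_host, by_host, encrypted) tuples."""
    msg = message_from_string(raw)
    hops = []
    # Newest Received: header is first, so reverse to get sending order.
    for header in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(header.split()))  # unfold the header
        if not m:
            continue
        src, dst, proto = m.groups()
        # ESMTPS / ESMTPSA mean SMTP over TLS; plain SMTP/ESMTP is cleartext.
        proto = proto.upper()
        encrypted = proto.startswith(("ESMTPS", "SMTPS")) or "TLS" in proto
        hops.append((src, dst, encrypted))
    return hops


def cleartext_hops(raw):
    """Hops on which the message travelled unencrypted between servers."""
    return [(s, d) for s, d, enc in trace_hops(raw) if not enc]
```

Running `trace_hops(SAMPLE)` lists three servers, and `cleartext_hops(SAMPLE)` flags the final internal delivery hop, which used plain ESMTP.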

What About "HIPAA-Compliant" Email Services?

If there is no such thing as HIPAA-compliant email, what about "HIPAA-compliant" email services? These services do provide methods for you to use email in a compliant way, but that does not mean all email you send or receive is automatically compliant.

Think about the "life of an email" above. If you were to send sensitive information in an email, how could you protect it through all those steps? How could you make sure only the recipients could read it?

If you are emailing someone inside your organization, the main security issue is your email service provider's server, because the email will not need to be transferred to another email service provider. If your company has HIPAA-compliant email, messages between your team are compliant.

The problem comes when email leaves your "HIPAA-compliant" email service to be delivered to an outside email address. "HIPAA-compliant" email services are notorious for being unclear about this: even if you use "HIPAA-compliant" email, messages sent to addresses outside your company are insecure.

Now, HIPAA-compliant email services usually provide ways to send messages securely outside your organization. They either use some type of email encryption or a website where recipients log in to view messages. But again, sending a regular email, even from a HIPAA-compliant email service, does not make it secure.

Can my Client Agree to Send/Receive Insecure Email?

Yes. From the US Department of Health and Human Services, Omnibus Final Rule, 2013: "We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email."

It is your responsibility to notify clients of the risk and receive permission from them. Failing to do so could result in a HIPAA violation.

Avoid Email, Choose the Right Telehealth Platform

At Blink Session we wanted to provide a way for you, your staff, and clients to securely communicate without ever leaving the platform. Avoid the entire problem of email security by choosing a platform with secure HIPAA-compliant messaging built in.