How to Handle HIPAA and Email

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

Email is fast and easy, and you can often work more efficiently with an email exchange than if you must make phone calls or schedule appointments to discuss patient care. But where does that exchange fall when it comes to HIPAA compliance?

The HIPAA Security Rule sets out several requirements that must be met before email can be considered HIPAA compliant. Its technical safeguards require covered entities to implement access controls, integrity controls, audit controls, person or entity authentication, and transmission security in their policies and procedures.

But What About Encryption?

Unfortunately, encryption alone does not satisfy these requirements. It protects a message from being read in transit, which helps prevent unintentional or malicious disclosure of electronic PHI, but it does nothing to fulfill the audit control requirement: a record of who sent PHI, to whom, and when. Encryption is only one element of HIPAA compliance for email, not the whole of it.

Are There Alternatives?

Secure messaging has become an increasingly popular substitute for email because a properly configured platform can address all of the Security Rule requirements listed above, not just transmission security. It can also be faster and more convenient, since its notifications reach staff who do not keep their email alerts turned on.

How Long Do You Need to Keep Everything?

Covered entities are required to retain communications that contain PHI for six years. This can put a strain on a business's storage space, so encrypted email archiving has become a popular solution. If a business chooses to outsource archiving, it must ensure that a Business Associate Agreement is in place with whatever company it works with, because that company must also comply with the HIPAA Security and Privacy Rules.

This article was originally published on HIPAA Secure Now! and is republished here with permission.