Can email really be HIPAA compliant?
In part one of a two-part series, Dr. Lou Shuman and Robert McDermott discuss if email can satisfy HIPAA regulations—and how you can ensure electronic protected health information remains secure.
Each month, Dr. Lou Shuman consults with a dental technology specialist to discuss the latest developments in digital encryption, data security, social media trends, SEO strategies, website optimization, online reputation management, marketing and more.
This month, Dr. Shuman sat down with Robert McDermott, President and CEO of iCoreConnect, to talk about HIPAA compliance and electronic protected health information. Here, in part one of a two-part series on the topic, they discuss the importance of safeguarding electronic protected health information—and how to ensure your practice stays HIPAA compliant.
Is it true you have personally spoken to over 2,000 dental professionals researching their needs regarding HIPAA compliance and electronic protected health information (ePHI)?
It is true. It took about five months, but what we learned was very interesting. There’s really a lack of education on the ePHI side of HIPAA… a lack of understanding at the practice level of what needs to be done and what can be done.
A lot of the practices had actually stopped emailing altogether because they thought it was against the law to email electronic protected health information. The truth is that email can be a tremendous advantage to a practice, but it has to be implemented in a HIPAA-compliant way.
Did you find that most practices are attempting to be HIPAA compliant with their electronic protected health information?
At this point, I think they feel that it’s a burden to them and it affects their productivity to try to be HIPAA compliant, but most are trying. A lot of them are frustrated because they don’t really know the HIPAA laws. There are a lot of misconceptions out there.
As I mentioned, many practices won’t use email to share ePHI. I typically ask them, “What if a patient requests their records? How do you get the information to them?” Most of them were actually forcing the patient to pick up their health records in person at the practice. The conversations always go to, “Do you think that’s good customer service?” There is usually a pause and then the answer, “No, I guess not, if I think about it, but I don’t want to break the law.”
On a personal note, I recently switched from a dentist who would not email me my patient records. I’m not going to drive 15 miles to pick up my records when someone else can hit a button and email them to me in a HIPAA-compliant manner.
Another common misconception is that many healthcare professionals think HIPAA is a new thing in the marketplace. HIPAA has been around since 1996, but until recently there wasn’t a great deal of enforcement. That’s changing. Enforcement and fines have increased dramatically over the last several years.
Can you clarify the difference between secure email and HIPAA-compliant email?
I think one of the biggest misconceptions out in the marketplace is that if you have “secure email,” you have HIPAA-compliant email.
The label “secure email” typically refers to some level of encrypted email, but encryption alone does not make email HIPAA compliant. The HIPAA security standards require five technical safeguards in order for email to be compliant. Many secure email providers are not meeting all five technical safeguards, because it’s a huge investment. But for HIPAA compliance, it’s not optional – it’s law.
So, email could be encrypted and still not HIPAA compliant, because it lacks the other technical safeguards. It’s also interesting to note that the 256K-bit encryption safeguard was first implemented back in 2005. Of course, technology has advanced significantly in the last 10 years and so has the sophistication of hackers and data thieves. A higher encryption rating is exponentially harder to hack. The best technology out there right now is 2,048k-bit encryption.
Next month: Learn about the five required technical safeguards for HIPAA-compliant management of electronic protected health information, and what practitioners should take into consideration when migrating to the Cloud.