If your company deals with Protected Health Information in any capacity, it doesn’t matter where, how, or by whom it’s being accessed – you need to safeguard its privacy and confidentiality. Even if your firm securely stores its health records, if you’re not in control of them as they proceed through your ecosystem, you are not compliant. The HIPAA umbrella encompasses every arm of your organization, including your email server.
And that’s what we’re here to talk about today. There are actually specific guidelines in HIPAA regarding the sharing of PHI via email. And given that there’s at least a 99% chance your organization makes pretty comprehensive use of email, you should familiarize yourself with them.
- Incorporate comprehensive access controls that ensure only authorized parties have access to the email server.
- Monitor all outbound communications to ensure no PHI is being communicated improperly. If your organization is particularly large, you may want to consider incorporating some form of automated DLP tool that flags (or bounces) potentially sensitive messages sent to unrecognized parties.
- Ensure your email server is encrypted with the same level of security as your file storage server, and that all PHI within your email server is secure while at rest.
- Use a VPN or secure tunnel that protects sensitive emails while they are in transit.
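To make the outbound monitoring item above concrete, here is a small sketch of a DLP-style check that flags or bounces a message when PHI-like content is headed to an unrecognized party. It is an added example, not code from this article or from any vendor; the approved domains, the PHI patterns and the sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

# Assumption: domains of recipients already approved to receive PHI.
APPROVED_DOMAINS = {"clinic.example", "lab-partner.example"}

# Heuristic indicators only; a production rule set is broader and tuned.
STRONG = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b")}
WEAK = {
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.I),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
}

def unrecognized_recipients(msg):
    """Return recipient addresses whose domain is not on the approved list."""
    headers = [str(v) for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    addrs = {addr.lower() for _, addr in getaddresses(headers) if addr}
    return sorted(a for a in addrs if a.rpartition("@")[2] not in APPROVED_DOMAINS)

def scanned_text(msg):
    """Subject plus every text part, so HTML alternatives are scanned too."""
    parts = [p.get_content() for p in msg.walk() if p.get_content_maintype() == "text"]
    return "\n".join([str(msg["Subject"] or "")] + parts)

def evaluate(raw):
    """Decide deliver / flag / bounce for one outbound RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    outside = unrecognized_recipients(msg)
    text = scanned_text(msg)
    strong = [n for n, rx in STRONG.items() if rx.search(text)]
    weak = [n for n, rx in WEAK.items() if rx.search(text)]
    if not outside or not (strong or weak):
        action = "deliver"   # nothing sensitive, or every recipient is approved
    elif strong:
        action = "bounce"    # high-confidence identifier going to an unknown party
    else:
        action = "flag"      # weaker signal: hold for human review
    return {"action": action, "indicators": strong + weak, "unrecognized": outside}

# Constructed sample messages (not real data).
HDR = "From: nurse@clinic.example\nSubject: Follow-up\n"
BOUNCE = HDR + "To: billing@clinic.example, J Doe <jdoe@freemail.example>\n\nSSN 123-45-6789, MRN: 00482913\n"
FLAG = HDR + "To: jdoe@freemail.example\n\nVisit for MRN 00482913 is confirmed.\n"
APPROVED = HDR + "To: results@lab-partner.example\n\nSSN 123-45-6789\n"

if __name__ == "__main__":
    for name, raw in (("bounce", BOUNCE), ("flag", FLAG), ("approved", APPROVED)):
        print(name, evaluate(raw))
```

Pattern matching like this only sees text parts, so attachments and images need their own extraction step before a check of this kind can cover them.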
In addition to the above, I’d recommend having a system in place that flags and/or blocks emails sent by suspicious or unknown senders. The idea here is that if someone is meant to be communicating with your organization via email, they’ll be on a pre-approved whitelist. A little inconvenient, sure, but necessary if you’re to protect your organization (and patients) from the consequences of a HIPAA violation.
Further, I’d strongly advise educating your employees to help them recognize the red flags associated with a phishing email. Healthcare organizations are, after all, a growing target for such attacks. The more you do to prevent such attacks, the better off you’ll be.
Finally, choose your email service very carefully. Avoid using consumer services – instead, seek out a vendor that specializes in HIPAA-compliant email. As a good rule of thumb, if they’re willing to sign a business associate agreement, they’re probably worth working with.
The HIPAA umbrella encompasses everything within your organization – even the furthest reaches of your ecosystem. You need to apply good practices and strong security evenly across everything. That holds true whether you’re talking about email, mobility, or anything in between.