HIPAA Compliant Email Encryption Services For Small And Mid-Sized Healthcare Practices

Oct 7

Carol A. Wilcox

PREFERRED Therapy Providers, Inc.

If you have heard about email encryption but aren’t exactly sure what it means or even if your healthcare practice really needs it, you might want to read on, especially if you email any type of Protected Health Information (PHI).

Overview of PHI

PHI, or “Protected Health Information”, is everywhere, even in places that are less obvious than Electronic Health Record (EHR) systems. PHI is any type of information that can identify a patient or provide information regarding their healthcare. The obligation to protect PHI applies to all health care organizations, regardless of size and regardless of whether the practice participates in Medicare. Some areas where PHI resides include:

  • Patient name, address and telephone number
  • Social security number
  • Date of birth
  • Diagnosis
  • Medical record number
  • Billing number
  • Paper health records
  • Electronic records
  • Appointment reminders
  • Patient photos or notes on a clinic bulletin board
  • Whiteboards with patient information used in treatment areas
  • Computer monitors or tablets that face public areas
  • Fax and copy machines

If you send any type of patient information via email, you should be using encryption. Although HIPAA does not specifically require encryption for electronic delivery of patient information, it does require that you protect patient information by reasonable means, including implementing a process to ensure patient privacy. So it is reasonable to assume that if you email, without encryption, any information that could potentially be used to identify a patient, you are sending PHI in a way that is not HIPAA compliant. One big reason is that an email does not simply go away when you hit the ‘delete’ button: it can reside on a computer, a smartphone or a mail server for a long, long time. When an email is sent, it can pass through a variety of different machines and can be intercepted at many points. If that email isn’t encrypted, it is vulnerable to hackers and others who can easily access the information. So you may ask, what exactly is encryption?

Overview of Encryption

In a nutshell, email encryption disguises the content of an email message so that sensitive information cannot be read by anyone other than the intended recipient, and it may also include an authentication process, according to this resource. When an encrypted email is sent, the message is ‘scrambled’ so that anyone who intercepts it cannot decipher its content without the decryption key.

What about Gmail, Yahoo or Outlook?

While Gmail, Yahoo and Outlook are great for sending non-sensitive, everyday emails, they do not come with a standard free encryption service. There is an encryption tool for the paid version of Gmail through Google, but the security of the email is limited to Google’s servers and requires you to sign a Business Associate Agreement with Google.

There are some open source encryption tools for these email services, but they are not, generally speaking, convenient to use. For example, SecureGmail, an open source extension for Chrome, requires you to first give a password to your email recipient verbally or by some other non-email method, according to this resource. That process is arguably too inconvenient for a patient or other healthcare professional.

How to Choose an Affordable Email Encryption Service

There are many affordable options when choosing an email encryption service for your healthcare practice. Most charge a monthly fee per user, so if, for example, you have 3 people in your clinic who regularly send PHI via email, you’ll pay a monthly subscription for those 3 users.

Before purchasing an email encryption service, be certain the company you choose incorporates all of the requirements mandated by the HIPAA Security Rule, specifically the following controls:

  • Access controls, 164.312(a)(1)
  • Audit controls, 164.312(b)
  • Integrity controls, 164.312(c)(1)
  • Authentication, 164.312(d)
  • Transmission security (PHI must be secured while in transit), 164.312(e)(1)

If possible, choose a service that provides end-to-end encryption (E2EE). With end-to-end encryption, the message is encrypted before it leaves your device and can be decrypted only by the recipient, so no one monitoring the network, and not even the service’s own servers, can read its content. This is different from data that is protected only in transit between your computer and the company’s servers, where the servers themselves can see the content. This resource provides an overview of E2EE.

Only choose an email provider who is willing to sign a Business Associate Agreement.

Choose a company that has a team of customer support professionals available to help set up your service and provide ongoing assistance if you have questions.

It doesn’t end with Encryption

Compliance doesn’t end with an email encryption service. Make sure you document the policies and procedures your clinic uses to protect patient PHI. Provide regular staff training, including how to spot phishing emails and other potential security threats, so that both your clinic’s and your patients’ information remains safe and secure.


About the Author:

Carol A. Wilcox is the staff writer and head of marketing communications at PREFERRED Therapy Providers, Inc. You can reach Carol here.

This article is brought to you by PREFERRED Therapy Providers Inc. PREFERRED is the nation’s leading payor management services network. Our expertise is working with physical, occupational and speech therapy practices – from single clinics to multiple clinic locations.