Outline
HIPAA Compliant Email and Online Forms Details:
Your ultimate guide for HIPAA-related information when it comes to your Website and email account.
HIPAA Intro:
The Health Insurance Portability and Accountability Act (HIPAA), originally known as the Kennedy-Kassebaum Bill, is a set of regulations that became law in 1996. Its purpose was to let people keep their health insurance when moving from one job to the next and to make it easier to move medical records between healthcare institutions.
In addition, it established rules to ensure and protect the privacy of patients' medical records. Healthcare organizations are required to invest time and money in training so that they comply strictly with HIPAA.
HIPAA's origins lie in the early 1990s, when it became clear that computerized medical records were the more efficient way forward and that the industry needed new standards for managing healthcare data, including rules on the portability of medical information and on protecting the patient's right to privacy.
I. How-To: HIPAA Compliant Emails
a. Ensure you have end-to-end encryption for email
- Encrypt messages both in transit and at rest. Access controls ensure that only the sender and the intended recipient can read a message.
- The encryption algorithm also matters. The Data Encryption Standard (DES) was once considered secure, but it no longer is; use a current NIST-recommended algorithm such as AES.
- Use of a third-party HIPAA-compliant email service provider is strongly recommended.
- Research potential HIPAA-compliant email service providers to ensure that they provide a service suitable for your requirements. A web search will produce several candidates.
b. Enter into a HIPAA-compliant business associate agreement with your email provider
- If you use a third-party email provider, obtain a business associate agreement (BAA) before using the service to send ePHI.
c. Ensure your email is configured correctly
- Google's G Suite includes email and is covered by Google's business associate agreement. Through G Suite, email can be made HIPAA compliant, provided the service is used with a business domain; free consumer Gmail accounts are not covered by the BAA.
d. Develop policies on the use of email and train your staff
- Once you have implemented your HIPAA-compliant email service, train staff on the correct use of email with respect to ePHI.
e. Ensure all emails are retained
- Security-related emails and emails relating to changes in privacy policies should be retained for six years; HIPAA requires covered entities to retain documentation of their compliance efforts for six years.
f. Obtain consent from patients before communicating with them via email
- Obtain the patient's consent in writing before any ePHI is sent via email, even if a HIPAA-compliant email provider is used.
g. Seek legal advice on HIPAA compliance and email
- It is strongly recommended that you consult a healthcare attorney who specializes in HIPAA to advise you of your responsibilities and of the requirements of HIPAA with respect to email.
II. How-to: HIPAA Compliant Online Forms
a. HIPAA Compliant Online Forms Must Be Used for Collecting Health Information
i. Before using any third-party solution provider, HIPAA-covered entities should assess the security controls the provider has put in place to secure the information captured by the forms.
ii. HIPAA-covered entities should choose a web form solution that offers end-to-end encryption and uses encryption algorithms recommended by NIST.
b. How to Choose a Third-Party Webform Solution
i. A signed, HIPAA-compliant business associate agreement must be obtained from the online form software company before the software can be used in connection with any health information.
c. HIPAA Compliant Online Forms Software Does Not Guarantee Compliance
- Access controls must be configured correctly so that only individuals authorized to view webform data can log in.
- Strong passwords should be set, and multi-factor authentication should be enabled if available.
- Users should be automatically logged out of the admin account after a set period of inactivity, and audit logs should be maintained and periodically reviewed.
- The web form service may send email notifications or reports to administrators to alert them to new form entries. Check whether those notifications include the submitted data; if they do, they carry ePHI and must go through a channel covered by a BAA (such as the HIPAA-compliant email service above) or be configured to omit the form contents.
- If a solution is chosen that interacts or integrates with other systems (Google Sheets, for example), make sure the forms only send data to HIPAA-compliant platforms and that a BAA is obtained from the provider of that software.
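The encryption advice in both sections above (encrypt stored messages, do not rely on DES, choose NIST-recommended algorithms for form data) is easier to judge with a concrete instance. The following Go program is an added example, not code from the original page or from any email or web form vendor. It encrypts a constructed form submission with AES-256-GCM before storage and binds the form identifier as associated data, so a stored record that has been altered, or swapped under a different form, is rejected on read instead of being returned as corrupted ePHI. The `Submission` fields, the form ID `intake-form-v1`, the sample entry, and the function names are assumptions made up for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Submission is one web-form entry containing ePHI. The field names are
// constructed for this example and do not come from any real form product.
type Submission struct {
	PatientName string `json:"patient_name"`
	DateOfBirth string `json:"date_of_birth"`
	Symptoms    string `json:"symptoms"`
}

// NewFormKey returns a fresh 256-bit key for AES-256-GCM. In a deployment the
// key would live in a KMS or HSM, never beside the stored records.
func NewFormKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealSubmission encrypts a submission with AES-256-GCM (NIST SP 800-38D).
// The form ID is bound as associated data, so a ciphertext recorded under one
// form cannot be replayed as an entry of another form. A DES-sized (8-byte)
// or otherwise short key is refused outright.
// Output layout: nonce || ciphertext || tag.
func SealSubmission(key []byte, formID string, s Submission) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	plaintext, err := json.Marshal(s)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // 96-bit random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce.
	return aead.Seal(nonce, nonce, plaintext, []byte(formID)), nil
}

// OpenSubmission reverses SealSubmission. Any modification of the stored
// record, or a mismatched form ID, makes GCM's tag check fail, so the caller
// gets an error rather than silently altered ePHI.
func OpenSubmission(key []byte, formID string, record []byte) (Submission, error) {
	var s Submission
	block, err := aes.NewCipher(key)
	if err != nil {
		return s, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return s, err
	}
	if len(record) < aead.NonceSize() {
		return s, errors.New("record too short")
	}
	nonce, ct := record[:aead.NonceSize()], record[aead.NonceSize():]
	plaintext, err := aead.Open(nil, nonce, ct, []byte(formID))
	if err != nil {
		return s, fmt.Errorf("record rejected: %w", err)
	}
	if err := json.Unmarshal(plaintext, &s); err != nil {
		return s, err
	}
	return s, nil
}

func main() {
	key, err := NewFormKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample entry, not real patient data.
	entry := Submission{PatientName: "Jane Example", DateOfBirth: "1980-01-01", Symptoms: "persistent cough"}
	record, err := SealSubmission(key, "intake-form-v1", entry)
	if err != nil {
		panic(err)
	}
	got, err := OpenSubmission(key, "intake-form-v1", record)
	fmt.Println("decrypted:", got, "err:", err)

	// Flip one byte of the stored record: the tag check fails.
	record[len(record)-1] ^= 0x01
	_, err = OpenSubmission(key, "intake-form-v1", record)
	fmt.Println("tampered record error:", err)
}
```

The point a vendor assessment should confirm is the same as what this program enforces: an authenticated, NIST-approved cipher with a full-length key, a fresh nonce per record, and a read path that fails closed on any tag mismatch. Key storage and rotation are deliberately outside this example.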
Penalties & Legal Ramifications:
If HIPAA is violated, the patient can file a complaint with the Office for Civil Rights (OCR), which has the authority to investigate the allegations and enforce the law. The patient or affected party must file a written complaint describing the details of the violation, by U.S. mail, email, or fax, within 180 days of the incident. Penalties for HIPAA violations include fines and, in more extreme cases, imprisonment. Additional penalties may apply at the state level depending on the violation; California, for example, allows additional fines and lets the affected party file a lawsuit.
Anyone who knowingly obtains or discloses individually identifiable health information faces a fine of up to $50,000 and imprisonment for up to one year. Offenses committed under false pretenses carry a fine of up to $100,000 and up to five years in prison. Offenses committed with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm carry fines of up to $250,000 and imprisonment for up to 10 years.
Here are some real-life examples of individuals in the medical field violating HIPAA laws and the consequences they faced:
Huping Zhou, a former cardiothoracic surgeon and Chinese immigrant, worked as a researcher at the UCLA School of Medicine. After his dismissal, he illegally accessed the UCLA medical records system more than 300 times, viewing the health records of his immediate supervisor, his co-workers, and several celebrities, including Arnold Schwarzenegger, Drew Barrymore, Leonardo DiCaprio, and Tom Hanks. He was sentenced to four months in prison and a $2,000 fine.
In another case, a laptop belonging to a cardiac monitoring vendor was stolen from a parked car; it contained hundreds of patients' medical records. OCR reached a $2.5 million settlement with the vendor, reiterating that the federal government strictly enforces HIPAA with respect to third parties and portable devices. Under HHS guidance, ePHI on a lost or stolen device that was encrypted to the HHS standard is not considered breached, so full-disk encryption of laptops and removable media is the single control that turns this class of incident into a non-event. Overall, it is important to strictly abide by HIPAA and to train all staff members thoroughly to prevent and reduce incidents.
Sources
- https://www.hipaajournal.com/make-your-email-hipaa-compliant/
- https://www.hipaajournal.com/hipaa-compliant-online-forms/
- https://www.ama-assn.org/practice-management/hipaa/hipaa-violations-enforcement
- https://www.hipaajournal.com/hipaa-history/