HIPAA Compliant Email and Online Forms Details:
Your guide to HIPAA-related requirements for your website and email account.
The Health Insurance Portability and Accountability Act, or HIPAA, originally known as the Kennedy-Kassebaum Bill, is a set of regulations that became law in 1996. The purpose of HIPAA was to help people carry their health insurance from one company to the next and to make it easier to move medical records between health care institutions.
Additionally, HIPAA established a system to ensure and protect the privacy of the patient's medical records. Healthcare organizations are required to invest time and money into training so that they strictly comply with HIPAA laws.
HIPAA's origins stem from the early 1990s, when it became clear that computerizing medical records was the more efficient path for the future. The industry therefore required new standards for managing healthcare data, including rules covering the portability of medical information and the protection of the patient's right to privacy.
I. How-To: HIPAA Compliant Emails
a. Ensure you have end-to-end encryption for email
- End-to-end encryption protects both messages in transit and stored messages. Access controls are used to ensure that only the intended recipient and the sender can access the messages.
- The type of encryption used is also important. While the Data Encryption Standard (DES) was previously considered secure, that is no longer the case.
- Use of a third-party HIPAA compliant email service provider is strongly
- Research potential HIPAA compliant email service providers to ensure that they provide a service that is suitable for your requirements. A search on Google will produce several potential service providers.
b. Enter into a HIPAA-compliant business associate agreement with your email provider
- If you use a third-party email provider, you should obtain a business associate agreement prior to using the service for sending ePHI.
c. Ensure your email is configured correctly
- Google's G Suite includes email and is covered by its business associate agreement. Through G Suite, email can be made HIPAA compliant provided the service is used alongside a business domain.
d. Develop policies on the use of email and train your staff
- Once you have implemented your HIPAA compliant email service, it is important to train staff on the correct use of email with respect to ePHI.
e. Ensure all emails are retained
- Security-related emails and emails relating to changes in privacy policies should be retained for a period of six years, and HIPAA requires covered entities to store documentation related to their compliance efforts for 6 years.
f. Obtain consent from patients before communicating with them via email
- Consent to use email as a communication method must be obtained from the patient in writing before any ePHI is sent via email, even if a HIPAA compliant email provider is used.
g. Seek legal advice on HIPAA compliance and email
- It is strongly recommended that you speak with a healthcare attorney who specializes in HIPAA to advise you of your responsibilities and the requirements of HIPAA with respect to email.
II. How-to: HIPAA Compliant Online Forms
a. HIPAA Compliant Online Forms Must be Used for Collecting Health Information
i. Prior to using any third-party solution provider, HIPAA-covered entities should assess the security controls that have been put in place to secure information captured by the forms.
ii. HIPAA-covered entities should choose a webform solution that offers end-to-end encryption and uses encryption algorithms recommended by NIST.
b. How to Choose a Third Party Webform Solution
i. A signed, HIPAA compliant business associate agreement must be obtained from an online form software company before the software can be used in connection with any health information.
c. HIPAA Compliant Online Forms Software Does Not Guarantee Compliance
- Access controls must be configured correctly to make sure that only individuals authorized to view webform data can log in.
- Strong passwords should be set, and multi-factor authentication should be set up, if available.
- Users should also be automatically logged out of the admin account after a set period of inactivity, and audit logs should be maintained and periodically checked.
- The webform service may send email notifications or reports to administrators to alert them to new form entries.
- If a solution is chosen that interacts or integrates with other systems – Google Sheets for example – make sure that the forms only send data to HIPAA compliant platforms, and make sure that a BAA is obtained from the provider of that software.
Penalties & Legal Ramifications:
If a HIPAA law is violated, the patient can file a complaint. In the event of a violation, they can contact the Office for Civil Rights (OCR), which has the authority to investigate the allegations and enforce the law. The patient/affected party is required to file a written complaint outlining the details of the violation through U.S. mail, e-mail, or fax within 180 days of the incident. Penalties for any HIPAA violation include fines or, in more extreme cases, imprisonment. Additional punishments may be imposed at the state level depending on the violation. For example, California allows for additional fines and allows the affected party to file a lawsuit.
Entities who knowingly obtain or disclose individually identifiable health information face a fine up to $50,000 as well as imprisonment for up to one year. Offenses committed under false pretenses suffer a hefty fine of $100,000 with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use an individual’s health information for commercial advantage or personal gain will be punished with fines of up to $250,000 and imprisonment for up to 10 years.
Here are some real-life examples of individuals in the medical field violating HIPAA laws and the consequences they faced:
Huping Zhou, a Chinese immigrant and former cardiothoracic surgeon, worked as a researcher at the UCLA School of Medicine. After his dismissal, he illegally accessed the UCLA medical records system over 300 times, viewing the health records of his immediate supervisor, his co-workers, and several celebrities. He was sentenced to four months in jail and a $2,000 fine. Names on the list of medical records he accessed include Arnold Schwarzenegger, Drew Barrymore, Leonardo DiCaprio, and Tom Hanks.
Another example is a cardiac monitoring vendor's laptop, containing hundreds of patient medical records, that was stolen from a parked car. The OCR reached a $2.5 million settlement with the vendor, which reiterates that the federal government is extremely strict in enforcing HIPAA laws involving third parties and portable digital media. Overall, it is important to strictly abide by HIPAA laws and to train all staff members thoroughly in order to prevent and reduce incidents.