Learn what a HIPAA compliant email is and check out a review of three email providers that guarantee a safe transmission of protected healthcare information
In this post, we discuss HIPAA, a federal law that sets guidelines for exchanging protected healthcare information, via electronic means of communication in particular. We explain what makes a HIPAA compliant email and what requirements a HIPAA compliant email service provider is supposed to satisfy. At the end, we review 3 HIPAA compliant secure email services you can use to send and receive confidential info in the healthcare industry.
Privacy and data protection are crucial in most sectors of the economy. For example, an aircraft manufacturer doesn’t want the drawing of its new plane to get into a competitor’s hands. A bank has a number of security systems in place to ensure that no criminal gets hold of their clients’ personal details and steals their money.
The same goes for healthcare. If someone illegally obtains a patient’s medical history, they can manipulate this data in any way they want. Therefore, confidential information must be securely protected against any unauthorized access.
History Behind HIPAA
The U.S. Congress realized this need. Some twenty-five years ago it adopted a federal law that outlined clear requirements regarding the exchange of protected healthcare information, covering electronic means of communication as well. The law got the name of Health Insurance Portability and Accountability Act (HIPAA).
At that time, digital means of data transmission were very limited in number. Thus, the law put the main emphasis on physical sources of information such as paper medical records or face-to-face communication.
A lot of water has flown under the bridge since those times. Look around a subway train, for example. You will see just about every passenger surfing the Internet on their smartphones, tablets, or laptops. There are many more ways you can send, receive, and store data these days. One of the most popular is email.
Emailing in the Healthcare Industry
Healthcare professionals and patients exchange emails for a wide range of purposes, such as making appointments. Doctors send one another messages discussing a patient’s diagnosis and treatment. Most of these emails contain protected healthcare information. HIPAA clearly specifies the requirements this communication must meet.
One of the best ways to ensure that transmitted messages are readable for senders and recipients only is end-to-end email encryption. HIPAA doesn’t mandate encryption of emails with confidential medical data. It only states that messages like these must contain the minimum personal details to achieve their intended purposes.
However, to be on the safe side and avoid hefty fines from the U.S. Department of Health and Human Services (HHS), which range from $100 for a single violation up to the maximum annual fine of $1,500,000 for one Covered Entity (CE) (more on what a CE is below), providing end-to-end encryption for all your sensitive emails is a wise move.
For the majority of healthcare organizations, having its own email server to ensure secure messaging is an expensive undertaking. Procuring the right hardware and software and hiring the IT staff to set it up properly and perform its ongoing maintenance can amount to a number with many zeros.
An alternative way is to find a good HIPAA compliant email service provider to take care of all the technical issues related to the exchange of protected healthcare information. There’s no shortage of these, and in this post we have reviewed three solutions you might consider trying if you’re a healthcare provider or someone who performs supporting functions for medical organizations.
Before we actually describe these tools, though, let’s talk about some important HIPAA provisions. They should help you understand if a specific email service provider is really HIPAA compliant.
Key Aspects to Keep in Mind When Searching for a HIPAA Compliant Email Service Provider
Two Players Covered by HIPAA
To begin with, various organizations are involved in performing patients’ treatment and providing supporting services like procurement of medical equipment. HIPAA distinguishes between these major players, calling the first group Covered Entities or CE (e.g., a hospital) and Business Associates or BA (e.g., an accounting firm that provides services to a CE).
If you’re a CE who wants to collaborate with a BA, you must sign the so-called Business Associates Agreement or BAA. If you don’t, you’ll violate HIPAA and be severely penalized. This agreement is also obligatory if a BA subcontracts an external organization or decides to use an email service provider for secure email communications.
Therefore, when searching for a HIPAA compliant email service, ensure that they are ready to conclude the BAA with you. Those that refuse to do so, should raise suspicion. A typical BAA outlines all the HIPAA requirements concerning email encryption to keep protected healthcare information safe from illegal access.
HIPAA Mandates no Formal Proof of Compliance
It might seem a bit odd but the law doesn’t require any written proof from healthcare organizations that they comply with the HIPAA guidelines. Thus, no HIPAA compliant email service provider will show you a government-issued certificate of conformance.
Instead, there are a number of independent certification bodies that check email providers for meeting the HIPAA requirements. While not all of these deserve absolute trust, many do. Therefore, asking an email service provider if they have been certified for HIPAA compliance by a reputable company won’t hurt.
HIPAA Does Not Formally Require Encrypting Emails with Protected Healthcare Information
Another surprising thing about HIPAA is that it actually allows healthcare providers to send emails with the content as is without encrypting it. There’s a caveat, though. Only a limited amount of data and only specific details can be transmitted in this way. For example, HIPAA prohibits sending a message that contains information about the location where the recipient was born.
Therefore, to avoid the hassle of remembering the kind of data you can or can’t send over the wires, the end-to-end encryption of every message is the best approach to the doctor-doctor and doctor-patient protected healthcare information exchange. The more robust this email encryption is, the higher is the chance the exchange will be trouble-free from HIPAA’s viewpoint.
You should also know that HIPAA relieves CEs and BAs of any responsibility once an encrypted message has reached its destination in a secure manner. From then on, maintaining the email security rests with the person or entity “in point B.”
Thus, our tip: when considering HIPAA compliant secure email services, find out about the kind of encryption they have in place.
With these essentials out of the way, let’s now take a look at three HIPAA compliant secure email service providers you may give a shot.
3 HIPAA Compliant Email Service Providers for Healthcare Professionals and Patients to Use
These guys take email security with all seriousness, meeting every HIPAA requirement for protected healthcare information transmission. If you’re used to email services like Gmail, though, you will find Aspida Mail a bit cumbersome to use since you need to go to a special portal and sign in before actually sending your mail. This, however, is a necessary step if you want your email to be truly HIPAA compliant.
Aspida Mail prides itself on its integration capabilities. If you’re accustomed to working with your mail via popular clients like Microsoft Outlook, you may continue doing so without any noticeable changes. The entire list of currently compatible programs includes 12 titles.
You have two options as far as pricing is concerned: Aspida Mail and Aspida Mail+. Both offer 30Gb of storage per mailbox. With the former plan, though, you can create addresses on the provider’s domain @aspidamail.net. The latter allows you to use addresses on your own domain.
Aspida Mail costs $10 a month for one mailbox. With Aspida Mail+, you pay $15 a month for one mailbox and $10 a month for every additional address.
All things considered, this is a great HIPAA compliant email service provider with a bullet-proof end-to-end encryption mechanism.
Not so long ago we did a review of the best email service providers based on specific criteria. Then, we described ProtonMail as one of the most secure solutions available on the market these days. The main reason for this is the well-qualified development team that consists of scientists from the Institute for Nuclear Research in Switzerland.
ProtonMail readily signs BAA. This clearly indicates that it’s a HIPAA compliant email service provider. There are some drawbacks as well. For example, free-plan subscribers are only given 500 Mb of storage space. At the end of the day, though, ProtonMail is one of the top solutions for exchanging confidential medical details over the Internet.
Visit this page to learn about the provider’s pricing plans.
Another HIPAA compatible email solution worthy of every praise. It uses an advanced encryption mechanism (AES 256-bit) for all sensitive mail traveling back and forth along the wires. Just like Aspida Mail, NeoCertified provides integration with the major email programs, including Microsoft Outlook, Gmail, and Office 365.
It also caters to users of both Android and iOS powered devices for secure messaging on the move. Among other features worth mentioning are the following:
- A free BAA for every client
- Cloud-based secure portal
- The ability to send secure emails right from Word, Excel, and PowerPoint documents without even closing them
- The option to receive confirmation emails once your message is opened
- The ability to keep emails on the server from one to seven years, which is great for auditing purposes
Visit NeoCertified’s pricing plans page to learn about their fees.
Keeping in line with the HIPAA regulations is extremely important for every medical organization that deals with protected healthcare information. While the law doesn’t prohibit sending unencrypted messages, it sets strict rules as to their content.
That’s why finding a good HIPAA compliant email service provider to securely encrypt every message to patients or doctors is paramount. This will allow you to avoid data breaches and penalties. Why not start your search from the three solutions we’ve described in this post? Give them a try.
Whether you come from healthcare or another industry, advertising your organization or company doesn’t call for encrypting your promotional emails. They should be engaging, look professional, and render perfectly on any device or platform in the first place.
This is where GetDevDone Email development team can bring you real value. Building email templates for over 15 years, we have achieved perfection in this craft. We test our templates on 12 real devices and in more than 70 browsers, never using emulators.
In addition, we meticulously check the validity of the templates on all supported email marketing platforms, such as CampaignMonitor.com, MailChimp.com, and iContact.com.
Get your message across in the most effective way with our expert developers’ assistance. Let’s get in touch! We’re just a click away.