You are probably reading this article to learn about HIPAA compliant email providers, but first: does the HIPAA Privacy Rule permit healthcare providers to use e-mail to discuss health issues and treatment with their patients?
According to the U.S. Department of Health & Human Services website, healthcare providers may use HIPAA compliant email services to communicate electronically and to discuss health issues and treatment with their patients. Even so, healthcare providers have to be very careful when sharing information online, even when they are using a HIPAA compliant email service, because human error still happens: a provider may, for example, send an email containing PHI to the wrong email address. Healthcare providers should set rules inside their organizations for how PHI will be shared electronically. One way to avoid the mistake just mentioned is to confirm the email address first by sending a confirmation email to the patient's address; only once the patient confirms that the address is correct should further communication take place.
HIPAA compliance requires that healthcare providers use an email service that encrypts the emails it sends. But is encryption alone enough to comply with HIPAA?
When you search the internet for email providers that comply with HIPAA, you will find many companies claiming to offer HIPAA compliant email services, but whom you trust is up to you. We strongly recommend that you choose only the top brands. In this article we discuss two such brands that have been in this business for a long time.
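The address-confirmation step described above, implemented as a gate in front of any PHI send. This is an added example, not code from the page or from any provider; the secret key, token format, and the `transport` callback are assumptions for illustration, and the verified-address store is a constructed in-memory set.

```python
import base64, binascii, hashlib, hmac, secrets, time
from typing import Callable, Optional

# Constructed for this example; in practice load the key from a secrets manager.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 3600

# Addresses whose owners completed the confirmation round-trip (in-memory for the example).
_verified_addresses: set = set()

def _normalize(address: str) -> str:
    return address.strip().lower()

def make_confirmation_token(address: str, now: Optional[float] = None) -> str:
    """Token placed in the confirmation e-mail: binds the address and an expiry with an HMAC."""
    expires = int((now if now is not None else time.time()) + TOKEN_TTL_SECONDS)
    payload = f"{_normalize(address)}|{expires}".encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + b"|" + mac).decode()

def confirm_token(token: str, now: Optional[float] = None) -> bool:
    """Called when the patient follows the link; records the address as verified if the token is valid."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        address, expires, mac = raw.rsplit(b"|", 2)   # address may itself contain '|'
        expires_at = int(expires)
        expected = hmac.new(SECRET_KEY, address + b"|" + expires, hashlib.sha256).digest()
    except (ValueError, binascii.Error):
        return False
    if not hmac.compare_digest(mac, expected):        # tampered or forged token
        return False
    if (now if now is not None else time.time()) > expires_at:   # stale link
        return False
    _verified_addresses.add(address.decode())
    return True

def send_phi_email(address: str, body: str, transport: Callable[[str, str], None]) -> bool:
    """Hand PHI to the mail transport only for an address the patient has confirmed."""
    recipient = _normalize(address)
    if recipient not in _verified_addresses:
        return False
    transport(recipient, body)
    return True
```

Gating the send on the verified set, rather than on whoever typed the address, is what turns the page's procedural rule into a control the system enforces.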
Top 2 HIPAA Compliant Email Providers
Google Apps
If you are a covered entity or business associate under HIPAA, Google offers its Google Apps solution for you. To support its HIPAA compliant email services, Google holds FISMA, ISO 27001 and SSAE 16 security certifications.
If you wish to use Google Apps with PHI, you must sign a Business Associate Agreement (BAA) with Google.
Google offers a BAA covering the Gmail, Google Calendar, Google Drive and Google Apps Vault services. It is strongly recommended that you sign a BAA with Google before you sign up for Google Apps services. Customers who have not entered into a BAA with Google must not use Google services in connection with PHI.
Remember that only Gmail, Google Calendar, Google Drive and Google Apps Vault are covered by the BAA; to comply with HIPAA you must disable the remaining services (Google Plus, for example) from your admin control panel.
Google also offers a 30-day free trial to test its services. You can contact Google representatives for more information about the solution.
Microsoft Office 365
Microsoft offers a cloud-based email solution called Microsoft 365 for health organizations that complies with the HIPAA security guidelines.
The solution is independently audited by third-party auditors. It is an ISO 27001 (International Organization for Standardization) certified solution, which is one of the best-known global security benchmarks.
Healthcare providers are required to sign a business associate agreement with Microsoft in order to use its services for communicating PHI electronically. The Act mandates that service providers that store or process ePHI on behalf of covered entities act as their business associates, which is why a BAA must be signed with covered entities.
Although covered entities can use Microsoft 365 for their HIPAA compliance needs, the responsibility for using the service appropriately and for end-to-end compliance with HIPAA and the HITECH Act remains with the covered entity.
All covered services are listed in Microsoft's HIPAA Business Associate Agreement.