The HIPAA Trouble with Email, Text, and File Sharing

There are inherent obstacles in creating, storing, transmitting, and accessing information, even when using a “HIPAA” rated service through Apple, Google, Yahoo, Dropbox and other free and paid products.

  • Secured email requires the recipient to register online. The recipient loses access to the delivered email content if the sender discontinues the service provider.
  • Text Messages, Messages and others are transmitted in clear text. They may offer transmission security but lack encryption at rest and de-coupling of owner ID info at rest.
  • SMS text messages are not encrypted;
  • Senders cannot authenticate recipients;
  • ePHI can remain stored on wireless carrier servers;
  • Access to email over public Wi-Fi often creates an authentication breach;
  • Data is stored on mobile devices, creating vulnerability.

Despite these obstacles, are there safe and secure ways to leverage smart phones and other online communication tools without overly complicating workflow and still comply with HIPAA?

First and foremost, HIPAA does not explicitly prohibit the use of Email, Text or File Share to exchange ePHI. Rather, the HIPAA Security Rule requires Covered Entities and Business Associates acting on their behalf to implement administrative, physical and technical safeguards if engaged in the transmission or storage of ePHI. While HIPAA does not prescribe specific safeguards to protect ePHI sent over these common online mediums, it does provide a framework to assess and mitigate the risks associated with such transmissions. For example, key technical safeguards included within the HIPAA Security Rule that should be considered before using these online mediums for ePHI include the following controls:

  • Unique User Identification;
  • Automatic Logoff;
  • Encryption/Decryption at rest;
  • Auditing;
  • Integrity Management;
  • Authentication; and
  • Transmissions Security.

Further, to comply with HIPAA, those who want to send ePHI via text must conduct a risk analysis. A risk analysis consists of “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” Thus, prior to employing Email, chat or file share, the risks associated with each should be addressed.

In short, HIPAA compliance is achieved by implementing reasonable and appropriate safeguards and conducting a risk analysis on a periodic basis.

Email, Chat and File Share continue to offer a simple, attractive, and cost-effective way to communicate ePHI and simplify workflow. As a result, these solutions will continue to be used, but before we use them, these risks must be evaluated and effectively managed to ensure compliance with HIPAA and to prevent the potential for unauthorized use or disclosure and data breach.

With HIPAA Office, we have taken care of the administrative, physical and technical safeguards while ensuring the efficiency of your workflow and the effectiveness of your users are not adversely affected.

Many practices today use free email, smart-phone texting and free file share without realizing the potential risk associated with them. The HIPAA Office solution ensures complete safeguarding and safety of your office information, which oftentimes is beyond HIPAA compliance. Access to your business and operational information outside your office through other online solutions involves risks. With HIPAA Office, you can ensure your employees do not have access to their work-related information outside work and beyond work hours.
