Is your email system compliant?
Don’t assume that all business email systems are compliant. Many systems, including several well-known brands designed for professional or even enterprise-level use, are not.
Chances are, your internal email is safe on your own secure servers. And your email to and from third parties, including all email that qualifies under HIPAA as containing PHI, is probably encrypted, as required by the law. But encryption is not enough.
The HIPAA requirements for your email system and practices fall into three main categories:
Access control and authentication: Each of your staff members must have a unique username and password for identification and tracking purposes. Shared logins are not permitted. Furthermore, you must have procedures for verifying that anyone seeking access to ePHI is who they claim to be.
ePHI security and integrity, in storage and during transmission: You have to protect ePHI from being improperly altered or destroyed. Beyond storing ePHI securely, this means you must also have technical security measures, including encryption, in place to prevent unauthorized access by anyone who might, undetected, tamper with ePHI while it’s being transmitted out of your network.
Audit controls: You have to have the hardware, software, and processes in place to record and monitor all logins to your health care information systems (including date, time, and IP address) and track all sent and received emails.
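The access-control and audit-control requirements above are easiest to reason about against an actual audit trail. The following Python script is an added example, not code from the original article or from any particular email product: it assumes a constructed login-audit feed (one record per login attempt with username, timestamp, source IP and outcome) and checks two things those requirements call for: that every record carries the date, time and IP fields an audit trail must record, and that no account looks shared (one username logging in from several source addresses within a short window).

```python
"""Review a login-audit trail for an email system.

Added example (not from the original article). The log format, the
SAMPLE_LOG records and the 15-minute window are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records; not real data.
SAMPLE_LOG = [
    {"user": "jsmith", "time": "2024-03-04T08:02:11", "ip": "10.0.0.21", "ok": True},
    {"user": "jsmith", "time": "2024-03-04T08:05:40", "ip": "10.0.0.87", "ok": True},
    {"user": "jsmith", "time": "2024-03-04T08:06:02", "ip": "10.0.0.134", "ok": True},
    {"user": "rlee", "time": "2024-03-04T08:10:00", "ip": "10.0.0.40", "ok": True},
    {"user": "rlee", "time": "2024-03-04T17:45:00", "ip": "10.0.0.40", "ok": True},
    {"user": "frontdesk", "time": "2024-03-04T09:00:00", "ip": "10.0.0.50", "ok": True},
    {"user": "frontdesk", "time": "2024-03-04T09:01:00", "ip": "10.0.0.51", "ok": True},
    {"user": "mpatel", "time": "2024-03-04T09:30:00", "ok": False},  # no source IP recorded
]

# Every login record must carry who, when, from where, and the outcome.
REQUIRED_FIELDS = ("user", "time", "ip", "ok")


def incomplete_records(log):
    """Return the indexes of records missing any field the audit trail must carry."""
    return [i for i, rec in enumerate(log) if any(f not in rec for f in REQUIRED_FIELDS)]


def shared_login_candidates(log, window_minutes=15, min_ips=2):
    """Flag usernames with successful logins from at least min_ips distinct
    source addresses inside any window_minutes span.

    A single person moving between two workstations can trip this, so the
    result is a review queue for the compliance officer, not proof that an
    account is shared.
    """
    by_user = defaultdict(list)
    for rec in log:
        if rec.get("ok") and "ip" in rec and "time" in rec:
            by_user[rec["user"]].append((datetime.fromisoformat(rec["time"]), rec["ip"]))

    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, events in by_user.items():
        events.sort()  # chronological, so each window starts at an event
        for i, (t0, _) in enumerate(events):
            ips = {ip for t, ip in events[i:] if t - t0 <= window}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged


if __name__ == "__main__":
    print("records missing required fields:", incomplete_records(SAMPLE_LOG))
    for user, ips in shared_login_candidates(SAMPLE_LOG).items():
        print(f"possible shared account {user!r}: logins from {ips}")
```

Run it as is and it reports one record with no source IP (the kind of gap an auditor will ask about) and two accounts, one of which is a generic "frontdesk" login, that were used from more than one address within minutes. In a real deployment the records would come from the mail server's authentication log, and a flagged account would be reviewed against staff assignments rather than acted on automatically.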
And remember, the same requirements apply to the covered entities with whom you communicate and share protected information via email. In fact, they apply to any person or organization to whom you outsource any function essential to your business, especially cloud IT providers.