Wednesday, February 22, 2012

I'm emailing you 1.5 million bucks... (HIPAA / HITECH Part 4: Email Security, ePHI & HIPAA)

How many times have you accidentally emailed something you wish you hadn't? Forgotten to remove someone's address from a "reply all"?

These sorts of simple, unintentional slip-ups can LITERALLY COST YOU MILLIONS in this age of enforced penalties for HITECH / HIPAA breaches.

If your organization handles Protected Health Information (PHI) and you want a way to protect yourself from this scenario, read on...

Quick recap: here's the summary of our suggestions on how to get started with HIPAA & HITECH compliance:

If you've not done it yet, I cannot stress enough the importance of #1 - The Self Assessment. You simply have to get a good baseline for where you stand. CALL US for more details. (Hint - it can probably be done very well for under $100 / mo.)

Now that you've done your self-assessment....
On to an important part of #7 - EMAIL ENCRYPTION.

HHS specifically addresses email security in several documents. An easy read is one of the "Safeguards" documents, which you can find right here.

Specifically, is email encryption mandated for all transfers of ePHI? No. Under the Security Rule, encryption of ePHI in transit is an "addressable" implementation specification rather than a "required" one, which means you must either implement it or document why an alternative safeguard is reasonable and appropriate.

BUT...... the safeguards principle that colors every aspect of compliance states the following:

SAFEGUARDS PRINCIPLE: Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.

AND..... there is very clear commentary in several places that email containing PHI is allowed only under specific conditions.

AND... there are new cases of organizations (BAs and CEs) breaching PHI through email, most of them accidental!

AND.... keep in mind that the annual maximum fines range from $25,000 to $1.5 million, depending on the penalty tier. Not sure about you, but even getting slapped with a $25k fine would be enough to really irritate me.


So, if it's now cost-effective and technically simple to encrypt all PHI that may be transmitted through your email servers, wouldn't it seem reasonable to do so?

Without hammering this point needlessly, I would suggest you look into how simple the solutions for encrypting your clients' email have become.

While there are several great vendors on the market now, we sell and recommend the solutions from ZIXCORP. They're the leaders in this industry, and we simply have not seen a cheaper, more flexible, or more powerful solution on the market. Their basic ZixMail solution, which will protect PHI and keep your email secure, costs between $4 and $10 / user / month for most of our clients, depending on their size and specific needs.

From $4 to $10 / user / month, and this issue is put to bed.

And you don't have to worry about your staff accidentally emailing out up to $1.5 MILLION worth of breaches.

Seems like a "reasonable administrative, technical, and physical safeguard" to put in place, if you ask me.

Curious? Want to see a demo? Contact us at www.tkshealth.com or read more at www.zixcorp.com.
