If you're sending medical information via email you must:
- Encrypt the PHI.
- Have a method of verifying the identity of the person who is authorized to receive the information.
- Have a method of revoking access to the information when it's no longer needed or if you sent the information in error.
Yes, organizations can send PHI via email, if it is secure and encrypted. According to HHS, "the Security Rule does not expressly prohibit the use of email for sending ePHI." Essentially, you can send ePHI via email, but you have to do it securely, on HHS terms.
As you may have guessed by now, Yahoo is not HIPAA compliant. Its encryption is inadequate and poorly documented, and Yahoo does not offer to sign Business Associate Agreements. In conclusion, if you are a covered entity bound by HIPAA, you should stay away from Yahoo!
Whereas the HIPAA Privacy Rule deals with Protected Health Information (PHI) in general, the HIPAA Security Rule (SR) deals with electronic Protected Health Information (ePHI), which is essentially a subset of what the HIPAA Privacy Rule encompasses.
Secure Email Means Encryption
For email security, either the messages themselves are encrypted end to end, or the connection between mail servers is encrypted with TLS, which protects email from being read while it is in transit (but not once it is stored in a mailbox or on a relay). The most common way the messages themselves are encrypted is Pretty Good Privacy (PGP).
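The "in motion" caveat is worth making concrete: SMTP TLS is negotiated hop by hop, and the only evidence a recipient has about each hop is the Received: header the relay wrote, which a relay may omit or forge. The following audit script is an added example for this page (it is not from HHS, Google, Yahoo or any vendor). It assumes the common convention that a "with ESMTPS" or "with ESMTPSA" token marks a TLS-protected hop and that a "(version=TLS...)" comment, where present, records the negotiated version; the sample message is constructed, not a real capture.

```python
"""Audit the Received: chain of an email to see which hops claim TLS.

Added example for this page, not vendor code. SMTP TLS is hop by hop, so
a message can be protected on one leg and plaintext on another; Received:
headers are the only record, and relays can omit or forge them, so treat
the result as a review aid rather than proof of end-to-end protection.
Assumptions: 'with ESMTPS'/'ESMTPSA' marks a TLS hop; '(version=TLS..)'
carries the negotiated version when the relay recorded it.
"""
import email
import re
from typing import List, NamedTuple


class Hop(NamedTuple):
    from_host: str      # host that handed the message over ("from ...")
    by_host: str        # relay that accepted it ("by ...")
    protocol: str       # token after "with", e.g. ESMTP, ESMTPS, ESMTPSA
    tls_version: str    # e.g. "TLS1.3" if the relay recorded it, else ""
    encrypted: bool     # True if the protocol token indicates TLS


# Protocol tokens that indicate a TLS-protected hop: the "S" after SMTP,
# optionally followed by "A" (authenticated), as in ESMTPS / ESMTPSA.
_TLS_PROTOCOLS = re.compile(r"^(?:UTF8)?E?SMTPSA?$", re.IGNORECASE)


def _unfold(value: str) -> str:
    """Join a folded header (continuation lines start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", value)


def parse_received(header: str) -> Hop:
    """Extract the from/by/with parts of one Received: header."""
    h = _unfold(header)
    m_from = re.search(r"\bfrom\s+(\S+)", h)
    m_by = re.search(r"\bby\s+(\S+)", h)
    m_with = re.search(r"\bwith\s+([A-Za-z0-9]+)", h)
    m_ver = re.search(r"version=(TLS[0-9.]*)", h)
    protocol = m_with.group(1) if m_with else ""
    return Hop(
        from_host=m_from.group(1) if m_from else "",
        by_host=m_by.group(1) if m_by else "",
        protocol=protocol,
        tls_version=m_ver.group(1) if m_ver else "",
        encrypted=bool(_TLS_PROTOCOLS.match(protocol)),
    )


def audit_received_chain(raw_message: str) -> List[Hop]:
    """Return the hops in delivery order (oldest first).

    Each relay prepends its own Received: header, so the order in the
    message is newest-first; reverse it to follow the message's path.
    """
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("Received") or []
    return [parse_received(h) for h in reversed(headers)]


def all_hops_encrypted(raw_message: str) -> bool:
    """True only if every recorded hop claims TLS. A message with no
    Received: headers at all is treated as unverified (False)."""
    hops = audit_received_chain(raw_message)
    return bool(hops) and all(h.encrypted for h in hops)


# Constructed sample message (not a real capture): the first hop, from a
# workstation to the clinic's outbound relay, used plain ESMTP; the second
# hop, relay to the recipient's provider, used ESMTPS with TLS 1.3.
SAMPLE_MESSAGE = """\
Received: from mx.example-hospital.test (mx.example-hospital.test [192.0.2.10])
 by inbound.example-mail.test with ESMTPS id abc123
 (version=TLS1.3 cipher=TLS_AES_256_GCM_SHA384);
 Mon, 2 Mar 2020 10:00:00 +0000
Received: from workstation.example-hospital.test ([198.51.100.7])
 by mx.example-hospital.test with ESMTP id xyz789;
 Mon, 2 Mar 2020 09:59:58 +0000
From: clinic@example-hospital.test
To: patient@example-mail.test
Subject: Appointment follow-up

Body text.
"""

if __name__ == "__main__":
    for hop in audit_received_chain(SAMPLE_MESSAGE):
        status = (f"TLS ({hop.tls_version or 'version not recorded'})"
                  if hop.encrypted else "PLAINTEXT")
        print(f"{hop.from_host} -> {hop.by_host}: {hop.protocol} {status}")
    print("all hops encrypted:", all_hops_encrypted(SAMPLE_MESSAGE))
```

Run against a real message exported from a mailbox, the script shows the gap that "TLS everywhere" hides: in the constructed sample the internet-facing hop is encrypted, but the internal leg from the workstation to the relay is not, and nothing in the chain says anything about how the message is stored at either end. That is why the page's point stands: for PHI, encrypt the message itself rather than relying on transport encryption alone.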
The BAA is a key component to HIPAA compliance between a covered entity and a business associate. Since Google Workspace offers a BAA that covers Google Hangouts Meet, we conclude that Google Hangouts Meet is a HIPAA compliant service, as long as you digitally sign a BAA with Google.
The free AND regular paid versions of Zoom are not HIPAA-compliant. Zoom does not advertise pricing for its health care version. As of now (confirmed last in March 2020), the price for Zoom's HIPAA compliant plan was a minimum of $200/month with a 12-month commitment.
Yes… Google Drive, which is part of G Suite, has all of the required components that a HIPAA-compliant service needs. Traffic between users and the platform is protected by TLS (Transport Layer Security), which encrypts PHI in transit; TLS does not by itself govern who a file is shared with, so access and sharing settings still have to be configured. Therefore, in theory, Google Drive is HIPAA-compliant, provided you have signed Google's BAA.
The 5 Most Common HIPAA Violations
- HIPAA Violation 1: A Non-encrypted Lost or Stolen Device.
- HIPAA Violation 2: Lack of Employee Training.
- HIPAA Violation 3: Database Breaches.
- HIPAA Violation 4: Gossiping/Sharing PHI.
- HIPAA Violation 5: Improper Disposal of PHI.
Displaying names, especially when it's limited to first names and/or initials, does not breach the Privacy Rule; nor, for that matter, do sign-in logs, patient names on hospital doors, or publicly available treatment schedules. All of these are permitted under the HIPAA Privacy Rule.
What is a HIPAA Violation? A violation of the Health Insurance Portability and Accountability Act (HIPAA) happens when Protected Health Information (PHI) is acquired, accessed, used or disclosed in a way that results in a significant personal risk to the patient.
E-mail and Text Messaging (SMS)
The HIPAA Privacy Rule permits healthcare providers to use e-mail to discuss health issues and treatment with their patients, provided they apply reasonable safeguards when doing so.
It's not easy to discipline your employees for something they did by accident, but you simply can't let HIPAA violations slide.
While there is no official HIPAA rule—even under the HIPAA Security Rule—assigned for cell phone usage, many healthcare organizations apply the general overarching HIPAA framework used throughout their in-house computing network to their mobile users' devices.
Pursuant to 45 CFR 160.103, PHI is considered individually identifiable health information. A strict interpretation and an “on-the-face-of-it” reading would classify the patient name alone as PHI if it is in any way associated with the hospital.
covered entities must ensure protected health information
How do you make your website HIPAA compliant?
- Purchase and install a TLS (SSL) certificate and serve the whole site over HTTPS.
- Ensure every web form that collects PHI submits over HTTPS, so the data is encrypted in transit, and that submissions are stored securely.
- Only send emails containing PHI through encrypted email servers.
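A certificate on its own does not make the forms safe: a form whose action points at a plain-HTTP URL (a legacy endpoint, a hard-coded http:// link, or a relative action on a page that is itself served over HTTP) sends whatever the patient typed unencrypted. The audit below is an added example for this page, not from any vendor or HIPAA guidance; it resolves each form's action against the page URL and flags forms that would post without TLS. It assumes the HTML rule that a form with no action submits to the page's own URL, and the sample page and URL are constructed.

```python
"""Flag web forms whose submission would not travel over HTTPS.

Added example for this page, not vendor code. Given a page's URL and its
HTML, resolve each form's action attribute and report forms that would
post over plain HTTP, which is how PHI typed into a form ends up
unencrypted in transit even after a certificate has been installed.
Assumption: a form without an action submits back to the page URL, so
such a form is fine on an HTTPS page and a problem on an HTTP page.
"""
from html.parser import HTMLParser
from typing import List, NamedTuple, Optional
from urllib.parse import urljoin, urlsplit


class Finding(NamedTuple):
    form_index: int       # position of the <form> in document order
    action: str           # resolved absolute submission URL
    fields: List[str]     # input/textarea/select names inside the form
    problem: str          # "" when the form is fine


class _FormCollector(HTMLParser):
    """Collect each form's action and the names of the fields it submits."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[dict] = []
        self._current: Optional[dict] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action"), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name")
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url: str, html: str) -> List[Finding]:
    """Return one Finding per form; problem is non-empty for insecure ones."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for i, form in enumerate(parser.forms):
        # No action means "submit to the current page"; a relative or
        # scheme-relative action inherits the page's scheme. urljoin
        # handles all three cases.
        action = urljoin(page_url, form["action"] or "")
        scheme = urlsplit(action).scheme.lower()
        problem = "" if scheme == "https" else f"submits over {scheme or 'unknown'}, not https"
        findings.append(Finding(i, action, form["fields"], problem))
    return findings


def insecure_forms(page_url: str, html: str) -> List[Finding]:
    """Only the forms that would send their fields without TLS."""
    return [f for f in audit_forms(page_url, html) if f.problem]


# Constructed sample page (not a real site): an appointment-request page
# served over HTTPS with two safe forms and one that posts to plain HTTP.
SAMPLE_URL = "https://clinic.example.test/appointments"
SAMPLE_HTML = """
<form method="post">                         <!-- posts back to the HTTPS page: fine -->
  <input name="patient_name"><input name="dob">
</form>
<form method="post" action="http://legacy.example.test/submit">  <!-- absolute http: leaks -->
  <input name="patient_name"><textarea name="symptoms"></textarea>
</form>
<form method="get" action="//cdn.example.test/search">   <!-- scheme-relative: inherits https -->
  <input name="q">
</form>
"""

if __name__ == "__main__":
    for f in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f"form {f.form_index}: {f.action} fields={f.fields} {f.problem or 'ok'}")
```

The field names are reported alongside each finding so a reviewer can see which flagged forms actually carry PHI (names, dates of birth, symptoms) and prioritise those. Feeding the same function a page URL of http:// rather than https:// shows the second failure mode: every relative-action form on that page is flagged, because the fix there is serving the page itself over HTTPS, not editing the forms.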
5 Ways to Start Making Google Workspace HIPAA Compliant
- 1) Two factor authentication.
- 2) Set up Alerts.
- 3) Email Security Outbound.
- 4) Password strength.
- 5) Turn off unused services.
- Bonus! 6) HIPAA Compliant Google Meet.
- What should you do next?