The passage of HIPAA in 1996 and HITECH in 2009 sent a clear message: the medical industry needed to move beyond paper records and low security ASAP. By now, secure, convenient digital communication between medical providers, patients, colleagues and even other facilities should be the norm. Yet today, many facilities struggle to get even a single patient to use their pricey portals.
The industry won’t solve this problem until providers revisit their most convenient, accessible and (if used properly) secure communication tool: email. Use these HIPAA email security tips to raise digital adoption rates and simplify compliance in your organization.
1. Protect the Login
HIPAA administrative safeguards require organizations to “Implement procedures for creating, changing, and safeguarding passwords.” Passwords should contain at least 12 characters, including upper and lowercase letters, numbers and symbols. Multi-factor authentication enhances security by requiring since users to enter an extra code — such as a number texted to their phone — each session.
HIPAA also requires organizations to monitor logins for improper access. For Gmail user, Google Apps (now known as G Suite) security settings can help, allowing your admins to mandate strong passwords and multi-factor authentication, monitor accounts and respond to potential breaches.
2. Assume Low Technological Knowledge
HIPAA and HITECH require use of ePHI in all aspects of medical care. Healthcare portal systems are a common solution, allowing patients and healthcare providers to send secure, encrypted messages.
Unfortunately, patients aren’t using them. In a recent study, 66.4% of hospitals received no patient requests for EHR, causing CMS to scale back meaningful requirements to a single EHR request. Patients either don’t understand portals, or don’t want to bother installing software, creating an ID and learning the interface. Until providers adopt digital tools that don’t inconvenience patients, things aren’t likely to change.
Virtru Pro secures existing email accounts, removing the inconvenience of portals. Patients and providers can send HIPAA compliant encrypted emails with one click, without creating new logins or learning complex interfaces.
It also helps reduce your exposure risk against breaches by allowing users to revoke emails (even after they’ve been read), disable forwarding, and set time limits on messages.
3. Anticipate and Prevent Errors
Don’t assume everyone will use technology correctly. Sooner or later, someone in your organization will send ePHI to the wrong email address, forget a HIPAA rule or make some other mistake — unless your system can stop user errors and retrain employees.
Virtru DLP can automatically stop potentially non-compliant emails before they’re sent. Our HIPAA Compliance Rule Pack detects sensitive information, such as patient names, national provider numbers, dates, and ICD- and ICD-10 codes, triggering customizable rules that prevent breaches. Rules can be set to automatically encrypt the sensitive message or they can also be set to pop up warning messages that double as email security tips, retraining your users, while stopping them from breaking compliance. Rules can also be set to strip attachments and even forward copies of suspicious messages to supervisors. Watch this short demo to see it in action:
HIPAA email compliance doesn’t have to be hard. Virtru email encryption allows hospitals to ensure ePHI is never left unsecured because a patient doesn’t understand your portal, or another facility uses different software. That means your organization can implement a single set of security practices for all ePHI, simplifying workflow and radically decreasing the odds of a HIPAA breach.
Interested in learning more about how Virtru protects HIPAA compliance in the cloud? Let’s talk.