You receive an email from a patient, vendor or another medical practice and you see an open, red padlock next to it. If you reply with any protected information (including the copy of their email in your reply) you may have just violated HIPAA rules.
Here’s why: HIPAA requires that you transmit all patient data securely. Your email provider didn’t receive their message securely, which might mean you can’t send them emails securely either. (If you’re not using Gmail you won’t see the red lock, but the advice still holds.)
What to do:
Don’t send that protected information until you can verify the recipient can securely receive emails.
Potential explanations for the red padlock include:
- The sender’s email service doesn’t support secure (TLS) email and you can’t send them secure email.
- Email was sent by a scanner or web service that doesn’t use best practices, in which case you may or may not be able to send them secure email.
- Email was sent by a bad actor / impersonator and you should take appropriate steps ranging from deleting the email to contacting the purported sender or (rarely) law enforcement.
Check that both their and your email services support a security feature called “TLS” with a tool like this email address TLS checking tool (a passing result, like the one shown below, indicates that they can receive secure emails).
You generally need to verify only once per domain, so if one@chimbly.com passes, two@chimbly.com should pass too.
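For readers who want to see what such a checking tool actually does, here is an added example (not the linked tool, and not code from Chimbly) that uses only the Python standard library. It connects to a domain’s inbound mail server (its MX host) on port 25, reads the EHLO reply, and reports whether STARTTLS is offered and whether a verified TLS session can actually be established. Looking up the MX hostname for a domain (for example with `dig MX chimbly.com`) is left to the reader, since the standard library has no MX resolver; the hostnames and EHLO replies in the block are constructed sample data.

```python
"""Added example: does a domain's inbound mail server offer STARTTLS?

Not the tool linked in the article. Uses only the Python standard library.
The live check needs network access; the parser works on captured text.
"""
import smtplib
import ssl
import sys


def parse_ehlo_capabilities(ehlo_response: str) -> set:
    """Return the set of ESMTP keywords advertised in a raw EHLO reply.

    The first 250 line is the server greeting, not a capability, so it is
    skipped. Keywords are matched case-insensitively (RFC 5321).
    """
    caps = set()
    lines = [ln.strip() for ln in ehlo_response.splitlines() if ln.strip()]
    for ln in lines[1:]:
        # Each line looks like "250-KEYWORD params" or "250 KEYWORD" (last line).
        if len(ln) < 4 or not ln[:3].isdigit() or ln[3] not in "- ":
            continue
        payload = ln[4:].strip()
        if payload:
            caps.add(payload.split()[0].upper())
    return caps


def advertises_starttls(ehlo_response: str) -> bool:
    """True when STARTTLS appears among the advertised extensions."""
    return "STARTTLS" in parse_ehlo_capabilities(ehlo_response)


def check_mx_starttls(mx_host: str, timeout: float = 10.0) -> dict:
    """Connect to an MX host on port 25, send EHLO and try to upgrade to TLS.

    Returns a dict describing the outcome; ordinary network and protocol
    failures are recorded rather than raised so a caller can loop over hosts.
    A server that only *advertises* STARTTLS but fails the handshake (or
    presents an unverifiable certificate) is reported as tls_established False.
    """
    result = {"host": mx_host, "reachable": False, "starttls_offered": False,
              "tls_established": False, "tls_version": None, "error": None}
    try:
        with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
            result["reachable"] = True
            smtp.ehlo("tls-check.example.invalid")  # placeholder EHLO name
            result["starttls_offered"] = smtp.has_extn("starttls")
            if result["starttls_offered"]:
                # The default context verifies the certificate and hostname.
                smtp.starttls(context=ssl.create_default_context())
                result["tls_established"] = True
                result["tls_version"] = smtp.sock.version()
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


# Constructed sample EHLO replies (not captured from any real server).
SAMPLE_EHLO_WITH_TLS = (
    "250-mx.example.invalid Hello [203.0.113.5]\n"
    "250-SIZE 35882577\n"
    "250-8BITMIME\n"
    "250-STARTTLS\n"
    "250-ENHANCEDSTATUSCODES\n"
    "250 SMTPUTF8"
)
SAMPLE_EHLO_WITHOUT_TLS = (
    "250-mail.example.invalid\n"
    "250-SIZE 10240000\n"
    "250 8BITMIME"
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check: python tls_check.py mx.some-domain.example
        for host in sys.argv[1:]:
            print(check_mx_starttls(host))
    else:
        for name, reply in (("with TLS", SAMPLE_EHLO_WITH_TLS),
                            ("without TLS", SAMPLE_EHLO_WITHOUT_TLS)):
            print(f"{name}: STARTTLS offered = {advertises_starttls(reply)}")
```

Run it with one or more MX hostnames to perform the live check; with no arguments it only demonstrates the parser on the constructed replies. Note the distinction the result dict makes: a server that advertises STARTTLS is not yet proof of a secure path, so the check also completes the handshake with certificate verification before reporting success, which is the behaviour you want from an outbound “require TLS” policy too.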
Generally, following these steps will get you closer to compliance with HIPAA, although it’s not foolproof. Rather than training all staff to follow these steps, you can ensure that all emails sent by your organization are securely transmitted.
Best Practice:
You can avoid much of the headache by requiring that all outbound messages be sent securely. Unfortunately not all email services (and none of the common free services, like those with @gmail.com addresses) offer this feature.
Google Apps, Office 365 and Exchange all offer the feature, but it must be activated. When enabled, you will receive bounced emails from any recipient whose email service doesn’t support secure email (that’s what you want – to avoid violating HIPAA, you’ll just have to contact them another way).
Notes:
While the above information is mostly accurate, there are exceptions to the rules, as the article was written with end users in mind and getting them close to compliance. Chimbly Consultants LLC neither warrants the above information nor accepts liability for its practical application.