Is Hushmail HIPAA Compliant?
Email communication is standard in nearly every industry, healthcare included. Employees need to communicate with one another and sometimes with clients or patients. But most industries don’t face the stringent security requirements that healthcare organizations do, so regular email programs are the norm. In healthcare, however, regular email services just don’t cut it when it comes to guarding protected health information. And they definitely don’t measure up to the Health Insurance Portability and Accountability Act (HIPAA) standards.
So how does a healthcare organization handle its email needs while maintaining HIPAA compliance?
You will need to use either an email platform that is specifically designed for HIPAA compliant organizations or one whose provider has guaranteed that it meets the requirements of HIPAA. As one of your email options, let’s look at whether Hushmail is a safe and secure communication platform.
What is Hushmail?
Hushmail is a communication platform designed specifically for healthcare providers and their patients to be able to communicate in a secure and protected manner. This includes encrypted email, web forms, and electronic signatures. E-signatures are ESIGN and UETA compliant, which means Hushmail’s forms use data encryption and a secure connection to the server, as is required of healthcare providers. Their platform is built to be HIPAA compliant, and they stand by that by providing a Business Associate Agreement (BAA) to their clients.
Hushmail works like other email accounts – everyone in your organization can have a Hushmail account. The difference is it has added security features to protect your patients’ sensitive data and ensure that your organization’s email remains HIPAA compliant.
It even has additional features that give you the option to build secure web forms, so intake forms and signed consents can be emailed to you.
What Does It Mean for an Email Provider to Be HIPAA Compliant?
HIPAA compliance is critical to securing Protected Health Information (PHI) sent via email. As a healthcare provider, you have access to sensitive patient information, which must be protected. HIPAA requires that it be secured both in how it is stored and in how it is shared. That means any PHI must be protected whether physically in your office or electronically in your email communications.
Regular email programs are not HIPAA compliant – and they aren’t meant to be. So as a healthcare organization, you can’t just use any email program to communicate with patients.
Any PHI that is included in an email without proper encryption is a HIPAA violation that can cost your organization both in fines and patient trust.
However, email communication can be compliant if third-party encryption software is used, and the appropriate Business Associate Agreement is signed.
In order to be compliant, software must have security features implemented to protect the confidentiality, integrity, and availability of PHI.
Does Hushmail Meet the Standards for Compliance?
Hushmail offers the following security features to protect PHI – and to make your office email communications HIPAA compliant:
Encryption — Hushmail automatically encrypts emails between two Hushmail users and provides an encryption option for sending emails to recipients who use email services other than Hushmail.
Two-step verification — When signing into Hushmail from an unrecognized device, like a new phone or workplace computer, users must enter a code to verify their identity. The code is sent to their phone or alternate email account for an additional layer of security.
Access management — Hushmail includes the ability for your office to set up, configure, and delete accounts. This allows the administration to limit who has access to PHI and to monitor employee usage.
Email archives — Hushmail keeps records of emails sent and received by all users, providing trackable data in the event of an audit.
So yes, Hushmail meets the standards for secure and encrypted email, but there’s one more piece to compliance.
Business Associate Agreement (BAA) with Hushmail
A secure email program and server are essential to HIPAA compliance, but there is one last step to take. Under the HIPAA Security Rule, software providers that may have access to PHI are considered business associates of their clients. A business associate must sign a legally binding agreement documenting the permissible and impermissible uses of PHI between the organizations.
A Business Associate Agreement documents that both organizations are held accountable to HIPAA regulation. If a BAA is not signed with your email provider and PHI is ever sent via email, then you are not HIPAA-compliant.
Hushmail makes it easy by providing a signed BAA as part of your contract with them.
Is Using a HIPAA Compliant Email Enough?
Protecting PHI in email communications is essential for HIPAA compliance, but it’s not enough to make your company fully HIPAA compliant. Safe email practices are just one factor. HIPAA-protected information must be carefully guarded in all office operations. Your staff should be trained in all aspects of HIPAA compliance that affect your office. That includes verbal sharing of PHI, securing printed information, and making sure computers are password protected and locked when unattended. More information about how to comply with HIPAA completely can be found here.
What’s the Verdict?
It’s safe to say that Hushmail is HIPAA compliant, as long as it’s used and administered appropriately, and your signed BAA is in place.
Achieving and maintaining HIPAA compliance is not an easy task. It requires in-depth knowledge of HIPAA regulations and how to implement the appropriate safeguards in your practice.
The good news is you don’t have to do it all yourself. Software like Hushmail is available to take the guesswork out of your day-to-day operations. And companies like Accountable are here to guide you through the rest.
Accountable is a software solution that makes HIPAA compliance simple by clearly outlining the requirements and policies your company needs to manage your HIPAA compliance. We provide all the tools you could need to train employees, manage business associates, and identify potential risks of a breach. Don’t wait until there’s a data breach to take HIPAA compliance seriously. Your patients and clients depend on you to protect them.