Are you sure your email provider is HIPAA compliant?

Nov 19, 2020

There’s no denying it: email has changed the way our practices communicate and operate.


Because it gets messages across faster, more efficiently, and more cost-effectively, email lets us connect with anyone across the world with a single click.


With over 2.9 million emails sent out every second, it’s no surprise that we’re surrounded by countless email providers offering enticing email features.


When you run a healthcare practice, though, powerful and easy-to-use email applications aren’t enough. They also need to be fully capable of safeguarding the protected health information (PHI) that you handle.


In other words, your email provider needs to be HIPAA compliant.

What happens if my email provider isn’t HIPAA compliant?

Not having a HIPAA-compliant provider puts your practice at great risk of cyberattacks, data loss, and data breach. This could mean thousands—even millions—of dollars in settlements, a tarnished reputation, and a huge hit that your practice may never recover from.


Case in Point:


In February 2019, a malicious actor was able to compromise three email accounts of Connecticut-based physician group Starling Physicians. The attacker was able to get their hands on the protected health information—social security numbers, names, addresses, credit card numbers, passport numbers—of nearly a thousand patients.


The affected individuals were only informed about the breach nine months later, in November 2019.


It is likely that Starling Physicians’ email setup and other security parameters did not meet HIPAA standards. A Business Associate Agreement (BAA) should have been signed, multi-factor authentication (MFA) should have been enabled, email encryption should have been ensured, and sensitive information should not have been stored in the email accounts.


A data breach such as this could result in Starling Physicians facing hefty fines for violating HIPAA, PCI, and Connecticut data breach laws.


It’s important to remember that HIPAA compliance is a shared responsibility between the user and the service provider.


In terms of email services, this means that your practice is responsible for ensuring security and HIPAA compliance in email setup and usage, while your email service provider is responsible for ensuring that the email environment itself is fully capable of implementing such secure and HIPAA-compliant protocols.



HIPAA Compliance Check: Popular Email Providers in the US

Let’s check out three of the most popular email providers in the US and see if they’re secure enough to be your healthcare practice’s main communication tool.


Gmail Business: YES ✔︎

Gmail is the email service developed by Google. It is currently the dominant online email service provider, with over 1.5 billion active monthly users worldwide.


Because Gmail is backed by Google, it can become an all-in-one portal for your calendar, news, file storage, to-do list, YouTube, photo hosting, and even blogging activities.


But Gmail is known for more than its extensive features. It is also popular for its strong security features, which include two-factor authentication, detailed audit logs to track user activity, and thorough malware and virus scanning.


Gmail Business customers that are subject to HIPAA, such as healthcare practices, are protected and bound by a Business Associate Agreement (BAA), which they are required to sign with Google.


Gmail Business even has a HIPAA implementation guide ready to help customers understand how they should organize data on Google services when handling PHI.


Gmail Business’s security and privacy practices have been HIPAA compliant since 2013.


If your clinic is not on G Suite yet or if you only have free Gmail accounts, it would be best to consider switching over to a secure, HIPAA-compliant environment like G Suite Basic, G Suite Business, or G Suite Enterprise.


Rates start at $6 per user per month, but you can get a much better deal by contacting a certified G Suite partner like ER Tech Pros. Our certified IT and cloud experts can also ensure that your emails are set up to make the most of the security and convenience G Suite has to offer.



Yahoo! Mail: NO

Yahoo! Mail is the email service developed by Yahoo!, which is now a subsidiary of Verizon. It has been in the email service industry far longer than most other providers and was well ahead of everyone else when the competition among email providers first started.


Unfortunately, Yahoo! Mail hasn’t been able to keep up over the years and has lost much of its market share to its competitors. Despite slipping a couple of places in the rankings, its longevity has still earned it a base of loyal customers.


Yahoo! Mail currently has over 225 million active monthly users, but should healthcare practices be among them?


Is Yahoo! Mail HIPAA compliant? Unfortunately, the answer is no.


Despite its strong password requirements and MFA feature, Yahoo! Mail does not offer Business Associate Agreements (BAAs), nor does it explicitly claim to encrypt stored emails. Yahoo! Mail’s audit logs aren’t sufficient for HIPAA compliance either.


If you are sending emails that contain PHI using Yahoo! Mail, you could be at risk for a HIPAA violation.


It would be best to contact ER Tech Pros and have certified IT security specialists look into your email setup, assess your clinic’s email security needs, and provide you with the most effective and practical solutions for them.



Outlook for Business: IT DEPENDS…

Outlook, or Microsoft Outlook, is primarily an email application that belongs to the Microsoft Office suite. It is especially popular in the corporate world and has more than 400 million active users.


Outlook can run as a stand-alone application, but it can also be combined with several other Microsoft products as a collaboration tool for intra-organizational tasks.


It is worth knowing that three Microsoft products have the word Outlook in their names, and not all of them are HIPAA compliant.


  • Outlook.com is Microsoft’s web-based email service. This used to be Hotmail.com. Outlook.com offers free email accounts that are, unfortunately, not equipped to handle PHI. It does not sign BAAs for users and is not HIPAA compliant.
  • Outlook on Microsoft 365 Business is an email account that comes with the paid version of Office 365. Your Outlook email account on Microsoft 365 is HIPAA compliant. Rates start at $6 per user per month.
  • Outlook on your computer is an email client that you install on your desktop. It is a full-featured email and calendar application optimized for desktop and laptop use. You can add multiple email services to it. If your email service and your computer are both set up to be HIPAA compliant, then Outlook on your computer should be as well.


If your practice is handling PHI and your email provider is Outlook, you’ll need to make sure that you’ve configured Office 365 and/or your computer to be HIPAA compliant.


Remember that not all Outlook products are HIPAA compliant straight out of the box. You’re going to have to double-check that yours is, and enable features such as two-factor authentication.


Make sure you work with network and desktop support experts from a reputable IT service provider like ER Tech Pros when setting up your clinic’s Outlook accounts.


They can see to it that all HIPAA requirements for your email provider and computers are met and that your practice is well protected.



If you think you need to switch to a new email provider…

Just as every practice has unique needs, every email provider has its own set of strengths and weaknesses. It’s important to take a good look at them before adopting one in the workplace.


Not all email providers are equipped to handle your clinic’s needs and certainly not all of them are secure enough to handle emails that contain precious PHI.


If you think your current email setup or network security needs assessment and improvement, don’t hesitate to reach out to the security experts here at ER Tech Pros.


Don’t let unsecured tools put your practice at risk.
