In this day and age, everyone has an email address. In fact, everywhere you look online people are asking you for your email. And it’s how much of business gets done.
Some companies email out coupons and discounts. Others send their latest blog post or even appointment reminders. Still others seem to email out something every hour, causing many of their customers or prospects to unsubscribe from their email list.
The medical field has a lot that they can do through email, but your email service has to be HIPAA compliant – and there are a few things you should know about that.
Why Your Email Needs to be Compliant
This is best answered by answering the following question – what information is protected by HIPAA?
This is by no means a comprehensive list, but rather a list of things deemed protected health information (PHI) when associated with a doctor or service covered under the HIPAA umbrella, and of particular note in the digital world:
- First Name
- Last Name
- Email Address
- Phone Number
- IP Address
Any one of these things is considered PHI. So, a collection of your patients’ email addresses in your email address book is considered PHI. Add the patient’s name and phone number to that online address book and you are walking in a very grey area if your email service is not compliant.
What is a HIPAA compliant email
Let me start off with a small caveat – HIPAA compliance is always updating and changing. And the regulations can be left open to interpretation on many fronts. So, consult your lawyer before you make any drastic changes to your operation.
Now, let’s talk about the obvious on what is NOT considered a HIPAA compliant email service. And this is anything that lies in the ‘free email’ category. Gmail, Yahoo, Hotmail, Outlook and AOL – if you are still using it – are all free email services. These are not HIPAA compliant because they don’t treat your emails and data as securely as required.
A HIPAA compliant email service has the safeguards in place to treat your data – and your patients’ protected data – to a minimum of the standards set in the regulations.
At a bare minimum, your email provider needs to sign a Business Associates Agreement (BAA) with you stating that they will protect, encrypt, and secure your data. This also holds them accountable for maintaining the standards of protection set forth in the HIPAA and HITECH acts.
What are some viable options for compliant email?
There are several options on the market today and each of them comes with a price tag. Here are a few found from a recent Google search.
For more information on what each email system does you can click on the links for each.
Setting up with G-suite
Yes, I know I just said that Gmail wasn’t HIPAA compliant. But G-suite, Google’s paid service that integrates with YOUR domain name, is a different story entirely.
Google will ensure that their G-suite is kept to HIPAA compliance standards and will sign a BAA with you. And their product doesn’t cost you an arm and a leg. As an added bonus, G-suite comes with the most comprehensive set of additional features that are useful in other areas of marketing and running your business.
Note: The information from here down is subject to change based on Google’s updates and any additionally required information for HIPAA compliance. For questions and assistance, you can contact Google directly, or schedule a call with a member of our team.
Step-by-step Guide – HIPAA Compliant G-suite Email Account
Create G-suite Admin Account
Go to gsuite.google.com and click on the ‘Get Started’ button in the top right corner of the screen. Click ‘Next’ to agree to the 14-Day trial of their services.
Answer a few basic questions about your business on the next 3 screens. Then you will be brought to the selection screen where you have to choose your account edition. Unless you know exactly what you are looking for I’d start with the $5/user/month basic package. You can always change this later.
This next screen is where you are asked whether you own a domain or need one. G-suite requires a unique domain name. So, if you don’t have one, you can purchase it from your desired registrar, like namecheap.com. You would then click ‘Yes, I have one I can use’. If you DON’T own a domain and don’t want to buy one separately, you can click on ‘No, I need one’ and Google will take you through the process of purchasing a domain name.
After you have the domain information figured out you will be taken to a screen that confirms that you want to set up an account for the domain. This does NOT change your current email yet. You still have more steps to do for that one. Click ‘Next’. You’re almost done creating the admin account.
Set the name of the admin user and create your username (an email address) and password that you will use to login to the admin section of your G-suite.
Verify you’re not a robot with a quick captcha and you’re taken to the confirmation and payment info pages.
Yes – this is a 14-Day free trial, but they want your card information in case you don’t cancel in that time period.
Create all USER emails
Once you’ve created the account you are taken to the admin console. From here click on users to create all the mailboxes that you need.
Now, let’s talk about the mailboxes that you need. In G-suite there are two types of emails: 1) user emails that need to both send and receive; and 2) group emails that need to receive but don’t need to send. So, in my case I need an email for myself, [email protected]. And I need an email for my staff. But I don’t need a mailbox for [email protected] or [email protected]; those emails only need to forward to the person responsible for answering them.
In this step we are only creating the mailboxes for the USERS. Each of these mailboxes is charged at $5 per month.
Click add user – the plus sign down in the bottom right corner of the screen – and follow the prompts to create the username and set the password if you so desire.
Once that’s done you can either click on “add another user” or “done” and move on to the next step.
Create all group emails (and permissions)
This step is where you configure all the additional emails that need attention but may not need an email inbox as they are generally forwarded to a team member to be handled.
From the Admin Console (click on the three lines in the top left corner of your screen and then on home to get back to the main console), click on groups.
The first few steps are almost exactly like creating a user. Click the create group plus sign in the lower right corner. Then set the group name and email associated with the group.
From here, ensure that the access level is public (default) and, unless you want everyone in the company to get the emails (I recommend against setting this up initially), leave the box blank and click create group.
Now you are taken to the individual group administration setting. This next step is VERY important so that anyone outside your company can email you at that new email address.
Click on Access Settings, then permissions (found on the left hand side), and posting permissions. Scroll down to Post and change this setting to “Public”. Then click SAVE at the top of the screen.
Close down the groups tab that opened, and back in the main admin tab for the individual group click on Manage users. This is where you add the email address of anyone in your company (or outside it if you want) to receive the emails sent to that address.
For example, I am adding Dan, the user I created in the last step as a member of the admin group.
All members listed in this group will receive any emails that are sent to [email protected]. If there is only one email in the group, then only one person will get those emails forwarded. If, however, there are NO emails in the group, then no one on your team will receive the emails. The caveat here is that you can retrieve the emails sent to the group email from another section of G-suite, so all is not completely lost.
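The group settings described above can be checked in bulk once several addresses exist. The following is an added example, not part of the original post: it audits a constructed export of groups for the failure cases mentioned here (outside senders blocked, no members) and for two exposures worth reviewing (conversations viewable by anyone, members outside your domain). `whoCanPostMessage` and `whoCanViewGroup` are Groups Settings API field names; the export shape, the `members` list and all addresses are assumptions.

```python
# Constructed sample export: one dict per group (shape is assumed, not Google's).
GROUPS = [
    {"email": "info@example.com", "whoCanPostMessage": "ANYONE_CAN_POST",
     "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW", "members": ["dan@example.com"]},
    {"email": "billing@example.com", "whoCanPostMessage": "ALL_IN_DOMAIN_CAN_POST",
     "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW", "members": []},
    {"email": "admin@example.com", "whoCanPostMessage": "ANYONE_CAN_POST",
     "whoCanViewGroup": "ANYONE_CAN_VIEW",
     "members": ["dan@example.com", "helper@elsewhere.example"]},
]


def audit_groups(groups, domain):
    """Return {group email: [findings]} for every group that needs attention."""
    report = {}
    suffix = "@" + domain.lower()
    for group in groups:
        findings = []
        # Posting must be open to the public or outside mail is rejected.
        if group.get("whoCanPostMessage") != "ANYONE_CAN_POST":
            findings.append("external senders cannot post to this address")
        # Public posting is needed; public viewing of the conversations is not.
        if group.get("whoCanViewGroup") == "ANYONE_CAN_VIEW":
            findings.append("conversations are viewable by anyone on the web")
        members = group.get("members", [])
        # An empty group accepts mail that nobody on the team receives.
        if not members:
            findings.append("no members: nobody receives mail sent here")
        # Members outside the domain get copies outside the account under the BAA.
        for member in members:
            if not member.lower().endswith(suffix):
                findings.append(f"member {member} is outside {domain}")
        if findings:
            report[group["email"]] = findings
    return report


if __name__ == "__main__":
    for address, findings in audit_groups(GROUPS, "example.com").items():
        for finding in findings:
            print(f"{address}: {finding}")
```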
You’ve only got a few major steps left now that you’ve gotten your email addresses set up. From here, it’s signing the Business Associates Agreement (BAA), a few additional security settings, then connecting your mail records and waiting for the internet to do its thing.
Now, on to the BAA.
From the Admin Console, click on the Company Profile.
Then expand the profile section.
Scroll down to Security and Privacy Additional Terms. Review and Accept the G Suite HIPAA Business Associate Amendment and follow the prompts given.
You now have a signed BAA with Google and your company.
Connect domain through MX records
This step depends on what registrar or domain hosting service you are using. Several hosting companies have quick methods to update your Mail Exchange (MX) records to point to G-suite. Also, for most hosting companies you can contact your support person and they will be happy to walk you through this process.
If you’re fairly technically inclined then you can update your MX records with the following values
Wait up to 24 hours for propagation
The last thing for you to do is to wait. The internet propagation time is up to 24 hours. While setting up a G-suite email system is usually immediate, it may take some time for the rest of the mail servers in the world to capture the new settings.
Because of this small fact, it’s best to migrate over to a new email system during your off hours.
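One way to confirm the cut-over once propagation has finished, as an added example that is not part of the original post: it parses the output of `dig +short MX yourdomain` and flags any mail exchanger outside the provider that signed the BAA, since a leftover record keeps delivering some mail to the old host. The sample outputs and the hostname suffixes are assumptions; use the values Google gives you during setup.

```python
# Suffixes treated as "covered by the BAA" (assumed; adjust to your setup values).
EXPECTED_SUFFIXES = (".google.com", ".googlemail.com")

# Constructed samples of `dig +short MX example.com` output.
SAMPLE_CLEAN = """1 aspmx.l.google.com.
5 alt1.aspmx.l.google.com.
"""
SAMPLE_MIXED = """1 aspmx.l.google.com.
5 alt1.aspmx.l.google.com.
10 mail.oldhost.example.
"""


def parse_mx(dig_output):
    """Turn '<priority> <host>.' lines into a list of (priority, host), sorted."""
    records = []
    for line in dig_output.strip().splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            raise ValueError(f"unexpected MX line: {line!r}")
        records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)


def audit_mx(dig_output, expected=EXPECTED_SUFFIXES):
    """Return a list of findings; an empty list means every MX is expected."""
    records = parse_mx(dig_output)
    if not records:
        return ["no MX records: mail for the domain will not be delivered"]
    findings = []
    stale = [rec for rec in records if not rec[1].endswith(expected)]
    for priority, host in stale:
        findings.append(
            f"MX {host} (priority {priority}) is outside the provider under the BAA"
        )
    # The lowest priority number is tried first, so a stale entry there
    # means most mail still lands at the old provider.
    if records[0] in stale:
        findings.append("the preferred MX is stale: most mail still goes elsewhere")
    return findings


if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("mixed", SAMPLE_MIXED)):
        print(name, audit_mx(sample) or "OK")
```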
Ensuring Email Encryption
At this point, you have a HIPAA compliant email system. In the next blog post I’ll show you how to send encrypted emails to your patients or other doctors/insurance companies to ensure that the PHI stays protected.
There you have it. A cost-effective way to ensure that you have HIPAA compliant email for your whole office.
Now, for less than the cost of one high-end coffee per user per month you have ensured that your practice and your patient information are that much more protected. And you’ve covered your rear from a HIPAA compliance perspective.
What email service do you use in your practice? Did we miss one that you would like us to review? Let us know in the comments.