1

Is there a section in the HIPAA regs that say your not suppose to use your business hipaa qualified email for personal use?

Can someone put this in the HealthCare group I didnt see it listed when I chose the group

10 Spice ups
2

It states that personal email accounts cannot be used for business purposes so in effect you also could not use business for personal use as this would make your business email be considered as a personal account…

“The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.

The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”.

4 Spice ups
3

As a good policy, you should disallow use of personal email address for your medical practice workings.

Mainly this is due to someone leaving the practice and you(a practice) no longer have access to the contents of their mailbox. Essentially they just walked away with patient info(PHI) that you can’t control.

1 Spice up
4

I have to disagree with your logic on this. Just saying 1 is not > 2 does not automatically insure that 2 is not > 1.

In other words, the prohibition on using personal email accounts for PHI relates to not using an account that doesn’t have adequate protections. Most personal email accounts are not housed on a secure server that prevents access by admins outside your organization.

An occasional use of work email accounts to send personal emails is not a violation of HIPAA in my opinion. Whether it violates company policy or not is up to your executive management team.

5 Spice ups
5

It’s all pretty nebulous on purpose (so they can decided what it means later), but you essentially just have to make sure nobody sends any patient information via email unless it is protected in some way. They don’t really specify what that means, but for us, we have pretty much said NO patient information EVER via email, even if it’s internal or they claim it is “protected”. It’s up to the employee and their supervisor whether they will allow personal emails at work. It if officially not allowed, however enforcement only happens when someone really abuses it. We just hope that the “No Patient Information via e-Mail” policy keeps them aware of the severity of it when they might use their personal email.

We can only be sure that our system is secure and there really aren’t any universally accepted “encrypted e-mail” systems out there to use. Once it leaves our servers, it’s out in the wild. We can’t, of course, adequately police this, but policy is the best tool we have to try and convince the eventual auditor that shows up that we did our best and followed the rules as they were written.

1 Spice up
6

Personal email accounts can’t be used because of the of the data being sent (ePHI) and the lack of required securities in place; NOT because it is labeled as “personal”. What classifies as “personal email content” is completely different as that is basically just the subject matter. Company policy should dictate the use of email in the work place, but HIPAA does not specify you can’t talk about your own personal matters. It only relates to ePHI and the security/protection of that information.

We have a company policy against using company email for personal content, but it can also be a very gray area. What if someone from work sends me an email asking about the loss of my pet? What about emails I may receive from Spiceworks outside of vendor contact, such as contest emails or that someone replies to this thread? Use is frowned upon, and excessive use might result in a write up if previously warned and effects job performance or the network (think spam etc).

3 Spice ups
7

First of all, the OP (MI32) asked about using “…your business hipaa qualified email for personal use…”, not personal email for “hipaa qualified” use. Nothing in the regulations would expressly prohibit sending or receiving personal emails on a system intended to be used for communicating ePHI. Now, I can think of some reasons for a policy against that, but those flow from risk management concerns, not from any statutory prohibition.

A few misconceptions expressed above.

HIPAA regulations do not prohibit the use of email to carry ePHI.
HIPPA regulations most certainly do require that steps be taken to prevent the unauthorized release of ePHI, as Glenn_P points out. That would, IMO, pretty much rule out the use of any email system that I did not control from end to end.

HIPAA regulations do not prohibit the use of email to carry ePHI when the patient requests it. Patients get to choose how we communicate with them. I’d be inclined get an acknowledgement of the risk, but again, statute doesn’t prohibit this.

HIPPA regulations are not “nebulous on purpose” in order to nefariously provide “gotcha” tools to “the government”. They make very few specific requirements it’s true, but those requirements make it clear that you need to “do it right” and there are, within those regulations themselves, copious how-to references. This is a good thing for two reasons. One, it forces CE’s and BA’s to pay attention to the security and privacy of their patient’s/customer’s information, not just check off boxes. Two, it allows for a degree of flexibility on meeting those few requirements. If you do a solid risk assessment (one of those few specific requirements) and address what you find according to the referenced frameworks, guidelines and standards, you’re likely to be compliant.

1 Spice up
8

What makes the email account HIPAA qualified?

HIPAA only requires electronic transmission of PHI be encrypted.

Does this business email encrypt all transmission? If it does then its HIPAA compliant and there is no harm or HIPAA violation in employees using it for personal uses. The business email in questions sends email to personal patient accounts anyway.

Employees using business emails for personal use is a company policy violation not a HIPAA violation.

9

I found a simple wait to meet requirements on our domain work e-mail.

Citrix Sharefile https://www.sharefile.com/

Affordable and simple. You don’t need an account for everyone in the office so if you want to just a few users sending secure messages like we do for our Medical Records Department its works out well. As an nice outlook integration.

Only drawback is its not that simple if you just want to talk to someone containing PHI, as you have to 1st type it into a word doc and then send that using sharefile so its encrypted. We mostly use it for sending records as PDFs and other attachments.

I also agree with JoshuaRRTX, if you can’t control the PHI after the staff member leaves, then you never had control over it in the 1st place. Personal E-mail for PHI is a no-no.

Hope this will helps someone

10

That HIPAA “requires” encryption is a common misunderstanding. It does not, in so many words. What it does require is that you protect ePHI from being exposed when it shouldn’t. So, if you are sending ePHI via email, without encryption, across an unsecured network, you are de facto in violation. If the path your email takes does not expose it to unauthorized parties, you are not in violation. You’ll want to be prepared to prove that, but the same can be said of virtually all controls chosen to comply with the Security and Privacy Rules. Encrypting data, using an approved technology, provides “safe harbor”. Doc’s laptop disappeared from his car, again? If you can provide reasonable proof that all the ePHI on it was suitably encrypted, you get to drop anchor in that “safe harbor” and the breach notification requirements do not apply. The same applies wherever you might choose to use encryption as a tool to prevent unauthorized or unintentional disclosure.

11

I don’t think it’s a HIPAA violation, but I probably wouldn’t do it. Just use a free account from Gmail or somewhere else because people tend to be more lax on their personal stuff, especially users.

12

You can not just use any email service for ePHI. Free Gmail is not HIPAA compliant and is a violation. We offer full HIPAA compliant email services for $8 a month per user. Its included in our full VSD service as well, making any office fully HIPAA compliant.