Free Email Accounts and HIPAA Compliance

Let’s talk about the elephant in the waiting room.

If you’re subject to HIPAA and use free email, you’re taking an unnecessary risk with your business. 

FYI, free email accounts typically end in domains such as @yahoo.com, @gmail.com, @live.com, @outlook.com, @me.com, or @cox.net.

Here’s one question to determine if we’re talking about you: Do you have a Business Associate Agreement with your email provider?

If you’re wondering, “What’s a Business Associate Agreement?”, or said NO, consider the following:

What’s a Business Associate Agreement? 

Any entity you work with that has access to patient health information is an official HIPAA “Business Associate” of yours.  Any email provider hosting your inbox with patient health information is a Business Associate. 

Your Business Associates must have Business Associate Agreements with you. 

These agreements typically include wording stating that the Business Associate acknowledges the liability, explains how they plan to store the data securely, what happens if data is breached, and more.

Spoiler alert: no free mail provider will sign this agreement with you because there are liabilities and costs associated with being a Business Associate. 

So you don’t have a Business Associate Agreement with your free email account, what’s the big deal? 

No agreement, and there’s patient health information? That’s a breach. If your patient reports you to the Office for Civil Rights for any reason, or if you’re randomly selected, and you’re audited, this will be discovered. Ignorance of law excuses will not work here. 

Real example: Phoenix Cardiac Surgery paid a $100,000 HIPAA fine because they were using an insecure Gmail account. Exact wording “failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its patient health information”.

Another downside of going getting fined is: your reputation and online ratings will take a hit. If you search for the above practice, the front page is full of HIPAA fine related information. The Office for Civil Rights literally has a page called the HIPAA Wall of Shame. 

What are the other downsides to using a free email?

Having a Business Associate Agreement is just one of several HIPAA requirements with storing and transmitting patient health information. If you’re using free email, you’re probably not using unique accounts for each staff member, encrypting patient health information while it’s in transit, and you’re missing out on functionality, such as multi-factor authentication and enhanced anti-phishing/anti-spam protection. 

Free email accounts look unprofessional and will discredit you with savvy employees and patients. Read more about this more here. 

What can you do about it?

1. Pick a domain name host (aka a registrar) and find an open domain name that suits your business. We recommend namecheap.com.
2. Work with an IT company and purchase a business-class email platform such as Office 365 or G Suite. Your IT company will need access to your registrar account to set up the connection between your email platform and domain name.
3. Sign a Business Associate Agreement with the business-class email platform provider.
4. If you need to email protected data outside of your company, work with your IT Company and purchase an outbound encryption add-on solution so that your data is encrypted in transit.

Please reach out to us if you have any questions. We are here to help. Contact PK Tech.