Let’s talk about the elephant in the waiting room.
If you’re subject to HIPAA and use free email, you’re taking an unnecessary risk with your business.
FYI, free email accounts typically end in domains such as @yahoo.com, @gmail.com, @live.com, @outlook.com, @me.com, or @cox.net.
Here’s one question to determine if we’re talking about you: Do you have a Business Associate Agreement with your email provider?
If you’re wondering, “What’s a Business Associate Agreement?”, or said NO, consider the following:
Any entity you work with that has access to patient health information is an official HIPAA “Business Associate” of yours. Any email provider hosting your inbox with patient health information is a Business Associate.
Your Business Associates must have Business Associate Agreements with you.
These agreements typically include wording stating that the Business Associate acknowledges the liability, explains how they plan to store the data securely, what happens if data is breached, and more.
Spoiler alert: no free mail provider will sign this agreement with you because there are liabilities and costs associated with being a Business Associate.
No agreement, and there’s patient health information? That’s a breach. If a patient reports you to the Office for Civil Rights for any reason, or if you’re randomly selected for an audit, this will be discovered. Ignorance-of-the-law excuses will not work here.
Real example: Phoenix Cardiac Surgery paid a $100,000 HIPAA fine because they were using an insecure Gmail account. The exact wording was that the practice “failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its patient health information”.
Another downside of getting fined: your reputation and online ratings will take a hit. If you search for the above practice, the front page of results is full of HIPAA-fine-related information. The Office for Civil Rights literally has a page nicknamed the HIPAA Wall of Shame.
Having a Business Associate Agreement is just one of several HIPAA requirements for storing and transmitting patient health information. If you’re using free email, you’re probably not using unique accounts for each staff member, you’re probably not encrypting patient health information while it’s in transit, and you’re missing out on functionality such as multi-factor authentication and enhanced anti-phishing/anti-spam protection.
Free email accounts look unprofessional and will discredit you with savvy employees and patients. Read more about this here.
Please reach out to us if you have any questions. We are here to help. Contact PK Tech.