Almost everyone has heard of HIPAA, but the reality is that most healthcare practitioners are only partially compliant at best. Whether it’s unencrypted email or computers, shared accounts, or something more insidious, there’s almost always room for fairly straightforward improvement, especially in smaller practices without dedicated compliance staff.
There’s a wide range of statistics regarding the number of PHI breaches, average cost per breach or violation, and eye-watering total fines and costs in the US, from a multitude of news articles and fear-based sales tactics. We don’t subscribe to those sales philosophies, but the simple fact is many halfhearted compliance attempts are less efficient or more costly than doing things the right way. Non-compliance is simply bad for business.
We’re intimately familiar with the regulatory landscape for medical practices. We’ve delivered fully HIPAA compliant solutions that offer a significant increase in productivity and capabilities of a practice, including paperless office, modern communications, and easy-to-use software including EHR/EMR, EPCS, patient communication, and intake forms.
Of course, we understand that not all practices are ready to make substantial changes to their operations. So here’s an extremely basic overview of the first steps of the compliance journey.
HIPAA low-hanging fruit
Don’t share accounts or passwords
HIPAA requires individual accountability and audit trails for access to digital PHI. It can be extremely convenient, and sometimes even seem necessary, for staff to share an account, but there’s almost always an equally functional option that doesn’t violate this most basic requirement.
While we’re on the subject of accounts and passwords, this is a great time to mention multi-factor authentication. Whether it’s handled via text messages, authenticator apps, push notifications, or physical security keys, MFA is a great way to defend against both account sharing and account compromise, and help ensure a one-to-one relationship between people and accounts.
Ensure PHI is encrypted
This requirement is singlehandedly responsible for entirely too many headaches in modern medicine, and probably the single biggest reason we’re still using faxes in the 21st century. Email is generally considered non-compliant with HIPAA requirements for transmission, because most email servers will silently revert to insecure delivery if the recipient does not support encryption. Fortunately, there are simple tools to modify that behavior and ensure effortless, encrypted, compliant email, our favorite of which is featured in the next section.
Sadly, not every healthcare and insurance office is willing to let go of their fax machines, and for a modern digital, perhaps even paperless, office, it’s inefficient at best to maintain one. In order to exchange records with fax-based providers, it’s necessary to maintain fax capabilities, but not necessarily a fax machine. Most internet (VoIP or UCaaS) providers offer fax services too, and the good ones will even sign a BAA so they can be used to send and receive PHI.
And at rest
It seems fairly intuitive, but bears repeating that patient information must be encrypted at all times while in a covered entity’s possession. Unlike the old days where that meant special software, startup passwords, and long boot times, most modern computers and operating systems now offer seamless native encryption. Both BitLocker on Windows (Professional editions and above) and FileVault on macOS can help meet this requirement for free.
Know your vendors
Finally, make sure your vendors know you. It’s the responsibility of every covered entity to ensure that every party that stores, receives, or transmits information on their behalf both complies with the encryption (in motion and at rest) requirements, and signs a Business Associate Agreement (BAA). These agreements make it clear to both parties what their respective privacy obligations are both during and after any contract term. Most vendors whose products meet HIPAA requirements already have their own BAAs written and available upon request, but if you need an example, the Department of Health and Human Services has published a free example BAA available for download.
Together, Paubox, Broadvoice, and Bitdefender comprise the foundations of our standard HIPAA-covered entity package, along with Google Workspace or Office 365 for email hosting, team communications, and file sharing. We also do EMR/EHR evaluation, selection, and deployment/migration, but that is a process that requires more consultation.
Without a doubt, the most dramatic, immediately impactful change we can make to a practice is deploying fully HIPAA-compliant email. There’s no better way to streamline communications with patients or other practitioners, and everybody appreciates the convenience of not running to a fax machine.
Not all “secure email” is created equal, and there are several disparate methods that are all technically compliant. We’ve worked with many of these vendors and approaches over the years, but Paubox has cemented itself as our go-to solution.
Simply put, Paubox is seamless. Initial setup is straightforward, and can be completed in just a few minutes with no downtime. Once it’s up and running, all outbound email is sent encrypted; there are no applications, browser extensions, or special subject lines to deal with in order to ensure compliance. It works seamlessly even from mobile phones, and leaves no opportunities for human error. Even better, Paubox works by validating an encrypted connection with the recipient’s email server, and is able to deliver compliant messages as normal emails more than 97% of the time. We can’t overstress the value of avoiding poorly designed patient portals, and patients appreciate the increased convenience and natural communication this approach offers. Finally, pricing for the fully-HIPAA-compliant Standard tier is both transparent and easy to understand, and it’s extremely affordable even for sole practitioners.
But what is a “HIPAA-compliant email” anyway? We briefly mentioned Google Workspace and Microsoft 365 above, as the overwhelming majority of businesses today use one of the two for their email. Both products offer a BAA and will keep data encrypted at rest, but neither can guarantee encrypted delivery, which violates the in-transport encryption requirement. Paubox acts as a middleman, enforcing encrypted communications with both your mail server and the recipient’s. In the rare case that the recipient’s mail server simply does not support encryption, Paubox will instead send them an invitation to a lightweight secure messaging portal, whereas most email platforms would silently deliver the message unencrypted and cause a violation. Because it was designed specifically to work with common email platforms like Workspace and 365 and address their lack of guaranteed in-transit encryption, the entire process happens invisibly.
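The difference between opportunistic and enforced delivery described above (and in the encryption section earlier) comes down to one decision made when the sending server reads the recipient server's SMTP `EHLO` reply. The sketch below is an added example, not Paubox's or any vendor's code; the server names, replies, and the `decide`/`plan` helpers are constructed for illustration.

```python
# Added example: models the two delivery policies described above; not vendor code.
from enum import Enum


class Action(Enum):
    DELIVER_TLS = "deliver over TLS"
    DELIVER_CLEARTEXT = "deliver unencrypted"
    SECURE_PORTAL = "send secure-portal invitation"


def ehlo_extensions(reply: str) -> set:
    """Extension keywords from a multi-line SMTP EHLO reply (RFC 5321)."""
    exts = set()
    for line in reply.strip().splitlines()[1:]:  # line 1 is the greeting
        words = line[4:].split()                 # skip "250-" or "250 "
        if line.startswith("250") and words:
            exts.add(words[0].upper())
    return exts


def decide(reply: str, handshake_ok: bool, enforce: bool) -> Action:
    """Pick a delivery action for one recipient server.

    enforce=False is opportunistic TLS: fall back to cleartext silently.
    enforce=True never sends cleartext; it falls back to a portal invite.
    """
    if "STARTTLS" in ehlo_extensions(reply) and handshake_ok:
        return Action.DELIVER_TLS
    return Action.SECURE_PORTAL if enforce else Action.DELIVER_CLEARTEXT


# Constructed sample data: domain -> (EHLO reply, did the TLS handshake succeed?)
SERVERS = {
    "clinic.example": ("250-mx.clinic.example\r\n250-SIZE 35882577\r\n"
                       "250-STARTTLS\r\n250 8BITMIME", True),
    "legacy.example": ("250-mail.legacy.example\r\n250-SIZE 10240000\r\n"
                       "250 8BITMIME", False),
    # Advertises STARTTLS, but the handshake itself fails.
    "broken.example": ("250-mx.broken.example\r\n250-starttls\r\n250 PIPELINING",
                       False),
}


def plan(enforce: bool) -> dict:
    """Delivery action per constructed recipient domain under one policy."""
    return {d: decide(r, ok, enforce) for d, (r, ok) in SERVERS.items()}


if __name__ == "__main__":
    for enforce in (False, True):
        print("enforced" if enforce else "opportunistic")
        for domain, action in plan(enforce).items():
            print(f"  {domain}: {action.value}")
```

Under the opportunistic policy two of the three constructed recipients receive the message unencrypted without the sender ever being told; under the enforced policy no path leads to cleartext.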
It’s worth mentioning at this point that there’s no bright line or gold standard for HIPAA compliance. Apart from a few concrete “must” and “must not” rules, compliance is largely based on effort and avoidance of unauthorized disclosure of PHI. The closest thing that exists to a universally-accepted HIPAA certification is HITRUST CSF, or the Health Information Trust Alliance’s Common Security Framework. Paubox has been HITRUST certified since 2019, making them one of the (if not the) first HIPAA compliant email providers with that status.
Like every solution we recommend, Paubox is well positioned to grow with your business. Their Email Security Plus and Premium tiers offer all the features of Standard, but add a wealth of additional features such as inbound email security, ExecProtect executive impersonation protection, and their zero-trust email philosophy to authenticate incoming messages before they make it to your inbox. If you want to reach out to groups of current or prospective patients, the Paubox Marketing platform is probably the only compliant way to do so.
It’s near impossible to run a business without making and receiving at least the occasional phone call, and that’s even truer in healthcare. Comparing phone service providers is far beyond the scope of this article, but we wholeheartedly recommend Broadvoice’s b-hive platform. The pricing is extremely competitive, the phone system and call handling are almost infinitely customizable, and unlike many other cloud communications providers, they will sign a BAA without limiting or disabling features.
How does security software play into HIPAA compliance? There are a few good reasons. Chief among them is, as we covered above, HIPAA requires covered entities to keep data encrypted at rest. In other words, any computers with copies of PHI must be encrypted. Windows and macOS can do that for free, but there’s a caveat: it’s difficult, and usually unsustainable, to manually track and enforce encryption policies across multiple computers. Bitdefender’s Full Disk Encryption add-on directly addresses that limitation, delivering centralized management and reporting of encryption status across the whole organization. Better still, the encryption functionality is built into the main software agent, so you also get top-tier antivirus, ransomware mitigation, and more for the same effort.
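To show what tracking encryption status by hand involves, here is an added example (not Bitdefender's or the author's code) that audits status text collected from each machine with `manage-bde -status` on Windows and `fdesetup status` on macOS. The hostnames and captured outputs are constructed, and the helper names are hypothetical.

```python
# Added example: audits collected disk-encryption status text; sample data is constructed.
import re


def bitlocker_compliant(output: str) -> bool:
    """True only if the volume is fully encrypted AND protection is active.

    A suspended BitLocker volume still reports "Fully Encrypted" while
    "Protection Status" is "Protection Off", so both fields are checked.
    """
    fields = dict(re.findall(r"^[ \t]*([A-Za-z ]+?):[ \t]*(\S.*?)[ \t]*$",
                             output, re.M))
    return (fields.get("Conversion Status") == "Fully Encrypted"
            and fields.get("Protection Status") == "Protection On")


def filevault_compliant(output: str) -> bool:
    """True if the status text reports FileVault on with nothing still pending."""
    text = output.strip()
    return text.startswith("FileVault is On.") and "progress" not in text.lower()


CHECKS = {"windows": bitlocker_compliant, "macos": filevault_compliant}


def audit(inventory: dict) -> list:
    """Return the sorted hostnames whose status output fails the check."""
    return sorted(host for host, (os_name, output) in inventory.items()
                  if not CHECKS[os_name](output))


def _bde(conversion: str, pct: str, protection: str) -> str:
    # Constructed text in the layout of `manage-bde -status C:`.
    return (f"Volume C: [OSDisk]\n    Conversion Status:    {conversion}\n"
            f"    Percentage Encrypted: {pct}\n"
            f"    Protection Status:    {protection}\n")


# Constructed inventory: hostname -> (OS, captured status output)
INVENTORY = {
    "frontdesk-01": ("windows", _bde("Fully Encrypted", "100.0%", "Protection On")),
    "exam-02": ("windows", _bde("Fully Encrypted", "100.0%", "Protection Off")),
    "billing-03": ("windows", _bde("Encryption in Progress", "41.2%", "Protection Off")),
    "dr-laptop": ("macos", "FileVault is On.\n"),
    "nurse-imac": ("macos", "FileVault is Off.\n"),
}

if __name__ == "__main__":
    print("Not compliant:", ", ".join(audit(INVENTORY)))
```

The `exam-02` case is the one a quick glance misses: the disk reads as fully encrypted, but protection is suspended, so it fails the audit.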
While insurance is firmly outside our areas of expertise, we do suggest thoroughly reviewing any general, professional, errors and omissions, or cyber liability policies that might be in place. Many offer discounted premiums for policyholders with documented antivirus protection, and some even require it as a condition of coverage; either way, it can quite literally pay for itself.