HIPAA TIP TUESDAY

HIPAA TIP: Email Policy and Ethics

If your organization does not have an email policy in place, now is the time to put one into effect. The purpose of an email policy is to communicate to the workforce exactly what the company expects when sending and using email for business correspondence.

We have all fallen into the “easy trap” of emailing, since it is a quick and efficient way of communicating; however, there need to be specific guidelines on what can and cannot be sent from a business email address.

Contained in the email policy should be a general statement regarding safe and fair use of email along with the code of conduct for the organization: ethics, legality, confidentiality, and proper content. If the organization regularly sends confidential / sensitive information, especially when this would fall under the HIPAA Security Rule requirements, training on email and the proper way to encrypt is equally important.

Specific language or areas that need to be covered in the email policy include:

  • The subject line should be specific to the recipient, and only the intended person or persons should receive the email. Group emails should be used only when necessary for the message being sent.
  • The “minimum necessary” rule should always be followed, especially when sending ePHI or sensitive information.
  • HIPAA requires that ePHI remain secure both at rest and in transit – always email ePHI using encryption software. The only time an email containing ePHI may go out unencrypted is when the patient has authorized an unsecured email to be sent to them, with a signed consent from the patient.
  • Business use only: the policy forbids sending anything discriminatory, no illegal activity will be tolerated, and copyrights must be respected.
  • Always proofread an email before sending. A recipient in the “To” field will most likely need to take action, whereas someone who is cc’d needs only the information. Be sure your emails are addressed accordingly.

HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.
