It’s so common now that you might barely notice it: The paragraph of text at the end of a healthcare provider’s email signature, explaining that the message is private and may include protected health information (PHI).
Many of us, myself included, started using these HIPAA disclaimers after seeing that a lot of our colleagues were doing so. It was a common enough practice that it seemed to be a new standard, and it was easy enough for us to implement.
But these disclaimers alone don’t ensure you’re sending HIPAA-compliant emails. There’s little evidence that these disclaimers will protect you or your practice in the event of an email-related breach—and they could actually make the breach worse.
To make sure you’re truly sending HIPAA-compliant, secure emails, there are a couple of things you can do to protect your practice and your clients’ data.
The Problem with Disclaimers
Not only are disclaimers not enough on their own to ensure HIPAA-compliant, secure email, they can actually make a data breach worse. As one law firm specializing in information technology pointed out, poorly phrased email disclaimers can cause confusion. Unintended recipients of private data may unwittingly recirculate PHI when they try to follow the disclaimer’s instructions.
For instance, if your disclaimer asks anyone who isn’t the intended recipient to reply to the email, each person who does so may be retransmitting the PHI. And if they mistakenly reply-all on a group message, they’ve inadvertently created multiple additional copies of the PHI that they were trying to address responsibly.
In this situation, unintended recipients aren’t forwarding PHI with any malicious intent; they have simply hit reply-all on an email they shouldn’t have. To avoid a never-ending email chain of private data, that same law firm recommends that if you do include response instructions in a HIPAA disclaimer, those instructions should direct recipients to contact you by phone to inform you of the error, and then to simply delete the message and any attachments. This addresses the breach promptly while avoiding the recirculation of PHI.
What’s Actually Required for HIPAA-Compliant, Secure Email?
This question is more complicated than you might expect. While the Security Rule doesn’t expressly prohibit using email (even unsecured email, if the client requests it) to send PHI, email does generally present some risks. Most email systems aren’t encrypted, and it can be difficult to know whether the information actually went to the intended recipient.
But an email footer alone is no replacement for a thoughtful, holistic set of policies and practices designed to protect private health information. At the end of the day, that’s what HIPAA requires of you. Neither HIPAA itself nor the regulations that the Department of Health and Human Services has issued specifically mention email disclaimers.
Different practices and organizations have different needs when it comes to the protection of PHI, and while email disclaimers may be one component of your overall data protection strategy, they don’t suffice as the only component.
If you are going to use email to communicate with clients or other providers, it makes logical sense to include cautionary notes—like a disclaimer—as part of a comprehensive privacy strategy. If you’re hesitant about sending PHI over email, secure messaging software may be a better option for messages that include that kind of information.
Tools to Help You Send HIPAA-Compliant, Secure Email
As mentioned above, HIPAA doesn’t have specific requirements for what’s considered compliant technology—the Security Rule allows you as a covered entity to use any security measures that you deem reasonable and appropriate to uphold security standards.
That said, HHS does offer some guidance and questions to ask yourself before you start using software or a product, to help you determine whether it’s reasonable and appropriate. An encrypted secure messaging platform is a good option for sending quick messages that contain PHI to clients or to coworkers in a secure way.
But if you need the functionality of email, there are encrypted options you can use. Services like Hushmail for Healthcare, GSuite, and Virtru allow you to send HIPAA-compliant, secure emails at a variety of price points, so you can find one that fits your practice’s budget while still protecting your clients’ data.
If you’re doing everything that HIPAA requires of covered entities—like performing a regular security audit to examine your risks, training your staff, minimizing where PHI is shared, and ensuring your clients have the knowledge and control they need to manage such sharing—then you might find that an email disclaimer isn’t relevant to your practice. But you also might find that it’s appropriate as one of several layers of protection against an email-related breach.
Ultimately, every practice is different, and you’ll need to carefully consider the specifics of yours before implementing a strategy to make sure you’re sending HIPAA-compliant, secure emails. If you have specific questions or concerns, consult with an attorney.
Indeed, that’s the whole point: A HIPAA review is designed to determine what safeguards are necessary given the specific and unique framework of your practice. Simply doing what someone else does because someone else does it may not be enough to secure client data in your practice. And it may not qualify as HIPAA compliance—no matter what you put at the bottom of your email.