Although healthcare is seemingly one of the only industries still using fax machines, email is used by everyone. This includes patients, referring healthcare providers, and other organizations in the healthcare industry, making email the most unifying way to communicate. The problem is how to secure that email. The Health Insurance Portability and Accountability Act (HIPAA) allows healthcare providers to send email containing protected health information (PHI) as long as it is HIPAA compliant. So the question becomes: how do you choose which HIPAA compliant email service provider to use? We put together this quick checklist so you can make the best decision for your healthcare organization.
- Is it really HIPAA compliant?
- How easy is it to use?
- Does it integrate with your existing IT setup?
- Does it require new workflows?
- How is customer support?
- Are there hidden costs?
1. Is it really HIPAA compliant?
This may seem obvious, but the reality is that there is no single certification that designates HIPAA compliance for a secure email solution. There are, however, a couple of good measuring sticks to make sure HIPAA requirements are met. The first is making sure the company provides a Business Associate Agreement (BAA). This contract outlines the provisions a company must follow as a business associate of a covered entity. If the company won't sign a BAA, that's a red flag. Another way to tell how seriously an email provider takes compliance and security is to see whether it holds any third-party certifications from reputable organizations. For example, Paubox has gone the extra step of getting our solutions HITRUST CSF certified. HITRUST is the gold standard in healthcare and demonstrates that our solutions have met key regulatory and industry-defined requirements and are appropriately managing risk. It is also one of the only certifications where the certifying body is NOT the one that performs the audit. Instead, a separate certified independent auditor is required in order to pass.
2. How easy is it to use?
Once you have filtered out any companies that don't sign BAAs or haven't met your standards for certification, the next step is to understand how they encrypt your email to make sure it's secure. This lets you find the solution that is easiest to use for both your staff and the recipients of your email. Ease of use is more important than you might think, because a difficult-to-use secure email solution can lead to issues such as:
- Staff, both intentionally and unintentionally, sending PHI without email encryption
- Time needed to create processes and train staff on how to use the system
- IT support for issues from both staff and email recipients
The easier your HIPAA compliant email service is to use, the better. Many providers, like NeoCertified, require a portal that users must log in to in order to send, receive, and read secure email. The problem with many portal providers is that the recipient is also required to create a login to read secure messages. This can be an extremely cumbersome process, especially for those who receive infrequent emails and don't remember their login information.
One step better are providers who make it easier to send email, like Virtru, which allows users to send a secure email by pressing a specific button when sending. The only problem with this is that staff must be trained carefully to ensure that every email containing PHI is sent securely, since they have to make a decision for each email and encryption is not automatic.
Virtru also still requires portals for recipients who are not also using their platform. Paubox uses a patented process to make secure email work like regular email. Instead of portals, extra buttons, and plugins, senders can just write and send emails as normal. Recipients can also receive emails as normal, making the whole process seamless.
Regardless of what method is used, you also want to check and see if the solution works across multiple mobile devices. This is not just for your staff, but also your recipients. Having a mobile friendly secure email solution they can check on their iPhone without needing to download a mobile app is a huge win. You can see a demo video of exactly how Paubox works here.
3. Does it integrate with your existing IT setup?
Just as you want your HIPAA compliant email solution to be easy to use, you also want it to be easy to set up. The good news is that most of the leading providers have integrations for the most widely used business email platforms, such as:
- Microsoft Outlook (with Microsoft 365)
- Microsoft Exchange
- Gmail (with Google Workspace)
The thing to watch out for is whether the solution only needs to be set up once on the back end by your IT department, like Paubox, or whether it also requires each user to download and install a plug-in for their email account. Managing who has access and providing training can be more difficult with the plug-in option, especially with staff turnover.
4. Does it require new workflows?
Remember when we looked at how easy your HIPAA compliant email provider is to use? This is where it becomes extremely important. HIPAA compliance goes far beyond the software: you also need the right processes in place to make sure staff are properly trained. This includes items such as:
- Who is authorized to send PHI
- When is it ok to send PHI
- How are access controls managed
- Is there regular training required
Depending on which provider you choose, you may need to change your workflows to make sure the "people" part of compliance is also maintained, especially the training and the documentation of policies and procedures.
5. How is customer support?
There is nothing worse than spending time evaluating different products, only to be "stuck" with bad support after you get started. Most companies are great at getting you set up, but fall short once that is done. This is where online reviews come in handy. You can read through reviews of encrypted email providers on independent sites like G2 Crowd and find out how their customer support is doing. Also keep in mind that 24/7 support is nice in theory, but it doesn't mean anything if they're unresponsive.
6. Are there hidden costs?
You could almost call this section "Is the pricing hard to understand?" The most important thing when asking for a quote is to make sure everything is itemized. You don't want to think you're signing up at one price, only to find out there is also a setup fee, a charge for the BAA, and other items you didn't know about.
Taking the time at the beginning to make an informed decision about which HIPAA compliant email provider is best for your organization can save you a lot of time and headaches in the end. All companies take email security seriously, so the actual encryption is often a moot point. The biggest takeaway is not to focus only on price, but also to consider the whole user experience and what you think works best for your organization. You can give Paubox a "test run" with a free 14-day trial by clicking below.