How to Set Up a HIPAA Compliant Email Server

Peyton Duplechien • 16 Sep 2021 • 4 min read

As a HIPAA-compliant business service, medical practice, or medical administration office, you need to ensure that all of your communications protect your patients' and clients' protected health information (PHI). When this information is disclosed, it can cause major harm to the patient or client. In addition, a HIPAA violation can bring expensive penalties and fines of up to $50,000 per violation.
Consider how you can protect your clients, patients, and business by creating HIPAA-compliant communication practices:

Do You Need to be HIPAA-Compliant?

Before getting started, confirm that you actually need to be HIPAA-compliant. Do you only ever send internal emails? Are you positive?
If there is any chance that you will send messages externally to anyone, you need to protect PHI, and therefore your email needs to be HIPAA-compliant.

Encrypting Your Emails

Email may feel as direct as a face-to-face conversation, but just as with a conversation, someone could be listening in. By default, email is not a secure channel.
To protect your messages, you need to encrypt them both in transit and at rest. Your IT team can set this up. If you do not have an in-house IT team to encrypt your email, your organization can use a third-party email service instead.
Look up HIPAA-compliant email service providers to find one that will encrypt your email. A quick Google search will turn up several, but the process does not stop there. With so many options, there is no one-size-fits-all answer: you need to confirm that the new service fits what your business needs.

Cloud-Based Email and Business Associate Agreement (BAA)

Cloud-based email is all the rage right now, but many of these cloud providers have raised flags in the past for healthcare organizations seeking to protect PHI.
Fortunately, major providers such as Microsoft Office 365 have turned their focus to providing a secure environment for patients' PHI.
Using Microsoft as an example: before an organization sets up a HIPAA-compliant mail environment, Microsoft requires a Business Associate Agreement (BAA). A BAA is a contract between your HIPAA-bound organization and any business that handles PHI on your behalf. VoiceNation, a HIPAA-compliant answering service, relies on Microsoft for this.
Your next step is to confirm your needs with your chosen provider and ensure the BAA language meets what your business requires. Some companies will not modify their BAA unless you ask. Once the agreement is in place, make sure the email service is configured and encrypted.

Check Your Provider’s Compliance Center

Each provider's compliance should align with the recommendations published by the U.S. Department of Health and Human Services.
From there, you should be able to access the email service's compliance center or documentation, which shows you, the customer, how to use the system in a way that maintains your organization's compliance. Look for details such as:

  • How long emails are retained (retention requirements can differ slightly by state and region)
  • How to configure your setup to meet your organization's requirements

Note: different licenses may be required depending on the requirements your organization or practice must meet to stay compliant.

How to Confirm Your Compliance 

This is where a compliance team comes into play to ensure your organization or practice is keeping PHI safe. Having someone qualified to read through the fine print and ask the nitty-gritty questions can save you major headaches and mistakes in the future.
Wherever this article mentions checking contract language or requirements, this team can check those boxes for you. Research outside compliance teams or build one internally, and double-check that they are HIPAA-compliant before bringing them on board.
Once the groundwork is laid, you will be glad you recruited someone to help answer the professional questions.

Set Up a Consent Process 

Depending on the types of emails you send, you may need to obtain consent from your clients or patients. Work with your new compliance team to prepare the forms or notices that may need to be distributed both internally and externally.

Train Your Staff and Set Policies

Now that you have the software and a compliance team, it is time to train your staff.
They need to learn the ins and outs of compliance, how they play an active role in it, and how to report any infractions. Your staff are on your side, and they can actively protect you and your clients' information.
Rely on your internal or external compliance team to keep your staff up to date on any changes, updates, or renewal training.

Ensure All Communications are HIPAA Compliant

Now that your email is squared away, what about your other communication tools?
Are your calls protected?
Using a HIPAA-compliant live answering service, like VoiceNation, will keep your phones answered and your communications secure. VoiceNation maintains HIPAA compliance across its virtual receptionists through thorough training, set standards, and internal and external compliance teams. Plus, with VoiceNation, your practice will be available when your patients need you most.
Are your patient and physician texts and instant messages safe? Through a product like TigerConnect, you can provide safe, quick, and efficient communication among physicians, administrators, and patients.
VoiceNation is proud to partner with TigerConnect to equip medical practices and healthcare organizations with safe and compliant communications.
Interested in keeping your communications running 24/7 and HIPAA-compliant? Reach out to an expert at VoiceNation today to see which plan fits your business.