
Is this HIPAA compliant?
Can we get a BAA signed to be HIPAA compliant?
Chosen solution
Is unencrypted email HIPAA compliant? Of course not.
Is S/MIME or PGP encrypted email HIPAA compliant? Probably. But compliance is about a holistic approach to data, not finding bits of a jigsaw, putting them together and going "We are compliant".
Unfortunately I have witnessed many discussions about HIPAA compliance over the last 10 years between consultants, and all I can say is most organizations that say they are compliant are not, because their staff simply do not get confidentiality or security. It matters not a hoot if you have all the certificates in the world if you have an idiot that sticks the username and password for access to patient data on a post-it on the side of the MRT machine.
The short answer here is email clients like Thunderbird and Outlook can be HIPAA compliant, but they are not in their default configuration, and most probably never will be while skill assessment does not include the competent use of IT.
I suggest you have a look here https://blog.udemy.com/hipaa-compliant-email/ and with that knowledge pay for encryption certificates for the relevant staff and have them installed by a competent professional, or contact one of the providers on the link to provide the service you apparently desire. I would go with the second one, because I have yet to manage to convince practice managers that bringing in their own printer, and unplugging the mail server to boil the kettle, are not good ideas. So you need a third-party encrypted mail provider who will make you pay fairly dearly for their expertise to be sure you maintain your compliance.
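As an added illustration, not part of the original answer, of what S/MIME encryption in a client such as Thunderbird does and does not protect, the script below round-trips a constructed message through S/MIME with the openssl command-line tool. The self-signed certificate stands in for the purchased staff certificate the answer recommends, the addresses and message text are made up, and the final checks show the point a practitioner should take away: the message body is hidden on the wire, but the Subject, To and From headers travel in the clear, so anything placed in the subject line is not protected.

```shell
#!/bin/sh
# Added example: S/MIME encrypt/decrypt round trip with openssl.
# Everything here is constructed for illustration; the certificate is
# self-signed rather than issued by a CA, and the addresses are fictional.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the staff member's S/MIME certificate and private key.
make_staff_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=nurse@clinic.example" \
    -keyout "$WORK/nurse.key" -out "$WORK/nurse.crt" 2>/dev/null
}

# Constructed message body; the identifier is made up.
write_message() {
  printf 'Patient MRN 000-TEST-123: follow-up scheduled for next week.\n' \
    > "$WORK/body.txt"
}

# Encrypt the body to the recipient certificate. -from/-to/-subject are
# written as ordinary mail headers outside the encrypted part, which is
# exactly what a mail client does: headers are needed for delivery.
encrypt_message() {
  openssl smime -encrypt -aes256 \
    -from doctor@clinic.example -to nurse@clinic.example \
    -subject "Lab results for MRN 000-TEST-123" \
    -in "$WORK/body.txt" -out "$WORK/message.eml" "$WORK/nurse.crt"
}

# Recipient side: decrypt with the private key matching the certificate.
decrypt_message() {
  openssl smime -decrypt -in "$WORK/message.eml" \
    -recip "$WORK/nurse.crt" -inkey "$WORK/nurse.key" \
    -out "$WORK/decrypted.txt"
}

# Checks a practitioner would run on the wire format.
# 0 (true) if the body text cannot be found in the message as sent.
body_is_hidden() { ! grep -q 'follow-up scheduled' "$WORK/message.eml"; }
# 0 (true) if the identifier leaks through the cleartext Subject header.
subject_leaks_id() { grep -q '^Subject: .*000-TEST-123' "$WORK/message.eml"; }
# 0 (true) if the recipient recovered the original body.
roundtrip_ok() { grep -q 'follow-up scheduled' "$WORK/decrypted.txt"; }

run_demo() {
  make_staff_cert
  write_message
  encrypt_message
  decrypt_message
  echo "--- message as it would travel over SMTP ---"
  sed -n '1,8p' "$WORK/message.eml"
  echo "..."
  body_is_hidden  && echo "body encrypted: yes"
  subject_leaks_id && echo "subject header in the clear: yes (MRN visible)"
  roundtrip_ok    && echo "recipient decrypted body: yes"
}

run_demo
```

The same split applies inside Thunderbird or Outlook: S/MIME wraps only the MIME body, so staff must be told to keep patient identifiers out of subject lines, and the certificate's private key must live only on the intended workstation, which is why the answer above stresses competent installation over the certificate itself.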