Have You Implemented Appropriate Safeguards to Protect Your Healthcare Organization Against Hefty Fines?
When it comes to HIPAA compliance, regulations are becoming stricter than ever before. Do you allow your staff members to send protected health information (PHI) via email? If so, it’s fundamental to ensure you’re taking precautions to safeguard PHI sent and received via email.
Outsource My IT specializes in serving healthcare organizations in New Jersey. We offer email security services to help you comply with HIPAA regulations while ensuring you’re able to provide the highest quality of care and confidentiality to your patients. To learn more, give us a call at (973) 638-2722 or send us an email at firstname.lastname@example.org.
While HIPAA regulations don’t necessarily prohibit healthcare organizations from sending PHI via email or communicating with patients via email, they do require appropriate safeguards to be in place to:
- Protect the integrity of PHI.
- Restrict access to PHI.
- Guard against unauthorized access to PHI.
As penalties for data breaches continue to evolve, fines are becoming larger and notification requirements more stringent. As a result, your healthcare organization must ensure appropriate safeguards are in place before sending PHI via email. So what safeguards should be implemented? Here are a few examples:
- Automatic log off: Your email accounts should be logged off automatically after a specified amount of time.
- Encryption: Your emails should be encrypted prior to sending and decrypted once received.
- Spam filtering: Your email accounts should be protected with a reliable spam filtering solution to block viruses and malware.
- Email archiving: Your emails should be archived as part of the documentation necessary to prove compliance with regulations.
These safeguards will protect your healthcare organization against hefty fines resulting from email breach penalties. Now you’re probably wondering, “what are the penalties for unsecured emails?” There are 4 tiers of civil penalties, depending on the severity of the breach:
- Tier 1: If you’re able to prove that you were unaware of the need for a HIPAA compliant email service, HHS might give you a warning or a fine of $100 per email that contains PHI with a maximum of $25,000 per year.
- Tier 2: If you’re aware of the need for a HIPAA compliant email service but you’re using a non-compliant email service to send PHI, HHS will give you a fine of $1,000 per email that contains PHI with a maximum of $10,000 per year. HHS may also refer the case to the Department of Justice, where charges may be pressed against you, or you may receive a fine of up to $50,000 and up to 1 year in prison.
- Tier 3: If you’re using a HIPAA compliant email service but you’re not following proper policies and procedures (also known as willful neglect), HHS will fine you $10,000 per email that contains PHI with a maximum of $100,000 per year. If you’re not willing to correct the situation, the case will be referred to the Department of Justice, where charges may be pressed against you, or you may receive a fine of up to $100,000 and up to 5 years in prison.
- Tier 4: If you’ve experienced a breach before and failed to correct the situation after a warning from HHS, you’re willfully neglecting HIPAA compliance requirements. As a result, HHS will fine you $50,000 per email containing PHI with a maximum of $1.5 million per year. In addition, HHS may refer the case to the Department of Justice, where charges may be pressed against you, or you may receive a fine of up to $250,000 and up to 10 years in prison.
Looking to utilize email for sending and receiving PHI? Outsource My IT can help you implement appropriate safeguards to prevent a costly data breach! To learn more, give us a call at (973) 638-2722 or send us an email at email@example.com.