HIPAA Email Disclaimers
What is HIPAA?
Enacted by the U.S. Congress in 1996, the Health Insurance Portability and Accountability Act (HIPAA) protects millions of American workers by improving the portability and continuity of health insurance coverage. Its Security Rule requires U.S. health care providers, health plans and their business associates to have technical safeguards in place for electronic protected health information, including access controls, audit controls, integrity controls, person or entity authentication, and transmission security.
Penalties for HIPAA violations are severe: both civil and criminal penalties can be brought against a non-compliant individual or organization. Civil penalties are tiered by culpability. A violation the organization did not know about and could not reasonably have known about carries $100 to $50,000 per violation; one due to reasonable cause rather than willful neglect carries $1,000 to $50,000; willful neglect that is corrected within 30 days carries $10,000 to $50,000; and uncorrected willful neglect carries $50,000 per violation. Each tier is capped at $1.5 million per calendar year for identical violations of the same provision (the figures set by the HITECH Act, before inflation adjustment). Knowingly obtaining or disclosing PHI is a separate criminal offense, punishable by up to 10 years in prison where the intent is to sell the information or use it for commercial advantage, personal gain or malicious harm.
The need for a HIPAA-compliant email disclaimer
Email remains the communication channel patients and healthcare practices across the U.S. reach for first, and that is unlikely to change. The problem is that email as a channel is inherently insecure. Messages are not encrypted end to end by default: mainstream services such as Outlook and Gmail protect the hop between mail servers with TLS only opportunistically, the message itself sits in plaintext on every server it passes through, and the sender has no way to confirm that the person reading a mailbox is the intended recipient or that the address was typed correctly.
Email communications are permitted under HIPAA, but specific precautions must be taken. Electronic PHI in transit should be encrypted (encryption is an "addressable" specification under the Security Rule, which means implementing it or documenting why an equivalent safeguard is reasonable), a patient who asks to correspond by unencrypted email should be warned of the risk and that choice recorded, and PHI should only be used or disclosed in the ways the Privacy Rule permits or the patient has authorized. At the same time, every email you send should carry a HIPAA-compliant email disclaimer.
Why? A disclaimer informs patients and other recipients that the message may contain Protected Health Information (PHI) and that email is not 100% secure, so anyone who chooses to reply with confidential information does so knowing the risk. It instructs a recipient who should not have received the message to notify the sender and delete it, rather than read, keep or forward it. It can also ask patients not to disclose personal information such as their date of birth or medical details by email. Basically, the disclaimer is designed to reduce your liability in the event that patient data is intercepted by unknown parties and used for nefarious purposes.
It is worth remembering that a HIPAA email disclaimer only informs; it encrypts nothing and will not by itself make your organization compliant with the law. HIPAA puts patients first, so your disclaimer needs to tell recipients about the risks of their correspondence.
Not sure what to put in your HIPAA email disclaimer? Check out these 4 great examples to give you some inspiration.
So how do I add a disclaimer?
If you run a small healthcare practice and your email needs are relatively simple, you can add a disclaimer directly into your email client. This can be done on an individual basis with little IT support.
Below are a couple of guides to get you started:
For larger practices, your IT team is responsible for ensuring every message carries an appropriate HIPAA email disclaimer, and this is where issues arise. Disclaimers are notoriously difficult to manage at scale when they live in each user's client: employees can edit or delete the wording, required sentences get left out, rolling an updated text out to every mailbox takes considerable time, and each gap carries the risk of legal action for non-compliance. Applying the disclaimer centrally, at the mail server or gateway after the message has left the user's control, takes the user out of the loop.
With Exclaimer email signature solutions, you never have to worry about an email leaving your organization without an appropriate HIPAA email disclaimer again. Whether your users send from a desktop or a mobile device, Exclaimer adds the disclaimer to all of their emails, so this part of your HIPAA obligations is always met.
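As an added example (not code from this page or from Exclaimer), the Python below shows the two halves of central enforcement: stamping an approved notice onto every text part of an outbound message after it leaves the user's client, the way a transport rule does, and auditing messages so that a missing or edited notice is caught while ordinary line-wrapping by a mail client is not. The disclaimer wording and the sample messages are constructed for the demonstration and are assumptions, not text from the page.

```python
# Added example, not code from the original page or from Exclaimer.
import email
import html
import re
from email import policy
from email.message import EmailMessage

# Constructed wording (assumption): replace with the notice your counsel approved.
DISCLAIMER = (
    "CONFIDENTIALITY NOTICE: This message may contain Protected Health "
    "Information (PHI). Email is not a secure channel. If you are not the "
    "intended recipient, notify the sender and delete this message; do not "
    "read, copy or forward it. Do not reply with personal or medical details."
)


def _normalize(text: str) -> str:
    """Collapse whitespace so client line-wrapping is not mistaken for
    tampering, while any changed or missing word still breaks the match."""
    return re.sub(r"\s+", " ", text).strip()


_WANT = _normalize(DISCLAIMER)


def append_disclaimer(msg: EmailMessage) -> EmailMessage:
    """Stamp the notice onto every text part, as a gateway transport rule would."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            body = part.get_content().rstrip("\n")
            part.set_content(body + "\n\n-- \n" + DISCLAIMER + "\n")
        elif ctype == "text/html":
            body = part.get_content()
            block = '<p class="disclaimer">' + html.escape(DISCLAIMER) + "</p>"
            new_body, hits = re.subn(r"</body>", block + "</body>", body,
                                     count=1, flags=re.IGNORECASE)
            part.set_content(new_body if hits else body + block, subtype="html")
    return msg


def audit_message(raw: str) -> dict:
    """Report, per text part of a raw RFC 5322 message, whether the notice is intact."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        text = part.get_content()
        if ctype == "text/html":
            text = html.unescape(re.sub(r"<[^>]+>", " ", text))
        findings[ctype] = _WANT in _normalize(text)
    return findings


def is_compliant(raw: str) -> bool:
    """True only if every text part carries the unaltered notice."""
    findings = audit_message(raw)
    return bool(findings) and all(findings.values())


def build_outbound_message() -> str:
    """Constructed sample: a plain+HTML message stamped on its way out."""
    msg = EmailMessage()
    msg["From"] = "nurse@clinic.example"
    msg["To"] = "patient@example.net"
    msg["Subject"] = "Appointment"
    msg.set_content("Your appointment is confirmed for Tuesday at 10:00.")
    msg.add_alternative(
        "<html><body><p>Your appointment is confirmed for Tuesday at 10:00.</p>"
        "</body></html>", subtype="html")
    return append_disclaimer(msg).as_string()


# Constructed sample: sent from a client where the user removed the footer.
SAMPLE_MISSING = """\
From: nurse@clinic.example
To: patient@example.net
Subject: Appointment
Content-Type: text/plain; charset="utf-8"

Your appointment is confirmed for Tuesday at 10:00.
"""

# Constructed sample: the client wrapped the footer at 72 columns; still intact.
SAMPLE_WRAPPED = SAMPLE_MISSING + """
CONFIDENTIALITY NOTICE: This message may contain Protected Health
Information (PHI). Email is not a secure channel. If you are not the
intended recipient, notify the sender and delete this message; do not
read, copy or forward it. Do not reply with personal or medical details.
"""

# Constructed sample: a user edited the footer and inverted its instruction.
SAMPLE_TAMPERED = SAMPLE_WRAPPED.replace(
    "notify the sender and delete this message; do not\nread, copy or forward it.",
    "feel free to forward it on to whoever you think should have it.")

if __name__ == "__main__":
    for name, raw in [("stamped", build_outbound_message()), ("missing", SAMPLE_MISSING),
                      ("wrapped", SAMPLE_WRAPPED), ("tampered", SAMPLE_TAMPERED)]:
        print(f"{name:9s} compliant={is_compliant(raw)} {audit_message(raw)}")
```

The audit compares the whole approved text, not just a marker phrase, so a footer that has been shortened or reworded by the sender fails in the same way as one that is absent; running it over a sample of the outbound mail log is a cheap check that the central rule is actually firing for every client and device.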