Is it Safe to Send? – Protecting Your Emails
It feels like I’ve been harping on security here lately. So why stop now?
The staff in our office deals with all kinds of information coming in and out from all different types of sources. However, the source I want to focus on today is email. Email is great! It allows us to send text, links, images, and files almost instantly. We send and receive email on our computers, laptops, tablets, cell phones, and even our watches! Email has become such a “normal” thing that we just adopt it into how we do business, taking the whole process for granted. And taking it all for granted isn’t a big deal if we are talking about getting a new promo code from an online retailer or a notification that your friend posted something new on social media. But when we start talking about personal information and those dreaded 5 letters, H-I-P-A-A, it is a big deal.
Just yesterday I received an email like this:
My client, (CLIENT’S NAME) needs a Med Supp and a Part D Plan. She was born on (DATE OF BIRTH) and she has (MEDICAL CONDITION). (INSERT LIST OF ALL HER MEDICATIONS)
She got Medicare Part A on ##/##/#### and Medicare Part B on ##/##/####, and was covered under a group plan until ##/##/####. She was told she would still be able to get a policy without having to go through underwriting. Is that correct? Also can you get me a list of some competitive Med Supps and Part D plans for her?
Please call me if you have any questions or if you need more information.
Here’s the issue: while this email gave me all the information I needed to research some plan info, it also contained HIPAA protected information. This includes the client’s name, date of birth, and a long, detailed list of her medical conditions and prescriptions. Additionally, on the same day I received another email that included a PDF copy of a completed application with “someone else” copied on it. There are two problems with this. One: who’s that other person? Maybe it’s the client? Maybe it was supposed to be the client but the sender accidentally autofilled the wrong email address. Two: the application is more than likely filled with a ton of HIPAA protected information, not to mention other sensitive information like bank account numbers or social security numbers.
There’s no need to panic, there are solutions!
I’m not saying we need to shut everything down; we just need to be a little more careful about how we go about our business. There are a few extra steps that at first will feel like a giant pain, but they are really in your client’s, and your business’s, best interest.
Here are some quick, effective, and easy-to-implement solutions
Here’s the easiest thing you can do:
Do not click send. First and foremost, double check the address you’re going to be sending your email to and make sure it’s correct. This is one of those things that I think we all get out of the habit of doing pretty quickly. It’s also a good idea to make sure there aren’t any extra people copied on an email if you are replying to an ongoing conversation.
Pick one or the other
After you’ve double-checked where your email is going, reread the message itself. If your email contains a client’s name AND medical info, then start deleting! Take a look at the example email I provided for you. The agent included BOTH personal identification information and medical information, causing a HIPAA violation. So when you reread your email, ask yourself which is more important – My client’s name being included? Or my client’s medical information being included? In this example the client’s date of birth, Part A and B effective dates, and Prescription Drugs were pretty important information for me to use in comparing plans. But it didn’t matter at all what the client’s name was. Even without including the client’s name, your internal (and secure) notes will help you match things up without sending everything in the same email.
Lock it up
That completed application you’re about to email, why not put a password on it? Each program is different, but do a quick Google Search for “adding a password to files in ”. Then send that password-protected file over. The file itself is useless to anyone who doesn’t have the password. Just make sure you send a separate email (not the same as the one with the file) that includes the file password, or give the recipient a call with the password. We work with an agency that does this regularly and it’s a lot easier for all of us than it sounds. Plus it protects their clients’ personal information, keeps them HIPAA compliant, and it’s all done at no additional cost to them.
Or just go all in:
Start sending your sensitive email “secure.” There are a ton of online solutions out there that you can sign up for to send secure emails. The difference between secure email and “regular” email is encryption. Basically, once you click send, your email message is scrambled. Only the proper recipient is able to decode the original message. Think of it as putting your letter in a “digital” security envelope versus sending a postcard through the mail. If you’ve been working with our office, chances are you’ve received a secure email from us through a company called SendInc. They offer plans that are free and are pretty easy to use. And even their “free level” product delivers emails that stay HIPAA compliant.
If nothing else, I hope this blog post causes you to stop and think about the emails you are sending out and how they are being received. I’ve said this before: any steps in the right direction are better than no steps at all. If you have any questions about what you should and shouldn’t email, or how you should email, feel free to give our office a call. We’d be more than happy to talk it out with you.