3 min read

Avoiding a HIPAA breach when emailing patient payment information

Avoiding a HIPAA breach when emailing patient payment information

Healthcare organizations can avoid a HIPAA breach when emailing patient payment information by using encrypted email services, securing business associate agreements (BAAs) with email providers, limiting the amount of payment data shared, and obtaining patient consent. Additionally, staff should be trained on email security, sensitive attachments should be avoided, and organizations should regularly audit and delete emails containing payment information to ensure HIPAA compliance and protect patient privacy.

 

HIPAA and patient payment information

HIPAA’s rules apply to any protected health information (PHI), including payment information linked to healthcare services. The Privacy Rule ensures that any individually identifiable health information, including financial details like credit card numbers, is safeguarded. Additionally, the Security Rule sets the standards for protecting electronic PHI, including payment information transmitted through email.

Healthcare providers often use third-party services for email and payment processing, requiring BAAs to be in place. These agreements legally bind vendors to follow HIPAA regulations, ensuring they apply the same level of protection to PHI as covered entities.

Related: Rules for HIPAA compliant email communications

 

Risks of emailing patient payment information

Healthcare billing requires that healthcare organizations share sensitive patient information, comprising codes for bill processing, charges and expenses incurred by patients, and information regarding insurance coverage. Cybercriminals target this information, as seen with the Change Healthcare cyberattack, which shut down more than 100 healthcare-related operations, including those related to pharmacy, medical records, clinical, dental, patient engagement, and payment services.

Common risks of emailing patient payment information include unauthorized access to unencrypted emails, accidentally sending emails to incorrect recipients, and exposure to phishing attacks. In these scenarios, if payment information is disclosed improperly, it can be considered a HIPAA breach. 

 

Best practices to avoid a HIPAA breach

Use encrypted email services

Encryption is necessary when emailing any PHI, including payment information. Encrypting emails ensures that if unauthorized parties intercept them, the content remains unreadable. When selecting a HIPAA compliant email provider, choose one like Paubox that offers encryption and complies with all the HIPAA requirements for PHI protection. 

Paubox ensures HIPAA compliant email by providing seamless encryption for all outgoing emails, requiring no extra steps from users or recipients. With Paubox Email Suite, every email is automatically encrypted, integrating smoothly with existing platforms like G Suite and Office 365. This eliminates the risk of human error in selecting encryption options. Advanced security measures, including two-factor authentication and inbound threat protection, safeguard against scams, viruses, and phishing attacks. 

Read more: Features to look for in a HIPAA compliant email service provider

 

Secure business associate agreements (BAAs)

A BAA is legally required between any healthcare entity and a third-party vendor handling PHI, including email providers and payment processors. This agreement outlines how the vendor will protect the data in compliance with HIPAA regulations. Ensure your email provider has signed a BAA and is committed to meeting HIPAA standards before sending payment information.

Related: The consequences of not having a BAA with an email service provider

 

Limit payment information in emails

The HIPAA Minimum Necessary Rule requires covered entities to limit the amount of information shared to the minimum required to complete the task. When emailing payment information, avoid including sensitive details such as full credit card numbers or banking information. Instead, share transaction IDs or confirmation numbers, which still provide relevant payment data without exposing vulnerable information.

 

Obtain patient consent for email communication

Patients should be informed about the risks of sending payment information via email, and their explicit consent must be obtained before using email to share this data. This ensures transparency and provides legal protection in case any issues arise. Confirm that patients know how their payment information will be transmitted and secured.

 

Avoid attachments with sensitive payment information

Sending sensitive payment information as attachments, such as invoices containing credit card numbers, increases the risk of exposure. If attachments must be sent, ensure they are encrypted and password-protected. However, it’s best to avoid including sensitive details in attachments and share only the necessary information.

 

Ensure strong access controls

Control who has access to emails containing payment information. Implementing role-based access ensures that only authorized personnel can send or view sensitive data. Additionally, healthcare providers should use strong passwords and multi-factor authentication (MFA) to secure email accounts, reducing the risk of unauthorized access.

 

Train staff on email security and payment information

Regular staff training can help prevent mistakes like sending payment information to the wrong recipient or falling for phishing scams. Training should cover secure email practices, recognizing phishing attempts, and following HIPAA guidelines when handling sensitive data.

 

Monitor and audit email activity

Monitoring and auditing email activity helps detect potential HIPAA violations before they escalate into full breaches. Regular audits ensure that emails containing patient payment information are handled securely and provide an opportunity to identify and address any gaps in compliance.

 

Regularly delete emails containing payment information

Establish a policy for deleting emails with payment information once their purpose is complete. Proper storage and disposal of emails containing PHI help ensure that sensitive data is not accessible to unauthorized individuals or at risk of exposure.

 

FAQs

What should I do if I accidentally email payment information to the wrong recipient?

Immediately report the incident to your compliance officer, follow breach notification procedures, and assess whether any patient data was exposed to determine if further action is needed.

 

Can I forward an email containing patient payment information?

Forwarding emails containing payment information is risky unless it is with proper safeguards like encryption. Limit forwarding to necessary parties and ensure security measures are followed.

 

Can I use a free email service to send patient payment information?

Free email services are not inherently HIPAA compliant. Rather use a provider that offers a BAA and the necessary security features like encryption. Always verify compliance before using any email provider.