Healthcare Information Security


Enabling Providers to Use Truly HIPAA Compliant Email

Direct messaging is increasing in popularity, but how exactly does it tie into HIPAA compliant email and what should providers understand before implementing it?

Source: Thinkstock

As technology continues to evolve, healthcare organizations of all sizes are working to remain current in what they can offer to providers and patients while also keeping PHI secure. Covered entities now have various options of communication, and HIPAA compliant email is often a necessity.

However, healthcare organizations cannot assume that any form of email communication will in fact keep PHI secure and adhere to HIPAA regulations. Even third parties are not always exempt from HIPAA compliance as they communicate with healthcare organizations.

As Linda McReynolds, Esq. & Ronald Quirk, Esq. explained in a contribution, it is important to understand the difference between companies that offer a “mere conduit” service and an actual business associate.

“Entities that provide 'mere conduit' service are excluded from HIPAA liability,” McReynolds wrote. “The mere conduit exemption applies to telecom or information services that exclusively provide transmission or temporary storage of transmitted data incident to such transmission. This includes entities such as internet service providers (ISPs) and paging carriers.”

They key difference is the transient versus persistent nature of the opportunity to view the PHI.

“To qualify as a conduit, a service provider must ensure that PHI is only temporarily stored,” she explained. “It is irrelevant whether the service provider actually views the PHI.”

Healthcare organizations and business associates cannot assume that all forms of email are in fact HIPAA compliant email.

Healthcare institutions need to get serious about meeting their employees' needs and providing a secure, internal messaging platform

A study by Infinite Convergence Solutions, Inc. found that most healthcare organizations use secure messaging platforms that are not HIPAA compliant. However, the majority of respondents reported using email as their preferred channel of business communication, followed by mobile messaging and then voice calls. 

When asked why they preferred email, those surveyed said they would rather compose an email or make a phone call, they do not like that mobile messaging leaves no paper trail, and that they do not think it is as secure as email or phone calls.

“Healthcare institutions need to get serious about meeting their employees' needs and providing a secure, internal messaging platform that not only allows HIPAA compliance, but also replaces outdated communication systems, like pagers, in order to increase productivity and serve patients faster,” Infinite Convergence Solutions CEO Anurag Lal said in a statement.

With federal officials also working toward true interoperability, DirectTrust and its messaging options have taken on a larger role for secure email options.

DirectTrust is a non-profit trade alliance that facilitates secure HIE through the Direct Protocol and also forms secure HIE policies and standards. Furthermore, Direct also played a part in enabling the exchange of health information in federal healthcare initiatives such as the EHR Incentive Programs and Stage 2 Meaningful Use.

However, a common perception is that Direct only focuses on secure email. Why exactly should  providers consider implementing this as part of their larger HIPAA compliant messaging program? If a hospital wants to utilize secure BYOD options as well, is Direct messaging the right choice?

Dig Deeper:

Understanding HIPAA compliant secure messaging

In terms of secure messaging usage, that has increased 30 percent from 2013 to 2014, according to an Office of the National Coordinator for Health Information Technology (ONC) data brief. Half of surveyed physicians – 52 percent – said they exchanged secure messages in 2014.

Forty-two percent more physicians also said that they allowed patients the ability to view, download, or transmit access to their electronic health information.

The proportion of physicians who electronically shared health information with patients in 2013 and 2014.
The proportion of physicians who electronically shared health information with patients in 2013 and 2014.

Source: ONC

More patients are able to take advantage of secure messaging options as well, with a separate ONC data brief showing that 51 percent of hospitals in 2014 allowed their patients to send and receive secure messages. Furthermore, 10 percent of hospitals provided secure messaging options in 2013, while 64 percent of hospitals provided it last year.

The 2015 HIMSS HIE and Direct Messaging Survey also found that many healthcare originations support Direct messaging as the method choice for exchanging data. However, there were still challenges cited about incorporating structured data into the EHR.

Secure email, helping with transitions of care, ADT notifications, patient communication, and handling consult requests between physicians were the top reported uses of Direct messaging, according to the survey.

“Use of Direct to enable HIE has been a bumpy ride and while variability exists in the market, the message should be that HIE is growing, the market is maturing and we are all learning how to better collaborate with our community partners,” HIMSS Director of Informatics Mari Greenberger and Sean Kennedy, Director, HIE, Mass eHealth Institute, wrote in a blog post at the time of the survey’s release. “The inter-organizational exchange of information in support of improved patient care is challenging, but from the feedback in this survey ‘the cost is worth the benefit.’”

Approximately half of the survey respondents also said that the cost of using Direct is worth the benefit of information exchange. Three-quarters of respondents – 76 percent – also reported access to a provider directory, 64 percent said they can access internal providers from that directory from within their EHR.

In terms of HIPAA compliant secure messaging, the HIPAA Security Rule does not require specific technical solutions. However, it does state that healthcare organizations must determine reasonable and appropriate safeguards.

“It is important, and therefore required by the Security Rule, for a covered entity to comply with the Technical Safeguard standards and certain implementation specifications; a covered entity may use any security measures that allow it to reasonably and appropriately do so,” the HHS HIPAA Security Series states.

For example, if a smaller provider does not utilize mobile devices, and does not have a BYOD policy in place, secure texting options might not be an applicable tool. Therefore, that provider does not need to worry about implementing mobile device management (MDM) options, device encryption, or remote wipe capability.

A larger hospital on the other hand may find that those technical safeguards are necessary to ensure PHI security while physicians and staff members use mobile devices.

Dig Deeper:

Seeing Direct as only secure email is ‘too narrow’ of a view

DirectTrust President & CEO David Kibbe, MD, MBA recently told that there is much more to Direct messaging than just secure email. While it is very easy to simply think of email as the primary use case, that is far too narrow of a description.

“But actually it's much broader than that,” Kibbe said maintained. “It's a transport protocol which has a lot more capability than simply to be used as a means of person-to-person communication. That's very valuable; that use case is very important. It creates a connection between two people that a fax doesn't do very well electronically.”

Information can also be transported via Direct from server to server, or from server to endpoint person.

“Health information exchanges all over the country use Direct exchange to send alerts to a medical practice when a patient whom the HIE has received an ADT message about has either been admitted to the hospital or is about to leave the hospital or the emergency room,” Added Kibbe.

Furthermore, it’s possible for devices to have Direct access to an endpoint and that any kind of could send the information contained in the device's output to a server, Kibbe said.

"It's a transport protocol which has a lot more capability than simply to be used as a means of person-to-person communication."

In the reverse HIE example, the CDC uses Direct messaging for receiving inbound cancer registry notifications from medical practices and hospitals to its repository, he explained. Essentially, an individual is sending a message to that repository where a server receives it. 

A study out of the Veterans Health Administration published in the beginning of 2016 showed that patients might be more willing to use Direct secure messaging, as patients with the Department of Veterans Affairs (VA) said they comfortable using Direct with their physicians.

Approximately 71 percent of the respondents said Direct secure messaging was “a safe and secure form of communication.”

“Some research suggests that patient concerns about data security may prevent the uptake of electronic health records; however, a majority of our respondents felt that secure messaging is a safe and secure form of communication,” the researchers wrote.

Study respondents also reported other benefits in Direct, including assistance in medication refills, appointment management, looking up test results, and asking health-related questions.

Researchers maintained that it could be an essential time to continue to implement more secure messaging options, citing data that said 40 percent of VA patients would support further improvements to secure direct messaging platforms.

“Finally, though the vast majority of participants were satisfied with the tool and reported intention to use secure messaging in the future, more than 40% reported that secure messaging tool could be improved to make it even more useful,” the researchers said. “This finding is timely and should be strongly considered as the VA continues efforts in redesigning and enhancing available electronic resources for their patients to support sustained use.”

As more organizations opt for Direct addresses, Kibbe explained that the incentive to use Direct for that kind of health data exchange increases as the financial incentives under MACRA begin to be felt by providers.

“The Comprehensive Primary Care Plus is a great example where there is a strong incentive on the part of the participants in those programs to move the data quickly and securely and electronically as opposed to slowly and by paper or fax,” Kibbe stated. “The workflow has to be accomplished quickly and Direct is a very, very good way to do it quickly.”

Additionally, the future of value-base care payment models will be increasing incentives for those providers to use Direct exchange as opposed to fax.

Dig Deeper:


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks

Continue to site...