Earlier this week, we received a question from a physician member about using a free email account for his practice. The doctor’s question was “Is it OK to list a free email on the website as a point of contact, or should I use a domain email?” By “free email account”, he meant something like Gmail, Yahoo, or even the retro-hip AOL. “Domain email” means an address at your own domain, such as one ending in @drterrific.com.
Seems simple enough. Most people would answer without a second thought “domain email”. It looks more professional than a Gmail or Yahoo account, so it’s the logical choice, right?
Unfortunately, with the scant information given, there is no prudent answer.
Yes, a domain email looks better and gives the impression of being more professional. But a domain email can be more secure or less secure than a free email provider, depending entirely on how it is set up and used. So the fact that someone uses a domain email says nothing about the real security of their email service, much like using HTTPS on its own does not make a website secure.
Your domain email server could be self-hosted in your basement (cough, cough), it could be on a dedicated server in your office or at a colocation facility where physical and network access is highly restricted, or it could be spread out over several datacenters managed by a high-profile third party.
Thankfully, you can make any of these secure. You can also easily break the security of any of these designs by trying to do it yourself. We won’t go into the intricacies of setting up a secure email server, but the basics are: restrict physical access, use strong passwords, encrypt sensitive data at rest, require TLS for every connection (the old SSL protocol versions are broken and should be disabled), restrict access to emails containing Protected Health Information (PHI) or Personally Identifiable Information (PII) to the minimum necessary, and keep the software up to date. You get the picture. If any of this is not part of your day-to-day vocabulary, outsource to those who know the language.
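One concrete way to act on the “require TLS for every connection” basic is to test the mail server you are about to trust before you put its address on your website. The script below is an added example for this article, not eMerit’s or any provider’s code. It parses the capability list a server returns in reply to EHLO, reports whether STARTTLS is offered (and whether a login could happen without it), and, when given a real host name, connects with a context that refuses anything older than TLS 1.2 and validates the certificate. The sample EHLO responses are constructed, and mail.drterrific.com in the usage comment is a placeholder, not a real server.

```python
"""Check whether a mail server actually offers and negotiates TLS.

Added example for this article (not eMerit's or any provider's code). The
parsing and policy functions run offline on constructed EHLO responses; the
live check only runs when you pass a real host name on the command line.
"""
from __future__ import annotations

import smtplib
import ssl
import sys

# Constructed EHLO responses in the shape smtplib returns them (greeting line,
# then one capability per line). Not captured from any real server.
SAMPLE_EHLO_WITH_STARTTLS = (
    b"mail.example.com Hello client\n"
    b"SIZE 52428800\n"
    b"STARTTLS\n"
    b"AUTH PLAIN LOGIN\n"
    b"ENHANCEDSTATUSCODES"
)
SAMPLE_EHLO_PLAINTEXT_ONLY = (
    b"mail.example.com Hello client\n"
    b"SIZE 52428800\n"
    b"AUTH PLAIN LOGIN"
)

ACCEPTABLE_TLS = ("TLSv1.2", "TLSv1.3")


def parse_ehlo(response: bytes) -> set[str]:
    """Return the capability keywords the server advertised, uppercased.

    The first line of an EHLO reply is the greeting; every following line
    starts with a keyword (SIZE, STARTTLS, AUTH, ...) optionally followed by
    parameters, which are dropped here.
    """
    lines = response.decode("ascii", errors="replace").splitlines()
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}


def assess(caps: set[str], tls_version: str | None) -> list[str]:
    """Turn advertised capabilities plus the negotiated TLS version into findings.

    An empty list means the connection meets the "require TLS" basic from the
    article; each string describes one way it falls short. tls_version is None
    when no TLS session was negotiated (or the check was run offline).
    """
    findings: list[str] = []
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS: mail and passwords cross the network in clear text")
    if "AUTH" in caps and "STARTTLS" not in caps:
        findings.append("AUTH offered without STARTTLS: login passwords can be captured")
    if tls_version is not None and tls_version not in ACCEPTABLE_TLS:
        findings.append(f"negotiated {tls_version}; require TLS 1.2 or newer")
    return findings


def check_smtp_tls(host: str, port: int = 587, timeout: float = 10.0) -> list[str]:
    """Live check against a real server (network required).

    The context requires TLS 1.2+ and validates the certificate against the
    host name, so a server with a weak protocol or a mismatched certificate
    fails loudly with ssl.SSLError instead of silently "working".
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _code, ehlo_resp = smtp.ehlo()
        caps = parse_ehlo(ehlo_resp)
        version = None
        if "STARTTLS" in caps:
            smtp.starttls(context=ctx)
            version = smtp.sock.version()  # e.g. "TLSv1.3" on the upgraded socket
    return assess(caps, version)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python check_smtp_tls.py mail.drterrific.com   (placeholder host)
        results = check_smtp_tls(sys.argv[1])
    else:
        # Offline demonstration on the constructed plaintext-only response.
        results = assess(parse_ehlo(SAMPLE_EHLO_PLAINTEXT_ONLY), None)
    for finding in results or ["no findings"]:
        print(finding)
```

Run it without arguments to see the findings for the constructed plaintext-only server; run it with your own mail host to test the real thing. A server that does not show up clean here is one you should not be sending PHI through, whatever the domain name on the address looks like.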
The other major component: if you are a covered entity or a business associate (that is, you receive PHI or PII from covered entities in the course of your work), you should have a Business Associate Agreement (BAA) with your email provider. This is commonplace for companies accustomed to working with the healthcare industry, and some third-party cloud email providers do this as well. For example, we can enter into BAAs with our members, and we have a BAA with our email provider. Google will sign a BAA covering email for its paid professional accounts. Note carefully: this means paid Google accounts, where you are writing a check to Google to handle your email.
Now that we’ve covered domain emails, let’s move on to free accounts.
Although there is a fair amount of gray area in a self-hosted or cloud email service using your own domain name, using a free email service is very black and white. Don’t do it. It’s not compliant, and it puts your practice at serious risk. Providers like AOL and Yahoo do not expect you to use their services for business, and especially not business where PHI/PII is involved. Their systems are not designed to handle that sort of risk and liability, and they will not sign a BAA with you to accept it. Back to Gmail. While paid Google accounts can come with a signed BAA, free Gmail accounts do not. YOYO. You’re on your own.
Even if you are entirely unaware of the violation, civil penalties for a breach run from $100 to $50,000 per violation, up to a maximum of $1.5 million per year for violations of the same provision. Even more frightening, HIPAA violations can come with jail time: up to one year for knowingly obtaining or disclosing PHI, up to five years if it was done under false pretenses, and up to ten years if it was done for personal gain or with malicious intent.
Not to mention the damage a breach would do to your online reputation. Links on the first page of your Google results from .gov and newspaper sites describing your violation will be outrageously expensive or impossible to suppress, and can haunt an otherwise pristine online reputation and practice for years.
That free email provider doesn’t seem so “free” anymore, does it?
Do yourself, your patients, and your practice a favor and ensure that your email systems are HIPAA and HITECH compliant. When it comes to being on the wrong side of HHS (the Department of Health and Human Services, whose Office for Civil Rights enforces HIPAA), an ounce of prevention is worth tons and tons of cure.
And if you’re thinking “Sure, I read about that in the news, but that won’t happen to me”, take a look at this PDF, which details reported breaches since 2005, and search for any names you know that you consider safe. Use Control + F and type in any company you want: AOL, Yahoo, Google, Chase, Goldman Sachs, anything that suits your fancy.
Spoiler alert: the report is 170 pages long, contains at least one record for the businesses mentioned above, and has separate sections for government and military breaches.
At eMerit, we receive complex questions like this all the time from our members, and we are pretty good at providing a timely, meaningful, and actionable response. Sometimes these questions are only tangentially related to their membership with eMerit or Medical Justice, but we still receive and field them. Why? Because our members trust our opinions, and we are able to draw on a pool of experts to provide our members with solid guidance. That’s just one more way that eMerit is more than an online reputation management platform.