What Is It About MailHippo That Makes It a HIPAA-Compliant Email Platform?


Better question: What makes any secure email messaging service HIPAA-compliant?

This question is well-addressed by looking at the HIPAA Security Rule, initially enacted by Congress in 2003 and further enhanced as part of the HITECH Act of 2009. The law states that ePHI (electronic protected health information) must be safeguarded in several ways to ensure the integrity, security, and confidentiality of patient health records. (More information on the Security Rule may be found here on the HHS.gov website.)

1. Electronic protected health information (ePHI) must be physically secured.

Either by means of a lock and key or another physical mechanism, ePHI may only be physically accessed by authorized personnel. This means that physical safeguards must be in place to prevent unauthorized physical access to patient health records—no matter what happens.

MailHippo houses the servers that host the MailHippo platform in state-of-the-art data centers that meet HIPAA, PCI DSS, VISA, SSAE 16, and SOC 2 compliance requirements. We do not outsource our hosting to third parties like RackSpace, Amazon Web Services, or Microsoft Azure. All MailHippo server equipment is owned, operated, and maintained by the MailHippo team. This means NO unauthorized third parties have access to this equipment or the ePHI data it houses. (You can find out more about MailHippo’s data center here.)

2. The Security Rule states that ePHI must be electronically safeguarded.

HIPAA states that electronic patient health records must be secured by passwords and whatever other means are necessary to prevent unauthorized access. The rule does not explicitly state that emails and other records must be encrypted. However, it does state that ePHI must be secured in a manner that prevents unauthorized electronic access, which makes encryption of these records a practical necessity.

MailHippo uses the latest encryption technology, ensuring the email body and attachments are encrypted while in transit and at rest. Learn more about MailHippo security and encryption here.

3. Access to ePHI must be logged.

According to HIPAA email rules, any time a user opens and reads an email or email attachment, this action must be recorded to remain compliant. The information must include the date, time, and who accessed the message.

MailHippo is designed to track all access to messages, including the authorized user, time, date, and exactly what records they accessed.
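As an added illustration of the logging requirement above (example code written for this page, not MailHippo's own implementation, which the post does not describe): an append-only access log that records the fields the rule calls for (date and time, the user, and which message was accessed) and hash-chains each entry to the previous one, so that an access record altered, reordered, or deleted after the fact is detected at audit time. Field names, user IDs, and message IDs are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Fields every access record must carry: date/time, who accessed it, and what.
REQUIRED_FIELDS = ("timestamp", "user", "message_id", "action")


class AccessLog:
    """Append-only ePHI access log; each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash every field except the stored hash itself, in canonical key order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user, message_id, action="read", when=None):
        # UTC timestamp so the recorded date and time are unambiguous.
        when = when or datetime.now(timezone.utc)
        entry = {
            "timestamp": when.isoformat(),
            "user": user,
            "message_id": message_id,
            "action": action,
            "prev_hash": self.entries[-1]["hash"] if self.entries else "0" * 64,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of first bad entry).
        Catches altered fields, deleted or reordered entries, and missing required fields."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if any(f not in e for f in REQUIRED_FIELDS):
                return False, i
            if e["prev_hash"] != prev or e["hash"] != self._digest(e):
                return False, i
            prev = e["hash"]
        return True, None
```

Chain verification alone does not detect truncation of the newest entries; anchoring the latest hash somewhere the log writer cannot modify, such as the off-site backup described later in this post, covers that case.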

4. The Security Rule requires that ePHI is safeguarded from intentional or unintentional destruction.

Implicitly, there must be at least two copies of an electronic patient health record—one located on-site and one off-site. All this is to ensure the integrity of the records in the event of a loss.

MailHippo implements a robust backup solution that protects the HIPAA-compliant MailHippo platform with copies held both on-site at our data center and off-site at a secure remote location. This system ensures data integrity and business continuity for the MailHippo platform.

5. Business Associates (MailHippo) must have in place proper HIPAA policies and procedures.

For example, these procedures may address what actions are necessary in the event of a data breach or unauthorized access to ePHI records to remain HIPAA-compliant. Furthermore, they can indicate what training the staff is required to complete and which they have already completed, as well as other items.

With decades of Healthcare Information Technology experience, the MailHippo team has in place—and fully implements—HIPAA policies and procedures in order to be a HIPAA-compliant platform. MailHippo has earned Compliancy Group’s HIPAA Seal of Compliance.

6. A Business Associate Agreement (BAA) must be in place.

The Security Rule requires that a Business Associate Agreement (BAA) be executed between the covered entity (you) and the information technology service provider (MailHippo). This agreement ensures that both parties understand the requirements of the HIPAA Security Rule and that both agree to enforce those rules and remain compliant.

MailHippo issues a Business Associate Agreement as part of our registration process. This ensures that every healthcare provider subscribing to our HIPAA-compliant platform has a valid BAA in place.

So with all of this information about HIPAA under your belt, we encourage you to explore the answers to “What is HIPAA-compliant email?” and “What are the HIPAA email rules?” and to compare the HIPAA-compliant email options available on the market today. Look and ask questions. Reach out to the MailHippo team with your inquiries here.

We hope these points assist you in understanding what is required of your organization as it relates to patient privacy, and that you choose MailHippo for your HIPAA-compliant email needs.