in HIPAA Headlines by John Brewer

Remember that TV show Eight is Enough?

Ah those were the days.

Life was simple; there were only 3 TV channels.

The internet…wasn’t.

The Atari 2600 might have existed at this point, I really don’t remember.  Pong was definitely around.

Today things are drastically different

With the government pushing medical practices to go electronic, there are a whole slew of requirements that are popping up.

I can hear the grumbling now:

  • “This doesn’t make any sense”
  •  “Why would they ever require that?”
  • “This is the dumbest thing ever”
  • “I hate HIPAA”

Yes, I’ve heard them all…and there are plenty others that are not fit for print.

The reality is this: if you put your hand out to receive money from the government…then you have to play by their rules…no matter how idiotic they may seem.

The sooner you accept that, the sooner your heart burn will cease and you can move on to some other item that is bugging you.

Back to email

For a long time it was realistic for a medical office to have just one email.

Usually it would be a free email (Yahoo!, AOL, MSN, Gmail) like or the office may actually have their own domain name so it might be

Either way, every person in the office used this email address for official business AND everyone in the office had access to this email address.

Again, this used to be an OK way of operating.

Times have changed

Sharing an email address is no longer acceptable.

Office staff may have access to multiple systems that require a log-in, like insurance company websites, the office EHR, and even the Meaningful Use Attestation website.

When a username and password are assigned by one of these systems, they are typically emailed to the user.

When a password is forgotten, the reminder or replacement is typically emailed to the registered user’s email address.

If the office shares one email address then there is a major security breakdown as all users will have access to other’s username/password.

[HIPAA Requirement]

HIPAA requires each user to have a “Unique user identification”.

This means there can not be a shared user account.

This means nobody else in the office should know your password.

This means, if your office has one email address that everyone uses, you are not living up to this requirement.

Yes, but I want a list…

As office manager, you feel you should have a copy of everyone’s username and password…right?

This way you will stay in control…right?

Not good.

This creates a liability issue.

The proper way to handle this is, if the office manager needs to access somebody’s email, the IT admin will reset the password to something they know.

Doing this creates a very formal process, which you want, again for liability management.

Joan has left

When an employee leaves, there are some steps your office should take when it comes to that person’s email address (this should be part of your employee termination checklist).

Some of those steps include:

  • Reset the user’s password to prevent further access to their account…by them,
  • Set that email account to forward to an appropriate person, like the office manager, to ensure no important business emails are missed.

What about “free” email accounts?

This is not exactly wrong, but it does look unprofessional and there is reduced control by the office.

The proper way to set this up is to purchase a web address (know as a domain or URL), then setup email addresses for each staff member in the office.

With this you need to make sure you have a clear office policy on how this email address can be used.

Also be clear about this: assume all email is UNsecure!

Yes, most EHR’s are starting to include a secure messaging system, but this is not email as you know it.

To quickly recap:

  • Do not share email addresses.
  • Do not share usernames.
  • Do not share passwords.
  • Email is a UNsecure method of communication as it pertains to PHI.
John Brewer is founder of Med Tech USA, LLC, a technology company specializing in all things HIPAA.  John has been involved with HIPAA compliance for over 5 years and deals specifically with private medical practices with the goal of getting a practice  HIPAA compliant quickly and easily.

About John Brewer

This author hasn't yet written their biography.
Still we are proud John Brewer contributed 177 great entries.

0 thoughts on “One eMail is Not Enough

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *