Hushmail is a popular email platform used by healthcare providers. But is Hushmail HIPAA compliant? The answer is discussed below.
For software to be considered HIPAA compliant, certain security features must be in place. These features must ensure the confidentiality, integrity, and availability of protected health information (PHI).
Hushmail for Healthcare offers the following security measures:
Encryption. Hushmail automatically encrypts emails that are sent between two Hushmail users. Encryption is also available for emails sent to recipients using other email services, but it must be manually enabled by clicking a checkbox. Even with encryption enabled, PHI should never be placed in an email subject line, because email subject lines cannot be encrypted.
Two-step Verification. When signing into a Hushmail account from an unrecognized device, users must enter a verification code in addition to their username and passphrase. The verification code is sent to the user's phone, or an alternate email account, for increased security.
Access Management. Hushmail allows users to be managed through its administration panel. Through the panel, administrators can set up, delete, and configure user accounts (only available to users that use their own domain).
Email Archiving. Hushmail keeps records of both sent and received emails for all users. This provides essential documentation in the case of a HIPAA audit.
Even when a software platform has all of the security features required for HIPAA compliance, the service cannot be considered HIPAA compliant if the provider is unwilling or unable to sign a business associate agreement (BAA). This is because, under HIPAA, software providers that have the potential to access PHI are considered business associates. The good news is that Hushmail is willing to sign a business associate agreement, so its service can be used in a HIPAA compliant manner.
So, is Hushmail HIPAA compliant? Yes, provided it is used properly. Users must ensure that the encryption box is checked on all messages sent to recipients using other email services. Hushmail users must also have a signed business associate agreement before they use the service in conjunction with PHI.