Common Email Complaints and HIPAA-Compliance Confusion

Molly PereiraFeatured News

By Robert McDermott
From the Fall 2020 Journal of the Colorado Dental Association

Cloud-based, secure email has many benefits, especially high-security, high-compliance, and high-functionality. But buyer beware: not all HIPAA-compliant email services are created equal.

Many services show you something that looks great on the surface but lacks the infrastructure to truly improve your business. Many cloud-services claim to be HIPAA-compliant, but an unsettling number of services may only loosely meet federal law—and that’s where you need to be careful.

See if any of the following common complaints and statements resonate with you. It’s never too late to ask questions of your current email service provider and make changes if needed.

  1. “It’s a free service and it says its HIPAA compliant.”

Many email services offer low or no cost service and claim compliance. But, many of these services only provide encryption as protection at the “free” level. Encryption is critical because it makes it harder to open a message traveling across the internet if a cybercriminal intercepts it. However, encryption alone doesn’t cut it, it’s just one of the requirements for compliance. Six specific federal requirements must be met. In addition to encryption, check to see if your email service:

  • Authenticates recipients using the DIRECT protocol
  • Controls access with auto logoffs + more
  • Transmits securely at 2048-bit encryption
  • Keeps copies of unaltered records, storing your files in highly secure, private server centers to prevent tampering
  • Provides an audit trail for every message so you can produce this immediately if audited
  • Securely stores your Electronic Protected Health Information (ePHI) for six years to prevent loss, theft, or damage
  1. “I thought spam was just annoying sales attempts, but my colleague was just hacked!”

Your colleague is not alone. Spam and phishing attacks are the primary ways cybercriminals target dental practices. The most secure cloud-based service will be built on the DIRECT Protocol, the federal government’s preferred standard for exchanging ePHI. This standard verifies that the sender is a nationally registered healthcare provider. DIRECT Protocol ensures that your PHI-relevant inbox contains messages only from verified providers or others with your permission. Stopping the criminals at the front door is far more effective than trying to neutralize them once they’re already inside.

  1. “I can’t attach this large imaging file!”

Everyone has gotten the “ERROR” message telling them that their attachment is too big. The right email service won’t restrict you to a certain size or number of files allowed in an attachment. Be sure to talk with your cloud service to make sure it offers flexible service without file size limits at no additional cost.

  1. “I spend a lot of time logging in and out of various windows.”

To speed up your workflow, look for a cloud-based service that integrates your regular email—Gmail, Outlook, Yahoo, etc.—into the same interface as your HIPAA-compliant email. That means one login shows you all email options. You should also be able to add that functionality into a robust cloud-based practice management system and completely say goodbye to window hopping.

It is worth taking a few minutes to evaluate the effectiveness and compliance level of your “secure” email. The simple change to an efficient, truly compliant email service can speed up your workflow, reduce stress and save money.

Robert McDermott is the president and CEO of iCoreConnect. You can visit for special member pricing or contact 888-810-7706.