OK, so you want to add a HIPAA email disclaimer. This means that you’re either a medical practice, an organization that serves the healthcare industry, or a business associate.
Regardless of what kind of company you are, you’ll need to do everything in your power to secure the protected health information (PHI) that you handle on a daily basis.
But you already knew this.
You also already stay in constant contact with your patients as a way to keep them engaged. This means reaching out to them by their preferred means of communication.
Well, one of the most popular ways to communicate with clients is by email. In fact, 93% of adult patients want email communications with their physician. That’s an overwhelming majority.
There’s only one big problem with using this form of communication, it’s not secure.
The data sent between the sender and recipient isn’t inherently encrypted among some of the most popular services.
If you happened to overlook that aspect and sent PHI through an unencrypted email provider, the Department of Health and Human Services (HHS) would determine that as a willful, negligent breach. In other words, you’d face a fine somewhere between $1,000 and $50,000 for something that you could’ve easily prevented.
So your patients want you to communicate to them via email but you could end up facing a massive fine that most smaller practices couldn’t recover from. Is it worth it?
Yes, communicating to your patients based on their preferences increases your engagement.
Let me explain a quick example to emphasize that point. Do you know someone who never checks their mail? I imagine that that person is a Millennial because 66% of people in that cohort don’t check their mail at least six days a week. That means that mail isn’t the preferred method of communication for Millennial patients. Thus, your efforts to communicate to through via a letter wouldn’t work.
OK, so does HIPAA allow the use of email? If it does, how do you ensure you and your workforce stay compliant?
Well, what if I told you that adding a simple HIPAA email disclaimer within the signature section of what you send could save you from facing massive fines?
Table of Contents
Why Do I need a HIPAA-Compliant Email Disclaimer?
Before we go any further I need to mention that adding a HIPAA email disclaimer to all of your electronic correspondence isn’t going to solve all of your compliance needs. Healthcare compliance is much more complicated than that.
However, this type of disclaimer does help boost your efforts in four main ways.
First, it acts as a simple reminder to your employees about HIPAA. Every time they send an email or receive one back in a chain they’ll see the company-wide footer explaining how important HIPAA compliance is to your organization. It’s a simple addition to your efforts towards boosting awareness for the most important law you have to abide by as a healthcare organization.
Second, it places a certain amount of responsibility in the hands of the recipient. Your disclaimer lets them know that the message they’ve received may contain sensitive information that’s not 100% secure. Of course, if you’re sending any sort of PHI through email you’ll need to use a secondary service that encrypts the data attached within the email. However, it helps point out that if the recipient chooses to respond to you with private information they’re doing so at their own risk.
Third, it helps protect against sending to the wrong recipient. A well-written clause contains a statement requiring that unauthorized users are to forward the email to the correct party and/or properly dispose of it.
Fourth, it helps guide patients on how to respond. The best email footers explain to patients what they should and should not include in order to protect and guide them. This also indirectly guides them through their conversation with you.
Since there are two separate parties involved in an email exchange, you can’t control everything that happens or gets sent your way. But as a healthcare provider, it’s your responsibility to do whatever you can in order to protect your patient’s most sensitive information.
Before I conclude this section I want to reiterate that, although you should include a HIPAA-compliant email disclaimer, it doesn’t absolve you from your liabilities.
Do not ever send PHI through email unless it’s encrypted.
How Do I Add a Disclaimer to My Organization's Email?
If you’re a part of a large hospital or healthcare organization, adding a company-wide email signature is a responsibility that lands on the desk of your IT department.
However, for smaller practices, it’s important that you assign this responsibility to one or two tech-savvy individuals on your team.
You don’t want everybody in your office knowing how or having the capabilities to change their signature on an individual level.
You’re opening yourself up to more risk by giving your entire team permission to change what’s included by default at the end of their correspondence.
Your employees…
May forget to add the required messaging
Might format it incorrectly
Could leave out important clauses
Might edit the copy to what they want instead of what’s required
Each scenario above puts your organization at risk for non-compliance. The last thing you want is to implement an ineffective HIPAA-compliant email disclaimer. Doing so would end up putting you in the same position you were in when you didn’t have one.
With that, let’s look at how to set up a company-wide signature for some of the most popular providers.
Setting up a Company-Wide Footer in Gmail
Since Gmail is the most popular provider, we’ll start here. Although you could change your user’s signatures on an account basis, you’ll want to set something company-wide as it’s much more manageable.
To do this, you must first navigate to your Google Admin portal.
Once you’re on the page above, you’ll see that there are a ton of different options to select. It’s great that the Admin portal is so customizable, but at the same time it’s a little overwhelming. Without prior knowledge of what to do, you might spend hours trying to find a way to add a companywide signature.
From the main dashboard, click on the “Apps” button.
Once clicked, you’ll immediately notice that there are fewer options available within this section. Of course, you could spend your time clicking in and out of the different icons to try to find what you need but that takes time you don’t have.
Within the “Apps” section, click on the “GSuite” button.
The G Suite section is a little bit different than the others. Instead of tiled buttons it’s user-interfaces switches to a list. This list contains all of the G Suite services you have available for your domain.
On this screen, you’ll want to click on “Gmail” from within the list.
Now we’re getting somewhere. This area will show you all of the different things you can customize and configure for your emails, company-wide. However, you won’t find how where to edit your footer on the first page.
From within the Gmail section, you’ll want to scroll down to “Advanced Settings” and click on it.
Can you believe how buried setting up your footer is within Google’s Admin portal? You could spend hours looking for it. But we’re almost done.
Once you’re in the “Advanced Settings” section, scroll down until you find the “Compliance” section. Within that section, hover your mouse over the “Append Footer” section and click on the “Configure” button that appears.
As soon as you click the “Configure” button a pop-up text editor appears. You’ve finally made it to where you have to be in order to add your company-wide HIPAA email disclaimer. Add and format your text to your liking. Once you’re done, click the “Add Setting” button.
It’s important to note that there are two numbered steps within the “Append Footer” section. The first step is the text editor, pretty straightforward.
However, the second step is a little more interesting. The pop-up asks you whether or not you’d like to append the footer to emails sent within the company. It’s not required for you to choose either option. However, for the sake of keeping your employees constantly aware that they need to abide by HIPAA, I recommend that you check the box and enable this setting.
Setting up a Company-Wide Footer in Outlook
Microsoft has a great how-to section within its customer wiki that explains their process for appending a footer to all of your employees’ email addresses. But, for the sake of this blog post I’ll also break it down.
In Outlook, company-wide signatures are exclusively referred to as disclaimers. The first thing you’ll want to do is navigate to the Microsoft 365 admin center.
From there, click on the Exchange option from the left-hand menu.
Once clicked, you’ll bring up the Exchange dashboard. Similar to Gmail, there are a ton of different settings within this section. However, for the sake of the task at hand, you’ll want to click on the “Mail Flow” button on the left-hand side.
From there, the user-interface will change to a familiar-looking screen. It’s a list, but instead of listing all of the options available for you to edit, Microsoft placed them all within a dropdown menu labeled as a plus sign.
You’ll want to navigate to and select the dropdown menu. Once selected, click on the “Apply disclaimers…” option.
Once you’ve made your selection, another window will appear. Microsoft turned their settings into “Rules.” In other words, instead of turning off or on a certain option, you’re establishing them based on different criteria and logic.
The first thing you’ll want to do when you start creating your Apple Disclaimers Rule is to name it. Name it something like “HIPAA Footer” so you know what it is when you come back to it in the future.
After that, you’ll have to go through the conditional statements and dropdowns. The first statement is “Apply this rule if…” In this step you’ll want to select the “[Apply to all messages]” option at the very bottom.
The second logic statement is “Do the following…” which is the action item for the rule. Here you’ll want to verify that the option that reads “Append the disclaimer.”
After you’ve set the conditions for your new rule, it’s time to add your text. On the right-hand side of the pop-up, select the “Enter text…” hyperlink. Clicking that link opens up the textbox where you add your HIPAA disclaimer.
Unlike Gmail, if you want to change the look of your disclaimer you’ll have to do it with HTML.
After you’ve finished writing and formatting what you want your footer to look like, scroll down and ensure that you’ve selected “Enforce” as the mode for the rule.
Select save, and your new signature is now automatically added after every email your team sends.
Simple HIPAA Email Disclaimer Examples
OK, now that we know why adding a footer explaining your responsibility as a healthcare provider is important and how to set them up, it’s time to look at some examples.
It’s possible that you followed along with the steps above to set up your footer, got to the part where you enter the text and realized that you don’t know what to say.
Are there specific phrases you’re required to include? How long should it be? What should it look like?
These are all valid questions and I plan to answer them by looking at a few different examples.
Before I list the examples, I want to go over a disclaimer you shouldn’t use as a template. If you’ve ever watched a professional sport on TV before you’ve seen and heard their privacy policy video in between commercial breaks.
I’m talking about the one that goes, “Without the expressed, written consent of [insert league here].”
Yes, it sounds very official and the fact that they fit all of the legalese they need to within a 10-second clip that isn’t sped up is impressive.
However, this is not an appropriate disclaimer to add at the bottom of your emails as a healthcare provider. They created it based on copyright laws. You have more responsibility than a professional sports organization.
Example 1: Short and to The Point
This message is confidential. If you believe you received this message in error, please inform the sender and delete this message and all attachments.
The average attention span of an adult in today’s technology-driven world is just 8 seconds. For the sake of comparison, in 2000 it was around 12 seconds. In just 20 years we’ve seen a drop in our ability to focus by 4 seconds. Believe it or not, that’s significant.
The point I’m trying to make with that statistic is that, sometimes the simpler approach is the better one. If your footer is a paragraph or two, written in a font that’s smaller than the body of your email, most people won’t bother reading it.
However, if it’s only a few more words formatted in an easily digestible format, we’re much more likely to take the extra second to read it.
Example 2: Step-by-Step
CONFIDENTIALITY NOTICE: This e-mail, including any attachments, may contain confidential information which is intended only for the use of the individual(s) or entitled named. If you receive this e-mail message in error, please immediately notify the sender by e-mail and delete it. Dissemination, forwarding, printing or copying of this e-mail without prior consent of the sender is strictly prohibited.
Thank you for your compliance.
This is an effective footer for a healthcare organization because it covers all bases within three sentences.
The first clause states that the information provided within the email may contain confidential information. Second, it tells the recipient what to do if they’re not the intended recipient. Third, it wraps up by explaining what isn’t allowed by those who receive it.
Finally, below the legal phrasing is a callout thanking the recipient for complying with the conditions provided. This part is not only separate, but it’s also in a larger font. That makes it stand out to the user and turn their attention to the footer.
Example 3: Regulation, Website, and Policy Callout
HIPAA mandates that we encrypt our messaging correspondence to maintain confidentiality. Since email/text communication isn’t inherently encrypted, it is our policy and duty as a healthcare entity to not use email/text when sharing confidential information. For more information, visit [TERMS OF SERVICE WEBPAGE LINK]. If you receive this message in error, please notify the sender immediately.
Let’s look at a more casual approach than the first two. Instead of hitting the user with strict, legal wording our third example uses simpler wording.
What makes this footer great is that it provides a clickable link to the organization’s terms of service page. In other words, if you want to avoid potentially losing your reader’s to legal phrasing, you can keep things a little bit more casual and link to a page that contains all of the legalese necessary to adequately cover your business practices.
Furthermore, this disclaimer references HIPAA and an internal policy of the organization. Both of these assure your patients that you’re emailing that you take their data and compliance seriously.
Example 4: HIPAA and CAN-Spam Compliance
CONFIDENTIALITY NOTICE: This e-mail, including any attachments, may contain confidential information which is intended only for the use of the individual(s) or entitled named. If you receive this e-mail message in error, please immediately notify the sender by e-mail and delete it. Dissemination, forwarding, printing or copying of this e-mail without prior consent of the sender is strictly prohibited.
Thank you for your compliance.
Click here to unsubscribe
As healthcare companies continue their efforts toward marketing themselves, they’re inadvertently taking on more responsibilities when sending emails. Outside of HIPAA, sending messages to your clients or prospective patients also need to be compliant with the CAN-SPAM act.
I’m not going to go into great detail about the CAN-SPAM act but, in a nutshell, the act spells out requirements for promotional emails. To elaborate, your marketing messages can only go to those people who’ve given you their contact information.
If you’re sending a monthly newsletter with updates about your practice, there are certain pieces of information you need to include within your footer…
Name
Mailing address
A way to unsubscribe
If you’re already doing this for your newsletter, you might as well include this information within your email disclaimer as well.
You’ll more than likely already have the contact information above your disclaimer. Including that accomplishes the majority of CAN-SPAM requirements. Adding the unsubscribe link tells your patients that you care about their communication preferences. Those who unsubscribe from you have a different preference.
Example 5: Blunt With Acknowledgement
Etactics is compliant with HIPAA regulations.
You may contact our office at (330) 342-0568 to learn about our privacy policy and how we collect, keep, and process your private information in accordance with these laws.
Let’s look at a more blunt approach to the email disclaimer.
Sometimes it is best to outright state that you are compliant with the HIPAA laws and regulations.
In the first section of the footer, the sender informs the recipient that the sender of the email is a HIPAA compliant organization. The second section of the footer informs the recipient that if they have any questions, they can contact the office at the number provided.
This type of footer is effective in communicating to the recipient that their protected health information (PHI) is safe and secure. The recipient can trust your organization to be HIPAA compliant. This trust is further confirmed with the company providing a means to be transparent with the recipient of the email.
Example 6: Outline The Consequences
NOTICE: This e-mail message is confidential and may be legally privileged. If you are not the intended recipient, you are hereby notified that any review, copying, forwarding, retention, dissemination, distribution, or disclosure of this communication is strictly prohibited. If you attempt to violate these rules, legal action will be taken.
Please email legalteam@yourdomain that you have received the message in error and then completely delete/destroy it.
Thank you.
Some people will only follow guidelines if the email mentions legal consequences.
This footer example outlines all the prohibited actions of individuals that aren’t meant to receive the email. The footer then threatens that anyone who doesn’t follow the instructions can face legal consequences.
Why make a threat and even mention the legal team?
HIPAA violations and leaked personal health information (PHI) can result in fines and other legal repercussions for the organizations involved. Any individual using the PHI for their personal benefit can also face persecution.
Therefore, anyone who receives the email in error and isn't familiar with HIPAA regulations may not know about its potentially severe consequences.
So the threat isn’t really a threat. The statement in the footer is for the recipient’s own good. They need to know the severity of sharing private medical information.
Conclusion
Whether you’re the owner of a small healthcare practice or a compliance officer for a large facility, you realize the importance of HIPAA compliance.
Although there are many facets to the regulation, there are certain things you can implement into your organization within a few minutes that can have a massive, positive effect on your compliance environment.
Adding a company-wide HIPAA email disclaimer falls under that category. They aren’t spelled out as a requirement within the law but by implementing them you’re further enhancing your employees and patient’s awareness of the law you have to abide by.
In this blog post we explore if HIPAA laws apply to employers and how.