Secure Email Communication & Data Privacy

Reduce Security Risks By Following These Policies

Email Communications for Medical Billing Portals

Medical billing portals use email for a number of reasons: registration, confirmation, a recurring payment notice, or another message directed to the end user or patient. Sometimes an email may touch on sensitive information, so it is important, from a medical billing provider's perspective, to decide deliberately what PHI (Protected Health Information) is shared and in what format.

One of the best policies is to withhold PHI until the user has logged in to the medical billing portal. In that model the portal sends a notification, with a link, to a confirmed email address of the user; the email simply tells the user that there is an update or a new unread message, without elaborating or giving any other indication of the content. Depending on the level of security you wish to configure for email, it is also possible to encrypt an attachment and let the user download it and decrypt it locally.

Moreover, a notification can carry a general indication of its subject without including any details. For example, the subject line might be:

  • Important information about your recent test
  • Urgent message about your account
  • Notification or reminder of an upcoming billing
  • Payment processed successfully
  • Account balance zero

Messages of this kind are generally acceptable as long as they only notify the user and contain no sensitive information: no name, diagnosis, test value, account number or amount.

We generally recommend reviewing with legal counsel whenever there is uncertainty about what is acceptable in a particular circumstance. The capability certainly exists, and we are able to include limited information along with a link for the user to click, authenticate, and then see the full detail in a message center.
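The following is an added example, not code from the original page or from any portal vendor, showing how the notification-only pattern above can be enforced in code rather than by convention. The `PortalMessage` record, the `PORTAL_URL` message-centre address and the category-to-subject table are all assumptions for illustration. The outgoing email gets a generic subject from the table and a link that carries only a random token; the portal persists the token-to-message mapping and resolves it after the user has authenticated. A final check scans the email for any PHI field value before it is handed to the mail sender.

```python
# Added example (not the page's or any vendor's code): building a
# notification-only email for a medical billing portal. PortalMessage,
# PORTAL_URL and NOTIFICATION_SUBJECTS are hypothetical.
from dataclasses import dataclass
from typing import Optional
import secrets

PORTAL_URL = "https://portal.example.com/messages"  # assumed message-centre URL

# Generic subject line per message category; none of them carries PHI.
NOTIFICATION_SUBJECTS = {
    "test_result": "Important information about your recent test",
    "account": "Urgent message about your account",
    "billing_reminder": "Notification or reminder of an upcoming billing",
    "payment": "Payment processed successfully",
    "balance": "Account balance zero",
}


@dataclass(frozen=True)
class PortalMessage:
    """A message as stored inside the portal. body, patient_name and amount
    are PHI (or at least sensitive) and must never leave the portal."""
    message_id: str
    recipient_email: str
    category: str
    body: str
    patient_name: str
    amount: Optional[str] = None


def phi_leaks(email: dict, msg: PortalMessage) -> list[str]:
    """Names of the PHI fields whose value appears anywhere in the outgoing
    email (subject or body). Empty list means nothing leaked."""
    haystack = (email.get("subject", "") + "\n" + email.get("body", "")).lower()
    leaked = []
    for name, value in (("body", msg.body),
                        ("patient_name", msg.patient_name),
                        ("amount", msg.amount)):
        if value and value.lower() in haystack:
            leaked.append(name)
    return leaked


def build_notification(msg: PortalMessage) -> tuple[dict, str]:
    """Return (email, token). The email holds only a generic subject and a
    link with a random token; the caller stores token -> msg.message_id so
    the portal can resolve it once the user has signed in."""
    subject = NOTIFICATION_SUBJECTS.get(msg.category)
    if subject is None:
        raise ValueError(f"no notification template for category {msg.category!r}")
    token = secrets.token_urlsafe(16)   # opaque reference, reveals nothing about the message
    email = {
        "to": msg.recipient_email,
        "subject": subject,
        "body": ("You have a new message in your billing portal.\n"
                 f"Sign in to read it: {PORTAL_URL}?ref={token}\n"),
    }
    # Last line of defence: refuse to send if any PHI value slipped into the text.
    leaked = phi_leaks(email, msg)
    if leaked:
        raise RuntimeError(f"notification would leak PHI fields: {leaked}")
    return email, token


if __name__ == "__main__":
    # Constructed sample message (not real patient data).
    sample = PortalMessage("msg-42", "jane@example.com", "test_result",
                           "Your A1C result is 7.1%", "Jane Q. Doe", "$125.40")
    mail, ref = build_notification(sample)
    print(mail["subject"])
    print(mail["body"])
```

The leak check is deliberately a substring scan over the whole email, so it catches a template that interpolates the wrong field as well as a subject line that was hand-written with a name in it; treat it as a safety net behind a reviewed template, not a substitute for one.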


Other Forms of Communication With Users

In addition to email, it is helpful to use messaging within the medical billing portal itself. Each in-portal message corresponds to an outgoing email that tells the user a new message has arrived or remains unread. The notification then appears throughout the user's session and stays available to open and read; it is marked as read once the user opens it, so they know the action is complete.

The benefit is that a user sees the notification even without access to their email. They still get a visual indicator of an unread message and are notified, even if, for whatever reason, they cannot view their inbox at the moment.

Depending on the sensitivity of the messages, it may be desirable to require an additional verification beyond a successful login. For added security, a multi-factor step can be demanded at the moment someone goes to view a message that contains sensitive data, rather than only at login.

This behavior is commonplace on eCommerce applications, where you have to verify your identity or authenticate again before you can complete a purchase; in most instances this happens when you use a stored credit card but ship to a different address. The same thinking applies to medical billing portals: consider the sensitivity of the information about to be accessed, and whether it warrants a renewed check that the user is indeed who we believe them to be.
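As an added example (not code from the original page or from any portal vendor), the step-up decision described above can be written as a small policy function. The sensitivity tiers, the freshness windows, the `Session` and `Message` records and the known-device set are assumptions for illustration. A routine notice only needs the normal login; anything sensitive needs a sufficiently recent second factor, and, mirroring the "new shipping address" case, anything sensitive from a device the portal has not seen before forces the step-up regardless of how fresh the last MFA was.

```python
# Added example (not the page's or any vendor's code): step-up authentication
# policy for viewing portal messages. Tiers, windows and records are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# How recent a successful MFA check must be before content of each tier is
# shown. None means the ordinary login is sufficient.
MFA_FRESHNESS = {
    "notice": None,                   # "you have an unread message"
    "billing": timedelta(hours=8),    # statements, balances, payment details
    "phi": timedelta(minutes=15),     # clinical detail, test results
}


@dataclass
class Session:
    user_id: str
    device_id: str                    # identifier bound to the browser or app install
    last_mfa: Optional[datetime]      # None if no second factor in this session yet


@dataclass
class Message:
    message_id: str
    sensitivity: str                  # one of the MFA_FRESHNESS keys


def access_decision(session: Session, msg: Message,
                    known_devices: set[str], now: datetime) -> str:
    """Return 'allow' or 'step_up' for a request to open msg in this session."""
    # Fail closed: a message nobody classified is treated like PHI.
    window = MFA_FRESHNESS.get(msg.sensitivity, MFA_FRESHNESS["phi"])
    if window is None:
        return "allow"                # routine notice: login is enough
    if session.device_id not in known_devices:
        return "step_up"              # sensitive content from an unrecognised device
    if session.last_mfa is None or now - session.last_mfa > window:
        return "step_up"              # no MFA yet, or too long ago for this tier
    return "allow"


def record_mfa_success(session: Session, known_devices: set[str], now: datetime) -> None:
    """After a successful second factor: refresh the timestamp and trust the device."""
    session.last_mfa = now
    known_devices.add(session.device_id)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    devices = {"dev-1"}
    s = Session("user-7", "dev-9", last_mfa=now - timedelta(minutes=2))
    print(access_decision(s, Message("m1", "phi"), devices, now))   # unknown device
    record_mfa_success(s, devices, now)
    print(access_decision(s, Message("m1", "phi"), devices, now))   # device now trusted
```

The decision is made at the point of viewing, not at login, which is what the text asks for: a user who logged in with a password and only reads notices is never prompted, while the same user opening a test result is challenged if their last second factor is older than the tier allows.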


Privacy Considerations and Sensitive Information

The central consideration in email, or any messaging, from a medical billing portal is PHI (Protected Health Information). To the extent attainable, there should be a clear distinction between notifying the user and keeping them advised, on the one hand, and actually sharing sensitive information, on the other. That distinction is the deciding factor in any messaging from a medical billing portal, including text messages, so the same rule applies to every channel. Sending a notice, an update, or a reminder that there is an unread message is not a problem.

The usual approach is to include a link, or some other reference, that lets the user read more in the messaging center within the billing portal. If the portal has a mobile or tablet app, the email can deep link back to that app so the user authenticates there before accessing any sensitive information; the link should reference the message only by an opaque identifier, and the app must still require authentication before rendering anything. The bottom line is keeping PHI inside the medical billing portal application: users are notified and informed securely, with simple, helpful and, hopefully, non-alarming messaging.

As a side note, it is possible to send sensitive data, not only as attachments but inside the email body itself, using email encryption such as S/MIME or OpenPGP. We generally do not recommend this, because email encryption can be challenging to maintain. The limitation is not so much technical as a matter of user liability: it is hard to guarantee integrity when users are not aware of what they are handling and do not own responsibility for leaks of sensitive data.

However, it may make sense to provide this direct access for administrators or certain roles within the application. This requires a secure mailbox that forces TLS for all connections, and a policy or rules on the account that remove information from the mailbox immediately (or very quickly) after it is read. Such rules limit how long data lingers, and the mailbox should also store it encrypted at rest, decrypting only when a verified user authenticates to the email account. Note that transport encryption and at-rest encryption on the mail server do not by themselves make a message end-to-end encrypted; the mail provider, and anyone with access to the mailbox store, can still read it.

To recap, there are occasions when it might make sense to put actual PHI in email, but the standard best practice is to avoid it. From a risk-to-reward perspective, it is usually best simply to have users log in, even administrative users, and access everything through a secure portal.

You're always welcome to contact us if you have any questions or would like to review communication possibilities within medical billing portals. We'll be delighted to present the options for email, general notifications, application notifications or text messages and help you choose the most suitable solution. We welcome the opportunity to discuss your project and provide you with complimentary estimates.