In A3 of the FAQs in this OCR doc, it seems pretty clear that no such service is necessary. Even encryption isn’t required under the act. Just reasonable precautions in the way of verifying who you’re sending to and making a reasonable effort to limit the information being transmitted. Anyone have any experience in this area?
Does the HIPAA Privacy Rule permit health care providers to use e-mail to
discuss health issues and treatment with their patients?
Yes. The Privacy Rule allows covered health care providers to communicate
electronically, such as through e-mail, with their patients, provided they apply
reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example,
certain precautions may need to be taken when using e-mail to avoid
unintentional disclosures, such as checking the e-mail address for accuracy
before sending, or sending an e-mail alert to the patient for address confirmation
prior to sending the message. Further, while the Privacy Rule does not prohibit
the use of unencrypted e-mail for treatment-related communications between
health care providers and patients, other safeguards should be applied to
reasonably protect privacy, such as limiting the amount or type of information
disclosed through the unencrypted e-mail. In addition, covered entities will want
to ensure that any transmission of electronic protected health information is in
compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164,