HIPAA-Compliance: Messaging & Client Portals

At MerusCase, we take our HIPAA-compliance very seriously! Today, we're going to discuss a few key features that will allow you to interact with your clients, all the while keeping sensitive data completely secure.

First, sending a HIPAA-compliant email message is very similar to sending a regular email message through MerusCase. The only difference is that you'll need to send the message through your user+ account, which we will walk you through, below. (Note: if you do not already have your outbound email account setup with Merus, the "From:" address will default to your user+ account.)

In order to send a HIPAA-compliant message, all you have to do is follow these easy steps:

1. Go to Messages > Compose or click on click on Compose on the right side of your screen from you Inbox tab.
2. In the "From:" field of the Compose page, click on the drop-down menu that displays your email address.
3. Select your user+ address from the list, which should look something like "user+0123456@meruscase.net."
4. Continue composing your message as you normally would.

Now that you know how to send a HIPAA-compliant message, you might be asking yourself, what's a user+ account and what exactly does it do?

When you send an email from your user+ account in MerusCase, it prompts the receiver to sign into the MerusCase system in order to securely access the message and any attachments from your email, as you can see in the screenshot, below. Additionally, if the receiver of your email doesn't have a MerusCase account, they'll also be asked to create an account before they can access your message. In other words, non-Merus case users will activate a client portal in order to view any information you have sent them, such as messages or invoices.

Finally, why does the message need to be accessed through MerusCase in order to be HIPAA-compliant?

Sending and receiving messages exclusively through MerusCase allows us to keep your message, and all related information, encrypted on our servers. Alternatively, when you send an email without using your user+ account from MerusCase to an @gmail.com or other email account address, the message is then transferred from our severs to the servers of the receiver's email provider. When your data changes servers, we no longer have control over how and when that data is accessed. That said, by keeping the message solely on our servers, we can ensure that your message data remains completely encrypted and inaccessible by potentially ominous forces.

For more information on HIPAA and how it affects the work we do at MerusCase, feel free to take a peek at our White Paper, The HIPAA Final Omnibus Rule: New Changes Impacting Business Associates!

Click to Subscribe

Note: This post features MerusCase Version 3.9 or earlier. As such, this post may no longer be accurate. For the most current and up-to-date information about the latest version of MerusCase, please visit our documentation at docs.meruscase.com.