How to Send HIPAA Compliant Email? (Best Practices)
Meeba Gracy
Sep 20, 2024
Imagine this. You have built HIPAA-compliant software, trained your staff, and have a dedicated HIPAA compliance officer to oversee your compliance requirements.
But you can still get pulled up by the Office for Civil Rights (OCR) if your email isn’t HIPAA compliant!
Is your email HIPAA compliant? This is what we are going to discuss in this article.
HIPAA compliance software ensures your healthcare organization adheres to the highest standards of data protection while collecting, storing, transmitting, or processing Protected Health Information. Some important terms:
Protected Health Information (PHI): Any data that could identify a person and their health conditions.
Covered Entities (CE): Healthcare providers, insurance companies, and clearinghouses that process transactions, create, store, or share PHI.
Business Associate (BA): Agencies, vendors, and other companies that help HIPAA-covered entities conduct operations involving PHI.
What is HIPAA compliant email?
HIPAA-compliant email is a secure, private mail service that healthcare professionals use to send electronic protected health information (ePHI) to patients and other healthcare professionals. It encrypts PHI so that it cannot be read by miscreants.
Why should the emails shared by healthcare providers be HIPAA compliant?
In 2011, a phishing attack hit Metro Community Provider Network, a Denver-based non-profit that offers medical and health education services. After one employee responded to the initial email, the attacker gained access to employee email accounts.
Consequently, the information of 3,200 patients was put at risk, and the incident became a landmark HIPAA compliance case.
This is where HIPAA-compliant email plays a decisive role. Healthcare providers need to send HIPAA-compliant email because doing so preserves patient privacy in every form of communication.
According to HIPAA, emails containing any form of ePHI that leave the internal network should be encrypted. Encryption keeps the content from being read by miscreants, including when a message is sent to the wrong recipient by mistake.
So, the first rule of avoiding unauthorized disclosure of PHI is to get the email address right!
For example, if an email is sent to the wrong recipient or intercepted by someone other than its intended recipient, the encryption protects any sensitive information it contains.
Without proper compliance, healthcare providers risk violating patient privacy and facing severe consequences.
Encrypting email is just one of many email security measures you can adopt. Whether it is the right option for your situation depends on the HIPAA risk assessment and analysis, which establishes how severe the threat of not encrypting your email data is.
For example, encryption would be unnecessary if all emails containing ePHI stay within a secure network and access is restricted to authorized individuals.
The penalties for HIPAA email violations range from $1k to $1.5 million depending on the severity of the violations. Let’s take a look at the fines per year for HIPAA email violations in detail:
| Penalty Type | Fine (per year) |
| --- | --- |
| Willful neglect (issue corrected within a reasonable time) | $10k to $50k |
| Willful neglect (issue not corrected within time) | $50k to $1.5M |
| Unavoidable with reasonable care | $50k to $100k |
| Violation despite reasonable care | $1k to $50k |
How to make your email HIPAA compliant?
Emails that contain a patient’s ePHI require protection under HIPAA. To meet the standard, the email needs to be encrypted with AES, 3DES, or another recognized algorithm (note that NIST has since deprecated 3DES, so AES is the practical choice today). If the PHI is sent as an attachment, the file itself must be encrypted. Likewise, if the ePHI is in the body of the email, the message body must be encrypted.
Here are the 9 steps to make your email HIPAA compliant:
HIPAA-compliant email encryption for your emails
According to HIPAA guidelines, emails containing ePHI sent outside your organization must be encrypted to ensure privacy and security. For this reason, it is important to encrypt all emails containing sensitive information.
There are several ways to encrypt emails, and many HIPAA compliant email providers offer encryption as a built-in feature. If you’re unsure how to encrypt your emails, your email provider should be able to provide instructions.
Please be advised that even if your service provider can encrypt the emails you send, double-check that it has access controls. This way, its contents are only accessible to the intended recipient and sender.
Some email providers require users to encrypt their emails manually, but this step is easily forgotten. To avoid human error, it is best to always encrypt your emails using a standard such as AES with 128-, 192-, or 256-bit keys.
For example, while Gmail can be HIPAA compliant, this applies only to the paid Google Workspace edition, not to the widely used free @gmail.com accounts.
Make sure only the right staff have access to PHI and know the HIPAA rules
Specify who on your team needs PHI access to send patient data by email, and ensure that only those staff have it, not everyone else.
The next step is to train your staff to use email correctly and safeguard PHI.
For instance, employees may write an encrypted email containing PHI on their laptops but forget to lock the device when leaving for a break. Now anyone who passes by has access to the PHI, violating HIPAA regulations.
Use the right technology to prevent human errors such as sending ePHI to unauthorized individuals by mistake or forgetting to encrypt an email. Also, keep an archive of security-related emails and of changes to the privacy policy for at least six years.
Also check out: Various types of HIPAA rules
Share PHI via email only when it is required
When sharing PHI with patients or employees, double-check that it is absolutely required. There is always a risk that the email is sent to the wrong person or even intercepted by miscreants.
Before sending an email, confirm the recipient’s address and include a privacy statement reminding them that email is not a secure form of communication.
For example, verify the address against a directory or past correspondence. This protects both you and the recipient and ensures that patient privacy is maintained.
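The directory check described above can be automated at the point of sending. The following Go program is an added example, not code from this article or from Sprinto: it looks a typed address up in a constructed approval list (an assumption standing in for the practice’s real directory) and, when the address is not found, reports whether it is within two character edits of an approved entry, which is the usual signature of a typo. It goes slightly beyond the text by flagging near-misses separately from unknown addresses, so a mail gateway can block the former outright and hold the latter for confirmation.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// approvedRecipients is a constructed stand-in for the practice directory
// (assumption: a real deployment would load it from the EHR or address book).
var approvedRecipients = []string{
	"records@partner-clinic.example",
	"billing@partner-clinic.example",
	"j.doe@patient-mail.example",
}

// Verdict is the outcome of a recipient check. Code is one of
// "ok", "near-miss" or "unknown"; Reason is a human-readable explanation.
type Verdict struct {
	Code   string
	Reason string
}

// levenshtein returns the number of single-character edits needed to turn
// a into b; one or two edits between a typed address and a directory entry
// is the usual signature of a typo.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	curr := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		curr[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			curr[j] = min3(prev[j]+1, curr[j-1]+1, prev[j-1]+cost)
		}
		prev, curr = curr, prev
	}
	return prev[len(rb)]
}

func min3(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

// CheckRecipient normalises the typed address, looks it up in the directory
// and, on a miss, says whether it is within two edits of an approved entry.
// Only "ok" should let a message with PHI leave; the other two codes should
// block sending until a human confirms the address.
func CheckRecipient(addr string) Verdict {
	norm := strings.ToLower(strings.TrimSpace(addr))
	known := append([]string(nil), approvedRecipients...)
	sort.Strings(known) // deterministic order so the same near-miss is reported every time
	for _, k := range known {
		if k == norm {
			return Verdict{"ok", "address found in directory"}
		}
	}
	for _, k := range known {
		if d := levenshtein(norm, k); d <= 2 {
			return Verdict{"near-miss", fmt.Sprintf("%d edit(s) from %q; probable typo", d, k)}
		}
	}
	return Verdict{"unknown", "not in directory; confirm with the recipient before sending PHI"}
}

func main() {
	// Constructed inputs: one correct (with stray capitals and a space), one typo, one stranger.
	for _, a := range []string{
		"Records@Partner-Clinic.example ",
		"recrods@partner-clinic.example",
		"someone@elsewhere.example",
	} {
		v := CheckRecipient(a)
		fmt.Printf("%-35s %-9s %s\n", a, v.Code, v.Reason)
	}
}
```

The edit-distance threshold of two is a design choice: it catches transpositions and single dropped or doubled characters without flagging genuinely different addresses on the same domain.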
Take a backup of all email communications
Following HIPAA rules includes backing up PHI, and that includes email communications. The minimum retention period for patient information mandated by HIPAA guidelines is six years, but keep in mind that requirements vary from state to state.
If you’re transmitting any confidential information, whether it’s patient medical records or sensitive staff information, it’s crucial to document and archive that transmission.
It will keep you covered should any HIPAA issues arise. Peace of mind is an added bonus!
Keeping a record on a local hard drive works, but why risk a power outage, security breach, or worse?
The answer is simple: invest in a cloud backup solution for your organization. It offers reliable protection and compliance with HIPAA standards, keeping your important documents safe from physical damage and human error. Don’t wait until it’s too late; secure your transmissions now.
Recommended: A quick guide to data retention
Get patients’ permission before communicating via email
To send PHI via email, first obtain the recipient’s written consent. A BA or CE must also inform the patient that even the best-known email services, such as Google or Yahoo, can never guarantee total security.
So, what can you do?
Only send emails from devices with password protection and up-to-date anti-virus software, avoid easily guessable passwords, and never share login information. Many businesses opt instead for a secure online portal with its own account and password.
In that case, the email itself carries only a notification telling the patient that a new message is waiting in their portal account, nothing more.
Use HIPAA-compliant email software to share details
In order to stay compliant with HIPAA, PHI must be protected while at rest (e.g., through unique user accounts and passwords) and in transit. This means the email must be encrypted each time it crosses the Internet or another insecure network.
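To make the at-rest and in-transit requirement concrete, and to illustrate the earlier advice to encrypt attachments and message bodies with AES rather than relying on a manual step, here is an added Go example. It is not code from this article or from Sprinto. It seals an attachment with AES-256-GCM, binds it to the filename and recipient through authenticated associated data, and fails closed on decryption if anything was altered. The key generation is an assumption for self-containment; in practice the key would come from a key manager or be wrapped for the recipient, and the sample record is constructed, not real patient data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. Assumption: a real system obtains
// the key from a key manager shared with the recipient; generating it here
// keeps the example self-contained.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptAttachment seals plaintext with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag. aad (for example filename and recipient) is
// authenticated but not encrypted, so moving the blob onto a different
// message or filename is detected on decrypt.
func EncryptAttachment(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, so the nonce travels
	// with the ciphertext and no separate field is needed.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptAttachment reverses EncryptAttachment and fails closed: any change
// to the nonce, ciphertext, tag or aad yields an error and no plaintext.
func DecryptAttachment(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return nil, errors.New("authentication failed: attachment altered or wrong context")
	}
	return pt, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample attachment; not real patient data.
	record := []byte("Patient: J. Doe (constructed)\nVisit: example only\n")
	// Binding metadata: authenticated and sent in the clear alongside the blob.
	aad := []byte("filename=visit-summary.txt;to=records@partner-clinic.example")

	blob, err := EncryptAttachment(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed blob: %d bytes (12-byte nonce + %d-byte body + 16-byte tag)\n", len(blob), len(record))

	pt, err := DecryptAttachment(key, blob, aad)
	fmt.Printf("decrypted ok: %v, matches original: %v\n", err == nil, string(pt) == string(record))

	// Flipping one bit of the ciphertext is caught by the GCM tag.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptAttachment(key, tampered, aad)
	fmt.Println("tampered copy rejected:", err != nil)

	// Re-attaching the blob to another message (different aad) is also caught.
	_, err = DecryptAttachment(key, blob, []byte("filename=other.txt"))
	fmt.Println("blob moved to another message rejected:", err != nil)
}
```

GCM is used rather than a bare block mode because it provides integrity as well as confidentiality: a recipient learns not only that the attachment is unreadable to outsiders but that it was not modified or swapped in transit, which is the property a breach investigation will ask about.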
Free webmail services such as Gmail and Hotmail are not secure for sharing PHI. For instance, in 2012 Phoenix Cardiac Surgery was fined $100,000 for failing to protect its data and for using an Internet-based email service for practice administration.
This is where the Business Associate Agreement (BAA) comes in: a contract that requires the healthcare provider and the email service provider to maintain certain standards of conduct.
Both Microsoft and Google have signed BAAs.
Even though a signed BAA protects you somewhat, it is not foolproof. The Omnibus Rule states that the covered entity remains responsible for ensuring the business associate does everything the agreement requires.
If either party is found in violation of HIPAA, fines will follow. Typically, the BAA covers only the provider’s servers; responsibility for protecting every other part of the data falls on the CE.
Get legal advice from a healthcare attorney
It’s important to seek legal advice from a healthcare attorney. Only a qualified professional can help you find an email service that meets the strict security and privacy requirements of HIPAA.
Email is a common way for healthcare providers to exchange information securely, but it’s important to make sure the service is configured correctly to protect against data breaches and unauthorized access.
A healthcare attorney can help you choose a service that is both secure and compliant with HIPAA regulations.
No matter what policies you put in place, unless you are a healthcare attorney you cannot verify the validity of everything yourself. This is why you should work with a healthcare attorney to ensure you’re HIPAA compliant.
Secure all the devices that have access to PHI
A secure platform is the proper way to communicate with a patient, but are the devices that hold your ePHI equally secure?
Whether you store the PHI on mobile devices or servers, you must ensure the information is safe and out of reach from prying eyes.
For example, because mobile devices are small and portable, an employee may occasionally misplace one. Losing the device could have serious consequences.
Remember, though, that if a device containing PHI is lost, it only counts as a reportable breach if the data on it was not properly encrypted.
So, what can you do to keep all the devices with access to PHI safe?
- Use encryption to safeguard health information stored or transmitted by portable devices.
- Use a password or other user authentication tools. (They are the first line of defense, after all)
- Install software that allows you to remotely disable or erase data from your portable device if it gets lost or stolen.
- Do not install or use file-sharing applications.
- Use a firewall to block unauthorized access to your computer; install and enable one on every device.
- Keep your computer safe from harmful viruses and attackers by installing security software.
- Investigate portable applications before downloading them.
- Use adequate security measures (such as a secured WiFi connection) to keep ePHI safe when sending or receiving it over public WiFi networks.
- Ensure you have wiped your device of all health-related data before you get rid of it.
Provide HIPAA training to your staff
In the age of remote work and bring-your-own-device policies, it’s even more critical to have clear training on how to handle PHI. This includes understanding the importance of encryption when sending PHI through email as well as obtaining a patient’s consent before sharing their information.
For example, if the PHI is included in the body text of the email, the message must be encrypted. If the email contains an attachment, the attachment with PHI should be encrypted.
It’s also crucial for staff to know all the identifiers that make data PHI, so they can avoid accidentally sending sensitive information through insecure channels.
Consistent and ongoing education in this area is essential for ensuring compliance and protecting patient privacy.
If you also want to understand how to make sure your software is HIPAA compliant, see our separate guide on that topic.
How to select the right HIPAA-compliant email service?
When choosing a HIPAA-compliant email service provider, encryption is the most important feature to look for.
To keep PHI protected, use an email provider with end-to-end encryption (E2EE), which encrypts messages both in transit and in storage.
Furthermore, any email carrying PHI must also follow NIST guidance, which means the provider should use AES with 128-, 192-, or 256-bit keys, OpenPGP, or S/MIME to be HIPAA compliant.
Here’s a list of features you have to look out for when considering an email platform apart from email encryption:
- SSL connection
- Open-source software code
- Email expiration
- AES, OpenPGP, and RSA cryptography
- Doesn’t track or log PII (personally identifiable information)
- Servers are stored in nuclear bunkers underground
- Ethereum Blockchain Technology
- Outlook, Gmail, and O365 add-ins
- Web-only version
- Email archiving and data storage
- Two-factor authentication
- Custom domain names
- Unlimited email aliases
- Uses HIPAA, SOC 2, PCI DSS, VISA, and SSAE 16 compliant data centers
- Access logs and login audit trails
- Spam protection
- Email filtering
- Virus scanning
- Phishing protection
- Email reports
- Blanket TLS compliant email encryption
- Real-time analytics
- HITRUST CSF certified
- 24/7 customer support
Also check out: HIPAA compliance checklist
What’s Next?
Using HIPAA-compliant email is just one of the things you must do in order to become and stay HIPAA compliant. One small slip-up can result in costly penalties and damage to your reputation.
Using Sprinto’s compliance automation platform helps you manage the many HIPAA rules and requirements from the comfort of an intuitive and comprehensive dashboard.
You can conduct comprehensive risk assessments, employee training, and use our editable policy templates to ensure you stay compliant with all HIPAA regulations. Plus, our in-app references provide a clear understanding of the potential impact of any unresolved risks. Don’t risk it – let Sprinto help you start your journey toward complete email HIPAA compliance today. Talk to us!
FAQs
Is there a free HIPAA-compliant email?
Yes, RMmail offers a free email service for organizations that only occasionally need to send encrypted HIPAA-compliant email. The downside is that the free tier allows only five encrypted emails per month.
This is why it is better to choose a paid option such as Google Workspace, Virtru, Barracuda, or Hushmail, which offer advanced features at various price points.
Is Gmail HIPAA compliant?
While you may use Gmail for all your emailing needs, it’s essential to know that the version of Gmail most people use isn’t HIPAA compliant. If you want to keep using Gmail, sign up for Google Workspace, the paid version designed specifically with businesses in mind.
Unfortunately, you’ll have to purchase a separate email encryption service plan from another source to protect your emails. In addition, the setup process is complicated, and Google’s support for it is limited.