- HIPAA-compliant email ensures that Protected Health Information (PHI) is secure during transmission and storage, in compliance with the HIPAA Privacy and Security Rules. HIPAA advises, but does not strictly mandate, securing PHI with encryption; since there is no effective alternative, encryption is in practice essential.
- Third-party email service providers must sign a business associate agreement (BAA) before hosting or transmitting emails with PHI. G Suite and Enterprise E3 and E5 versions of Microsoft Office 365 are HIPAA compliant. End-to-end encryption and two-factor authentication are also required to prevent data breaches.
- You should have policies and procedures around safe email practices and HIPAA Compliance training programs for employees to use email correctly.
Did you know that of the 713 major healthcare data breaches in 2021, which affected over 45.7 million people, more than a third (258 events) originated from email?
This tells us that not all healthcare organizations may have a handle on securing patient data in emails.
Even if they don’t send marketing emails to patients, they’re still sending informational and transactional emails to doctors, vendors, patients, and so on. And these emails contain protected health information (PHI).
What should catch your attention is how large the fines are for email-related HIPAA violations:
- Lifetime Healthcare, a health insurer, was fined $5.1 million for a data breach that affected 9.3 million patients.
- Banner Health paid a fine of $200,000 for being in violation of HIPAA’s right of access requirement.
So does HIPAA allow you to use email to talk about treatment and health issues with patients?
The US Department of Health and Human Services (HHS) established HIPAA in 1996 to protect sensitive patient data, including email communications. As email technology has advanced, so have HIPAA’s rules around credible controls to prevent data theft and snooping.
HIPAA compliance for email is a misunderstood topic because you need physical, network, and procedural security measures to safeguard emails containing PHI. Signing a business associate agreement (BAA) with the email provider only guarantees that the provider will protect the emails in a HIPAA-compliant manner while it holds them; that protection does not extend to the moment they are transmitted over the Internet to patients.
In this article, we will explain how you can send HIPAA-compliant emails and what the risks of not doing so are.
What Is the Best HIPAA Compliant Email?
HIPAA-compliant email involves sending email with PHI securely to the recipient’s inbox via measures such as end-to-end encryption. Email transmission and storage should comply with the HIPAA Privacy Rule and HIPAA Security Rule.
- The HIPAA Privacy Rule establishes standards to safeguard PHI. It places limits and conditions on the access, use, and release of PHI without patient authorization.
- The HIPAA Security Rule establishes the administrative, physical, and technical safeguards to protect electronic PHI (ePHI).
This means HHS allows covered entities and business associates to send ePHI through email, but they must do so securely. Sending PHI in unencrypted email is a HIPAA violation and becomes a serious data breach if it falls into the wrong hands.
The sender’s obligation to safeguard PHI ends once the email lands in the recipient’s inbox. From here on, the recipient should secure the PHI.
If you host or send ePHI via a third party, you need to obtain a signed BAA that outlines the safeguards the company will put in place to secure patient data.
No certification program exists for third-party email providers to certify themselves HIPAA-compliant. Covered entities must ensure that these email services have robust technical security measures in place and they follow the provisions of the HIPAA Privacy and Security Rules.
Source: Brighter Vision
Does HIPAA-Compliant Email Require Encryption?
Encryption makes data undecipherable during transmission and at rest. Transmit emails with PHI only after encrypting them with a third-party email encryption service or with algorithms such as AES and 3DES (note that NIST has since deprecated 3DES, so AES is the practical choice for new deployments).
If the PHI is sent as an attachment, encrypt only the attachment. If it’s sent in the body of the email, secure the entire message.
HIPAA encryption requirements have two components – required and addressable.
- Required encryption protocols are mandatory to avoid HIPAA violations.
- Addressable encryption protocols can be implemented when a risk assessment deems it necessary to encrypt emails to protect ePHI.
If your cloud-hosted company decides not to implement encryption, you must document the reasons for that decision and apply an alternative solution to secure ePHI. Realistically, there is no appropriate and equivalent alternative for safeguarding PHI in email, so encryption is needed.
You put your cloud-hosted company and your patients’ privacy at risk by failing to set up encryption for emails containing PHI. HHS’ Office for Civil Rights (OCR) enforces HIPAA compliance for email by levying fines ranging from $100 to $1.5 million per incident, depending on culpability and the severity of the violation.
Florida Healthy Kids Corporation, Smile Brands Inc., Forefront Dermatology, and CaptureRx reported some of the biggest health data breaches in 2021, each incident affecting more than 151K people.
How to Send HIPAA Compliant Email
Implementing an email encryption service alone is not enough for HIPAA compliance. You must configure the service appropriately and use it correctly.
Here’s how you can do it:
- Ensure you have end-to-end encryption for email
You should have end-to-end encryption to make your email HIPAA compliant, which means configuring encryption so that only the sender and the intended recipient can read the contents of the email. The intended recipient holds the cryptographic key needed to unlock the message.
Consider using suitable encryption standards like AES 128, 192, or 256-bit encryption.
Encryption is only as strong as the security of users’ devices. Attackers who compromise an endpoint may obtain the encryption key or read the decrypted plaintext emails. To reduce this risk, implement multifactor authentication and endpoint security controls to prevent unauthorized account access.
- Sign a business associate agreement with your email provider
When you use a third-party email service provider, you should get a signed BAA before sending ePHI. The BAA sets out the responsibilities of the service provider and mandates that PHI be secured with administrative, physical, and technical safeguards.
Source: Adelia Risk
- Set up your email service correctly
Even if you have a BAA with your email service provider, it does not make you automatically HIPAA compliant. You must configure your email service correctly to have end-to-end encryption in place.
Gmail, Yahoo, Outlook.com, GoDaddy, and HostGator are NOT HIPAA-compliant. Google’s data shows that 87% of Gmail’s outbound emails are encrypted in transit (via TLS), which isn’t good enough for HIPAA.
You can make Gmail HIPAA compliant by purchasing G Suite and using it along with a business domain. G Suite enables administrator controls on users such as requiring the use of two-factor authentication and limiting email use on mobile devices.
Google signs a BAA for its paid services, not for Gmail. You enter a virtual agreement with Google when you open an administrator account on your cloud-hosted company’s G Suite profile.
- Create email regulations and provide training to your employees
Develop policies that include safe email practices to make email HIPAA compliant.
Train your employees to use email correctly to safeguard PHI. For instance, an employee may write an encrypted email with PHI on their laptop but forget to lock it when leaving the workstation for a break. The PHI is now exposed to anyone who passes by—this is a HIPAA violation.
Use appropriate technology to prevent human errors such as accidentally sending ePHI to unauthorized individuals or forgetting to encrypt an email.
Source: Adelia Risk
- Before communicating with patients via email, get their permission
Even if you use a HIPAA-compliant email service provider, seek written consent from patients before sending ePHI in emails. HIPAA rules state that you are not responsible for the email service your patients use and that they have a right to get unencrypted emails.
Take the following steps to fulfill your responsibilities:
- Inform patients about the risks to data confidentiality, privacy, and security when PHI is sent via email. If they still want to receive it, you can send the PHI.
- Document your conversations with patients to protect yourself in the event of OCR investigations.
- Seek legal guidance on HIPAA and email compliance
Consult with a healthcare attorney who is a HIPAA compliance specialist to ensure that your cloud-hosted company meets the requirements for HIPAA compliant email.
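As an added example (not code from the article or from Sprinto), here is a pre-send gate in Python that applies the checks the steps above describe: an outbound message is released only if it is already encrypted end-to-end, contains no recognizable PHI in plaintext, or goes solely to patients whose documented consent to unencrypted email is on file. The consent list, the PHI patterns, the sample messages and the rule that an uninspected attachment counts as PHI are all constructed assumptions for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses
# Constructed: patients with documented, informed consent to unencrypted email.
CONSENTED_RECIPIENTS = {"pat.example@example.org"}
# Constructed PHI indicators; a real gate would use a tuned DLP ruleset.
PHI_PATTERN = re.compile(r"\bMRN[:#\s]*\d{6,}\b|\b(?:date of birth|DOB)\b|\bdiagnos(?:is|ed)\b", re.I)
# Parts already opaque to the mail provider: S/MIME (RFC 8551), PGP/MIME (RFC 3156).
ENCRYPTED_TYPES = {"application/pkcs7-mime", "multipart/encrypted"}

def unprotected_findings(msg):
    """List the ways a message would expose PHI if handed to the provider as-is."""
    if msg.get_content_type() in ENCRYPTED_TYPES:
        return []  # entire message is encrypted end-to-end
    findings = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_type() in ENCRYPTED_TYPES:
            continue
        if part.get_content_maintype() == "text":
            if PHI_PATTERN.search(part.get_content()):
                findings.append("PHI in plaintext body")
        elif part.get_content_disposition() == "attachment":
            # Assumption: attachment contents are not inspected, so any
            # unencrypted attachment is treated as if it carried PHI.
            findings.append("unencrypted attachment %r" % part.get_filename())
    return findings

def check_outbound(msg):
    """Return ('send', reason) or ('block', reason) for an outgoing message."""
    findings = unprotected_findings(msg)
    if not findings:
        return "send", "no unprotected PHI"
    recipients = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if recipients and recipients <= CONSENTED_RECIPIENTS:
        return "send", "unencrypted at documented patient request: " + "; ".join(findings)
    return "block", "encrypt before sending: " + "; ".join(findings)

def build_message(to, body, attachment=None, smime_blob=None):
    """Constructed sample; smime_blob stands in for a real CMS enveloped-data body."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "clinic@example.org", to, "Visit summary"
    if smime_blob is not None:  # whole message already encrypted to the recipient's key
        msg.set_content(smime_blob, maintype="application", subtype="pkcs7-mime",
                        params={"smime-type": "enveloped-data"}, filename="smime.p7m")
        return msg
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application", subtype="pdf", filename="visit.pdf")
    return msg
```

The gate deliberately fails closed: a message it cannot classify as protected is blocked rather than sent, which matches the article's point that there is no equivalent substitute for encryption.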
Email is a quick and convenient method to transmit information electronically, but it is not secure enough to meet HIPAA standards. Even with third-party encryption service providers, you will need to take additional technical security measures.
HIPAA compliance may seem confusing and inaccessible but Sprinto’s automated platform can help you become compliant through a simple four-step process.
Get a demo to learn more.
FAQ: How to Make Your Email HIPAA Compliant
- What is HIPAA compliant email?
Email that adheres to HIPAA Privacy and Security Rules to safeguard PHI contained within it is HIPAA-compliant.
- How to send a HIPAA compliant email?
To send HIPAA-compliant emails, your cloud-hosted company should have a signed BAA with the encryption provider, written patient consent to send emails, and end-to-end encryption in place.
- How to make email HIPAA compliant?
Follow these steps to make sure your email is compliant with the HIPAA Compliance Checklist:
- Have your encryption service provider sign a BAA.
- Get written consent from patients before sending ePHI in emails.
- Store emails with PHI in a secure archive.
- Use end-to-end encryption with standards like AES and 3DES (3DES is now deprecated by NIST, so prefer AES).
- How to get a HIPAA compliant email?
Cloud email providers Google Workspace and Office 365 have agreed to sign BAAs to support HIPAA compliance. However, you must use Google Workspace’s email service along with a business domain and end-to-end encryption to be HIPAA compliant. The Enterprise E3 and E5 versions of Microsoft Office 365 comply with HIPAA rules.