
Why Personal Email Accounts are not HIPAA Compliant

Personal email accounts are not HIPAA compliant because it is necessary to have a Business Associate Agreement in place with the email service provider before including Protected Health Information in the content of an email, and email service providers will not enter into Business Associate Agreements with personal customers.

When you send an email from any type of email service hosted by a third-party email service provider (e.g., Gmail, Outlook, Yahoo, etc.), the email travels from your device to your provider’s mail server. When it reaches your provider’s server, it is either stored on the server until the recipient logs into their account, or – if the recipient uses a different email service – forwarded to their provider’s server, where it is stored until the recipient logs into their account.

In both scenarios, your email service provider is conducting a service on your behalf by storing and facilitating the delivery of your email. If you are a HIPAA covered entity, and your email contains Protected Health Information (PHI), your provider qualifies as a business associate and it is necessary for you to obtain satisfactory assurances that the provider will appropriately safeguard the information via a Business Associate Agreement.

Email service providers with the capabilities to appropriately safeguard PHI in compliance with HIPAA are willing to enter into Business Associate Agreements – but they won’t do it for free. Consequently, HIPAA covered entities wishing to send PHI via email are required to subscribe to a business or enterprise plan with the email service provider in order to meet the “satisfactory assurances” requirements of the HIPAA Privacy and Security Rules.


This is the Only Reason Personal Email Accounts are not HIPAA Compliant

Some sources suggest that personal email accounts are not HIPAA compliant because they lack the necessary encryption and security controls. However, this is not the case. Most personal email accounts support data encryption at rest and in transit, and most include tools to review account activity, archive emails, and access accounts in an emergency. It is also possible to configure some personal email accounts to auto-lock after a period of inactivity.

With regards to other Administrative, Physical, and Technical Safeguards, most email services include malware protection and password managers as standard. Because emails are stored in the cloud, the email service provider has the responsibility for complying with physical access, backup, and storage requirements – leaving the requirement to enter into a Business Associate Agreement as the only reason why personal email accounts are not HIPAA compliant.

Note: While it might be possible to manage the confidentiality, integrity, and availability of electronic PHI in a personal email account when a HIPAA covered entity is a sole practitioner, it is far more difficult if multiple workforce members use personal email accounts to send or receive PHI. For this reason, it is important that workforce members speak with a Privacy or Security Officer before using a personal email account in any of the following circumstances.

Circumstances in Which Personal Email Accounts can be Used in Compliance with HIPAA

Although personal email accounts are not HIPAA compliant, there are circumstances in which they can be used in compliance with HIPAA to communicate PHI. These include when a patient exercises their HIPAA right to request confidential communications, and the request states the patient would like to be contacted from a personal email address because their email service is not private and they don’t want others seeing communications from “XYZclinic.com”.

Patients do not have to give an explanation of why they are requesting confidential communications from a personal email address, and healthcare providers are required to accommodate reasonable requests – which this would be. However, healthcare providers can insist that the request be made in writing and – in this case – it is advisable to obtain a valid HIPAA authorization from the patient authorizing the disclosure of PHI via a non-compliant channel.

Another circumstance in which personal email accounts could be used in compliance with HIPAA is if a healthcare provider’s domain name is blacklisted or its business email service provider experiences an outage. These events should be accounted for in the contingency plan requirements of the HIPAA Security Rule, and policies and procedures should be developed to ensure any use of PHI via a personal email address is monitored and accounted for.

There may be other circumstances in which personal email accounts can be used in compliance with HIPAA even though personal email accounts are not HIPAA compliant. Healthcare organizations unsure about whether personal email accounts can be used in specific circumstances to communicate PHI are advised to discuss the specific circumstances with a HIPAA compliance professional.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
