HIPAA Compliant Email: Best Practice To Avoid Violations & Breaches
This practical guide to HIPAA compliant email services explains how to achieve best practice compliance by avoiding the common misunderstandings and implementation errors that cause the preventable email violations that lead to breaches and fines.
It has become increasingly clear that many aspects of HIPAA compliant email are either not understood or badly implemented, leaving a large number of healthcare organizations of all sizes wrongly believing their email is both secure and HIPAA compliant. Unfortunately, many easily preventable issues only come to light after it is too late and a breach has taken place.
The Office for Civil Rights receives around 60,000 notifications of data breaches each year, of which many are wrongful disclosures of Protected Health Information (PHI) attributable to email violations.
What Is Required For HIPAA Email Compliance?
From an organizational perspective, when looking into HIPAA email compliance services there are three areas that should be considered, each of which is covered in more detail below:
1. HIPAA Compliance: What is required for HIPAA-compliant email as specified by the HIPAA Privacy and HIPAA Security Rules? This first step is to fully understand the pertinent regulations and their implications.
2. Cyber Security: What best practice security needs to be in place to cover ALL the potential breach risks associated with email, whether or not they are specifically mentioned in the HIPAA Security Rule?
3. HIPAA-Friendly Email Technology: With so many out-of-date, insecure, and complicated email systems still probably being used in healthcare organizations, what are the best practice HIPAA compliant email systems for both staff and patients?
Section One: HIPAA Compliance For Email
In this section, we cover the regulatory requirements for HIPAA compliant email and discuss the implications for many email systems currently in use at healthcare organizations.
What Is Required For A HIPAA Compliant Email System?
(a) Create Policies and Procedures: Organizations need to document best practice policies and procedures for the handling of email.
This should include getting each patient’s formal consent to communicate by email. Even with this consent in place, it is best practice to send an advance email to warn the patient if you are about to send an email to them with PHI included. That way the patient knows the email is coming and can ensure that at their end there is no one apart from them able to access the email, such as a family member or a workplace colleague. This avoids potential misunderstandings and complaints.
It is also recommended that a policy is implemented to ensure ALL emails sent internally or externally by all staff at your organization are fully secure. Why risk anything else when this is so easy to accomplish? A system where some emails are secure and others are not, based on which staff handle PHI and which don’t, always carries an inherent risk of mistakes being made. Human error is a major cause of HIPAA violations.
(b) Secure Patient Information: Emails and their attachments need to be secure from when they leave your device to when the intended recipients read them. A secure email is akin to a letter sealed inside an envelope, where the content is not exposed at any point.
(c) Implement Email Retention: Email retention is not specifically mentioned in the HIPAA rules, but it is recommended for a number of reasons. An individual patient can request an accounting of disclosures of PHI at any time, and this would include all email communications. In the event that legal action is taken against the organization, emails will very likely be required to mount a defense. And finally, state law requires emails to be stored for a fixed period of time, usually six years. Therefore healthcare organizations must implement a secure and accessible email retention system. This also means emails should not be deleted, and this instruction should be included in your policies and training.
Even for small to medium-sized healthcare organizations, storing 6 years of emails (the federal requirement, there are also local state requirements), including attachments, requires considerable storage space. By implementing a secure, encrypted email archiving service rather than just using email backups, an organization will free up storage space on its servers. In addition, since an email archive is indexed, searching for specific emails is a quick and easy process. Conversely, email backups are often just a single file containing all the emails, and finding a specific email is like searching for a needle in a haystack.
(d) Implement Audit and Access Controls: Robust administration access settings need to be in place to ensure the integrity of your email system so that only the people who need access to email settings and storage have access.
(e) Provide Employee Training: All employees in the organization must be made aware of their responsibilities and current best practices regarding the handling and transmitting of PHI via email. We recommend that this should be covered in both your general HIPAA training AND in your security awareness training because of its importance.
HIPAA email training should include awareness of the Minimum Necessary Rule which requires that when using or disclosing PHI, or when requesting PHI from another covered entity, only the minimum amount of information necessary to accomplish the intended purpose should be used or disclosed. It also means that only individuals who need access to PHI for their job role should be included in the email communication.
(f) Sign A Business Associate Agreement (BAA): A BAA must be in place with any vendors handling or processing PHI on behalf of a covered entity or another business associate. Without an appropriate BAA in place, you are not HIPAA compliant. The BAA should outline the responsibilities of the service provider and specify the administrative, physical, and technical safeguards that will be used to ensure the confidentiality, integrity, and availability of PHI.
The requirements listed above are the six pillars of HIPAA compliant email services. However, with hackers becoming ever more sophisticated, and technology advancing rapidly, the implementation of HIPAA compliant email needs to be carefully considered and reviewed at least once a year during your organization’s annual HIPAA risk assessment.
We will now take a look at some of the important implications arising from the HIPAA email regulatory requirements just discussed.
What Are The Implications And Common Misunderstandings Of HIPAA Email Rules?
(a) Free Email: None of the commonly used free email services are HIPAA compliant, and they cannot be made so, because none of them will provide or enter into a business associate agreement. This includes Gmail, Yahoo, AOL, and Hotmail, plus many more. Small or single-person healthcare practices using their name followed by “@gmail.com” on the free email service to communicate with patients are breaking HIPAA rules. This does not apply to the paid versions, such as a Google Workspace account.
(b) Paid Email: Out-of-the-box email solutions, including Google Workspace and some versions of Microsoft Office, are not HIPAA Compliant or fully secure in their default settings. This is because email systems were created to ensure messages are delivered, and this sometimes means compromising the level of security. So for example, if you use the best up-to-date secure email, but the recipient’s email provider doesn’t, then the security of your email message will be downgraded to ensure it can be delivered. In other words, it will change from a sealed letter to an open postcard.
Google’s own data tells us that over 15% of Gmail messages are delivered without encryption. This may be fine for the majority of organizations not in healthcare, but for a covered entity sending PHI, it is a HIPAA violation.
(c) Fulfilment of HIPAA Obligations: Without proper email retention and email archive search functionality your organization may be HIPAA compliant in theory, but for practical purposes, you will have no simple way to produce email history for audit or record requests.
Section Two: Cyber Security For HIPAA Compliant Email
In this section, we explain, with as little technical jargon as possible, all the security requirements that need to be in place for HIPAA compliant email.
HIPAA Compliant Email Service Providers
In recent years a few vendors have created HIPAA compliant email services that have been specifically designed to adhere to all the required HIPAA regulations. They include all the necessary security and management technology which is set up correctly out of the box to be HIPAA compliant. The market leader in HIPAA compliant email is Paubox.
It is recommended that you download The HIPAA Compliant Email Checklist which can be used to rate your current email services or any new vendor you are considering.
What Is Required For HIPAA Compliant Cyber Security?
Not all security measures are specifically listed in the HIPAA Security Rule. However, the General Rules of the Security Rule (§164.306) include a standard that requires a covered entity or business associate to protect against ANY reasonably anticipated threats or hazards to the security or integrity of PHI, and ANY reasonably anticipated uses or disclosures that are not permitted.
In effect, this means that it is the organization’s responsibility to stay up to date on potential security issues and implement the best possible HIPAA compliant email services that include all the latest security measures. These are listed below:
(a) Encryption: As discussed above, securing email containing PHI from end to end is a security requirement of HIPAA. Although other, more complex methods are available, this should be done with “encryption”.
When you send an encrypted email, the message is automatically turned into a scrambled code during transmission and can only be read by the intended recipient who has the means to automatically unscramble it. This ensures that the information stays private and secure, even if it is intercepted by unauthorized parties. While no system is entirely secure, the correct usage of encrypted email significantly increases the difficulty for hackers to gain access to email content.
The standard of encryption used is also important because some previous encryption standards that were considered secure are no longer a best practice. Organizations can consult The National Institute of Standards and Technology for advice on the latest and most suitable encryption standards for email services.
Please note that HIPAA compliant email solutions are available that can be used as standalone email systems, but also in conjunction with almost all existing email systems, including Google Workspace Email and Microsoft Office Email, as a HIPAA enhancement that essentially “upgrades” them to full HIPAA compliance. From a HIPAA perspective, it is better that an email is not delivered and you receive a notification letting you know, which allows you to consider an alternative option, than to commit a HIPAA violation.
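To make the “sealed letter versus open postcard” point from the section on paid email concrete, here is an added example (hypothetical code, not from the page or from any vendor it names) of the decision an outbound mail relay has to make when the recipient’s server does not advertise STARTTLS. The EHLO replies and server names are constructed; the policy values `may` and `encrypt` borrow the names Postfix uses for opportunistic and mandatory TLS, but the code is not Postfix. The `build_tls_context` helper shows the matching client-side setting: refusing TLS versions older than 1.2, in line with current NIST guidance.

```python
"""Added example: refusing to downgrade to cleartext when the recipient's
mail server does not offer STARTTLS. Hypothetical code; the server names
and EHLO replies below are constructed for the demonstration."""
import ssl
from dataclasses import dataclass
from enum import Enum


class TlsPolicy(Enum):
    # Named after the two outbound TLS behaviours the article contrasts.
    OPPORTUNISTIC = "may"   # use TLS if offered, otherwise fall back to cleartext
    ENFORCED = "encrypt"    # never send without TLS; hold the message instead


@dataclass(frozen=True)
class Decision:
    send: bool        # hand the message to the recipient server?
    encrypted: bool   # would the session be protected by TLS?
    reason: str       # text for the sender notification / mail log


def parse_ehlo(response: str) -> dict[str, str]:
    """Turn a raw multi-line EHLO reply into {EXTENSION: parameters}.

    Continuation lines look like '250-STARTTLS'; the final line uses a space
    after the code ('250 8BITMIME'). The first line is the greeting, not an
    extension, so it is skipped.
    """
    capabilities: dict[str, str] = {}
    lines = [ln.strip() for ln in response.splitlines() if ln.strip()]
    for line in lines[1:]:
        if len(line) < 5 or not line[:3].isdigit():
            continue
        name, _, params = line[4:].partition(" ")
        if name:
            capabilities[name.upper()] = params
    return capabilities


def decide_delivery(ehlo_response: str, policy: TlsPolicy) -> Decision:
    """Apply the outbound TLS policy to what the recipient server advertised.

    On a live connection smtplib exposes the same fact via
    smtp.ehlo(); smtp.has_extn("starttls"); the raw reply is parsed here so
    the decision logic can run offline against constructed replies.
    """
    capabilities = parse_ehlo(ehlo_response)
    if "STARTTLS" in capabilities:
        return Decision(True, True, "recipient server offers STARTTLS; sending over TLS")
    if policy is TlsPolicy.OPPORTUNISTIC:
        return Decision(True, False, "no STARTTLS; delivered in cleartext (the 'open postcard')")
    return Decision(False, False, "no STARTTLS; message held and sender notified (enforced TLS)")


def build_tls_context() -> ssl.SSLContext:
    """Client context that refuses TLS versions NIST no longer recommends."""
    context = ssl.create_default_context()
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    return context


# Constructed EHLO replies standing in for two recipient servers.
MODERN_SERVER = (
    "250-mx.modern.example.test Hello\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
LEGACY_SERVER = (
    "250-mx.legacy.example.test Hello\r\n"
    "250-SIZE 10240000\r\n"
    "250 8BITMIME\r\n"
)

if __name__ == "__main__":
    for name, reply in (("modern", MODERN_SERVER), ("legacy", LEGACY_SERVER)):
        for policy in TlsPolicy:
            d = decide_delivery(reply, policy)
            print(f"{name:6} {policy.value:7} send={d.send} encrypted={d.encrypted}: {d.reason}")
```

Under the opportunistic policy the legacy server still gets the message, just unprotected, which is the silent downgrade the article warns about; under the enforced policy the message is held and the sender is told, which is the behaviour the paragraph above recommends.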
(b) Email Phishing Protection: Phishing is the most common way IT systems get hacked, often leading to serious HIPAA breaches. Phishing is a type of cyber attack where scammers try to trick people into giving away sensitive information, like passwords, by pretending to be a trustworthy source. The email messages often look legitimate but lead to fake websites. Protecting against phishing attacks involves a combination of technological solutions and user education.
Technology can include email filters and spam protection systems that help detect and block phishing emails before they reach the user’s inbox. Anti-phishing software solutions can detect and block phishing attempts by analyzing web traffic and identifying malicious websites designed to steal user credentials. These systems analyze email content for known phishing characteristics, such as suspicious links, unusual sender addresses, and typical phishing language patterns.
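The content checks just described (suspicious links, unusual sender addresses, typical phishing language) can be illustrated with a small, rule-based analyzer. What follows is an added example written for this article, not any vendor’s filter; the trusted-domain list, the urgency phrases and both sample messages are constructed, and the thresholds are arbitrary choices for the demonstration. It goes slightly beyond the text by also flagging a Reply-To that diverts replies away from the apparent sender.

```python
"""Added example (hypothetical, not a vendor's filter): phishing heuristics of the
kind described in the text, run over constructed messages."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-health.test"}  # constructed: the organization's own domain
URGENCY_PATTERNS = [r"\burgent\b", r"\bimmediately\b", r"\bsuspend(ed)?\b",
                    r"\bverify your (account|password)\b", r"\bwithin \d+ hours\b"]


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def looks_like_lookalike(domain: str) -> bool:
    """Digit-for-letter swaps (examp1e, g00gle) that imitate a trusted domain."""
    normalized = domain.translate(str.maketrans("105", "los"))
    return domain not in TRUSTED_DOMAINS and normalized in TRUSTED_DOMAINS


def host_shown_in(text: str) -> str:
    """Host named in a link's visible text, if that text is a URL or bare domain."""
    host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    return host if "." in host and " " not in host else ""


def analyze(raw_message: str) -> list[str]:
    """Return the independent phishing signals found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings: list[str] = []
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    if looks_like_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} imitates a trusted domain")
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not {from_domain}")
    body = ""
    for part in msg.walk():  # a single-part message yields just itself
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        shown, actual = host_shown_in(text), (urlparse(href).hostname or "")
        if shown and shown != actual:
            findings.append(f"link text shows {shown} but points to {actual}")
    haystack = f"{msg.get('Subject', '')} {body}"
    hits = [p for p in URGENCY_PATTERNS if re.search(p, haystack, re.IGNORECASE)]
    if len(hits) >= 2:
        findings.append(f"{len(hits)} urgency phrases present")
    return findings


def is_suspicious(raw_message: str) -> bool:
    """Two or more independent signals: hold for review instead of delivering."""
    return len(analyze(raw_message)) >= 2


# Constructed samples: a lookalike-domain lure and a legitimate notice.
PHISHING_SAMPLE = """\
From: Example Health Billing <billing@examp1e-health.test>
Reply-To: account-recovery@mail-verify.test
To: patient@mailbox.test
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<p>Your account has been suspended. Please visit
<a href="http://login.mail-verify.test/reset">portal.example-health.test</a> immediately.</p>
"""
BENIGN_SAMPLE = """\
From: Example Health Billing <billing@example-health.test>
To: patient@mailbox.test
Subject: Your statement is available
Content-Type: text/html; charset=utf-8

<p>Your monthly statement is ready. <a href="https://portal.example-health.test/statements">View statements</a>.</p>
"""
```

Each check is weak on its own (legitimate mail sometimes uses urgency wording, and marketing mail often sets a different Reply-To), which is why the verdict requires two independent signals; real filters add sender-reputation and URL-reputation lookups that this offline example leaves out.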
(c) Spam Protection: Email spam protection is a system designed to detect and block unwanted or potentially harmful email messages from reaching a user’s inbox. This includes filtering out advertisements, phishing attempts, and other malicious emails that can pose risks to users and their organizations. By filtering out malicious emails that might contain malware or viruses, spam protection helps prevent cyber attacks that could compromise the security of the organization’s network and the PHI it stores.
(d) Virus Protection: A computer virus is a type of malicious software, also known as malware, designed to replicate itself and spread from one computer to another. It attaches itself to clean files and can infect other files, programs, and systems when the infected files are opened or executed. Viruses often carry a payload, which is the part of the malware that performs harmful actions such as deleting files, stealing data, or taking control of a system.
Installed on email servers and user devices, virus protection solutions scan emails, including attachments and links in emails for viruses. The software is automatically updated with the latest virus definitions to protect against new threats and provide continuous monitoring and real-time protection of email traffic. The software will quarantine or delete infected files to prevent the spread of the virus.
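Signature-based antivirus is the part of attachment scanning that a vendor supplies; the static checks that sit in front of it are easier to show. The following is an added example written for this article, not the page’s own code or any product’s engine: it screens each attachment of a constructed message for blocked and double extensions, macro-enabled documents, a file whose contents do not match its claimed type, executables hidden inside an archive, and a hash match against a stand-in for a threat-intelligence feed. The block lists, the sample message and the “known-bad” hash are all constructed.

```python
"""Added example: screening attachments before delivery with static checks
that complement (not replace) signature-based antivirus. Hypothetical code;
the sample message, block lists and "known-bad" hash are constructed."""
import hashlib
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs",
                      "hta", "ps1", "jar", "lnk", "dll"}
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm"}
MAGIC_BYTES = {b"MZ": "Windows executable", b"%PDF": "PDF",
               b"PK\x03\x04": "ZIP container"}

# Stand-in for a threat-intelligence feed: the SHA-256 of one constructed blob.
KNOWN_BAD_BLOB = b"constructed known-bad sample, not real malware"
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_BAD_BLOB).hexdigest()}


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes rather than by its file name."""
    for magic, label in MAGIC_BYTES.items():
        if data.startswith(magic):
            return label
    return "unknown"


def screen_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons to quarantine this attachment (empty list = clean)."""
    reasons: list[str] = []
    extensions = filename.lower().split(".")[1:]
    last = extensions[-1] if extensions else ""
    kind = sniff(data)

    if last in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension .{last}")
        if len(extensions) >= 2:
            reasons.append(f"double extension hides .{last} behind .{extensions[-2]}")
    if last in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled document .{last}")
    if last == "pdf" and kind != "PDF":
        reasons.append(f"named .pdf but content is {kind}")
    if kind == "Windows executable" and last not in BLOCKED_EXTENSIONS:
        reasons.append("executable content behind a non-executable name")
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        reasons.append("matches known-bad hash")
    if last == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    if member.rsplit(".", 1)[-1].lower() in BLOCKED_EXTENSIONS:
                        reasons.append(f"archive contains {member}")
        except zipfile.BadZipFile:
            reasons.append("named .zip but not a readable archive")
    return reasons


def screen_message(raw: bytes) -> dict[str, list[str]]:
    """Screen every attachment of a raw message; keys are attachment file names."""
    msg = message_from_bytes(raw, policy=policy.default)
    report: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        report[name] = screen_attachment(name, part.get_payload(decode=True) or b"")
    return report


def build_sample_message() -> bytes:
    """Constructed message with one clean and three suspicious attachments."""
    msg = EmailMessage()
    msg["From"] = "records@example-health.test"
    msg["To"] = "clinic@example-health.test"
    msg["Subject"] = "Lab results"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder",
                       maintype="application", subtype="pdf", filename="results.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed placeholder",
                       maintype="application", subtype="pdf", filename="results.pdf.exe")
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w") as archive:
        archive.writestr("invoice.js", "// constructed placeholder")
    msg.add_attachment(zipped.getvalue(),
                       maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(KNOWN_BAD_BLOB,
                       maintype="application", subtype="octet-stream", filename="sample.bin")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in screen_message(build_sample_message()).items():
        print(f"{name}: {'clean' if not reasons else '; '.join(reasons)}")
```

The checks are deliberately ordered from cheapest to most expensive, and every reason is kept rather than stopping at the first hit, so the quarantine record tells an administrator why a file was held; the hash lookup is where a real deployment would consult its antivirus engine and feed updates instead of a constructed set.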
(e) Ransomware Protection: Ransomware is a type of malicious software that encrypts an organization’s files or locks them out of their system until a ransom is paid to the attacker.
Ransomware protection involves a range of measures and tools designed to prevent, detect, and respond to ransomware attacks. In addition to the antivirus software, phishing detection, spam filters, and email filtering discussed above, ransomware protection includes endpoint protection, which monitors and secures individual devices against ransomware attacks, along with the entire network of devices.
Section Three: HIPAA-Friendly Email Technology
As discussed above, HIPAA compliant email touches many different areas and has implementation implications that, without the right technology, can make compliance and security more complicated than it needs to be.
What Technology Should Not Be Considered?
Whether due to inertia or cost concerns, unfortunately, there are many out-of-date, insecure, and horribly complicated email systems still being used by far too many healthcare organizations. In their day they were perhaps considered the best solutions available, but technology has moved on considerably since then.
We briefly discuss some of these outdated services that require patients or staff to work on or think about something that can now be automated. This leaves unnecessary room for error, and human error accounts for the vast majority of email-related HIPAA violations.
(a) Encryption As An Option: Some email service providers require individual emails to be encrypted by clicking a button. This is an unnecessary burden on staff who have to make a decision on whether to encrypt an email or not. In a busy and pressurized work environment, it is easy to overlook that there is PHI in the email or to forget to press an encrypt button or type a keyword before sending an email.
(b) Portals: Security portal technology was developed in the early 2000s and requires patients to log in to a webpage to retrieve the email sent by the healthcare organization. This can involve up to seven cumbersome steps. Older patients find them difficult, and recent surveys have shown that younger patients actively seek out more technologically advanced healthcare practices.
(c) Apps: Smartphone email apps were developed to handle email encryption but unfortunately are just as cumbersome as portals and also require the patient to use their phone rather than a laptop or desktop computer.
(d) Passwords: Relying solely on password protection for a document is inadequate and has already resulted in publicized HIPAA fines. Using only password protection when sending a document containing PHI via email is not a HIPAA-compliant practice and should be avoided.
What Is The Best HIPAA Email Solution?
Several vendors offer technology that has been designed specifically for HIPAA compliance while also offering the highest standard of cyber security protection. Rather than being cobbled together with potential gaps, they are fully fit for purpose, yet usually not any more expensive than any other offerings on the market.
Using their “set and forget” solutions ensures your organization is HIPAA compliant and brings the peace of mind that comes from comprehensively managing cyber security risks.
Use Zero Step Email Encryption: Zero step email encryption is a service that eliminates the need for senders to perform any special activity to manually encrypt an email, or for the email recipient to log into a portal or enter a password to read an email. The encryption is done automatically to prevent human error and we highly recommend this is implemented throughout any organization that is a covered entity or a business associate.
Only Consider Email Vendors With HITRUST CSF Certification: We also recommend that any email vendor worth consideration as your new provider has HITRUST CSF Certified status. This demonstrates that their solution has met all the key regulatory and industry-defined requirements, and they are appropriately managing risk. By including federal and state regulations, standards, and frameworks, and incorporating a risk-based approach, HITRUST helps email vendors address these challenges through a comprehensive and flexible framework of prescriptive and scalable security controls. It is an extra stamp of approval that means you can trust the vendor.
HIPAA Compliant Email Checklist
Please download our HIPAA Compliant Email Checklist which provides a summary of this article in a list format to assist you to objectively compare up to three solutions side by side.
This can also be provided to your IT department or MSP to help them understand what needs to be in place.