The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

How to Make Your Email HIPAA Compliant

Making your email HIPAA compliant has the advantage of enabling you to communicate PHI in emails with patients, colleagues, and authorized third parties without risking a violation of HIPAA for impermissibly disclosing unsecured PHI. You can make your email HIPAA compliant by following three easy steps.

  • First, if you are communicating ePHI to a patient or plan member, warn the recipient of the risks of communicating ePHI by email, obtain their consent to receive communications by email, and document both the warning and the consent.
  • Secondly, use a HIPAA compliant email service that encrypts emails in transit and at rest. These are discussed in greater detail below.
  • Thirdly, implement a secure email retention system to ensure the availability of ePHI and that you are able to respond to Accounting of Disclosure requests within the timeframe stipulated by the Privacy Rule.

Whether you need to make your email HIPAA compliant will depend on how you plan to use email with ePHI. If you will only ever send emails internally, it may not be necessary to make your email HIPAA compliant.

If your email stays within your own network, behind a firewall, HIPAA does not automatically require it to be encrypted. Encryption of ePHI is an "addressable" implementation specification under the Security Rule (45 CFR §164.312(a)(2)(iv) for data at rest and §164.312(e)(2)(ii) for data in transit), so a covered entity can decide not to encrypt internal email if its risk analysis documents why that is reasonable and what equivalent protection is in place. Encryption (or an equivalent protection) is needed when emails leave the firewall. Access controls on email accounts are required regardless, as it is important to ensure that only authorized individuals can access mailboxes that contain ePHI.

If you want to use email to send ePHI externally – beyond your firewall – you will need to make your email HIPAA compliant.

There are many email service providers that offer an encrypted email service, but not all are HIPAA compliant or incorporate all the necessary safeguards to meet the requirements of the HIPAA Privacy and Security Rules. To make your email HIPAA compliant there are several things to consider:

Ensure you have end-to-end encryption for email

Email is a quick and easy way to communicate electronically, but it is not necessarily secure. Even services that encrypt messages in transit may not have the required level of security to make them HIPAA compliant.

To make your email HIPAA compliant you should ensure you have end-to-end encryption: the message is encrypted on the sender's device and can only be decrypted by the intended recipient (or by personnel the covered entity has authorized), so it stays protected both while in transit between mail servers and while stored in the mailboxes and servers along the way. Encryption controls of this kind ensure that only the intended recipient and authorized personnel can read the messages.

Some email service providers require individual emails to be encrypted by clicking a button or using a portal. Since it is easy to forget to turn on encryption and accidentally send an unencrypted email, it is a better choice to encrypt all emails using “zero-step” encryption, not only those that contain ePHI. This will reduce the potential for human error.

The standard of encryption used is also important. The Data Encryption Standard (DES) was once considered secure, but that is no longer the case. You should consult NIST for advice on suitable encryption standards; HHS's guidance on rendering ePHI unusable, unreadable, or indecipherable points to NIST Special Publication 800-111 for data at rest and to NIST SP 800-52 (TLS) for data in transit. In practice this means AES with 128-, 192-, or 256-bit keys for stored ePHI, and OpenPGP, S/MIME, or TLS for ePHI in transit. Note the difference between these transit options: OpenPGP and S/MIME encrypt the message itself, so it stays protected end to end, whereas TLS only protects the connection between two mail servers, each of which still holds the message in clear text. STARTTLS is also opportunistic by default, so a connection can quietly fall back to clear text unless TLS is enforced on the sending side.
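As an added example (not code from the HIPAA Journal article or from any vendor it mentions), the following Python helper shows what "enforcing TLS on the sending side" looks like for an application that submits emails containing ePHI. Python's standard smtplib will send in clear text if the server does not offer STARTTLS, and starttls() called without a context does not verify the server's certificate; the helper fails closed in both cases. The host name, port 587 submission setup, and credentials in the usage block are hypothetical placeholders.

```python
# Added example (not from the article): submit mail over verified TLS or not at all.
# smtplib will happily send in clear text if the server does not offer STARTTLS,
# and starttls() without a context accepts any certificate. Both are refused here.
import smtplib
import ssl
from email.message import EmailMessage


class TlsNotAvailable(RuntimeError):
    """Raised instead of silently falling back to clear-text SMTP."""


def strict_tls_context():
    """Client-side context: verify the server certificate and hostname and
    refuse protocol versions older than TLS 1.2 (the NIST SP 800-52r2 floor)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx):
    """True if a context meets the three checks a sender of ePHI should insist on."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def build_message(sender, recipient, subject, body):
    """Plain EmailMessage; it is the transport, not the message, that is hardened here."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_with_enforced_tls(msg, host, port=587, username=None, password=None):
    """Deliver msg to a submission server, failing closed if TLS cannot be negotiated.

    This function needs network access; everything above it runs offline.
    """
    ctx = strict_tls_context()
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise TlsNotAvailable(
                f"{host}:{port} does not advertise STARTTLS; refusing to send ePHI in clear text"
            )
        smtp.starttls(context=ctx)  # raises ssl.SSLError on an untrusted certificate
        smtp.ehlo()                 # re-EHLO over the now-encrypted channel
        if username is not None:
            smtp.login(username, password)
        return smtp.send_message(msg)


if __name__ == "__main__":
    # Hypothetical server and account; replace with your own submission host.
    message = build_message("records@clinic.example", "patient@example.org",
                            "Your appointment", "Your visit summary is attached.")
    send_with_enforced_tls(message, "smtp.clinic.example",
                           username="records", password="change-me")
```

Enforcing TLS at submission covers only the first hop. What happens between your provider's server and the recipient's server is outside this code, which is why the article's preference for OpenPGP, S/MIME, or a service that encrypts the message itself still stands.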

For many HIPAA covered entities, especially smaller healthcare providers that do not have in-house IT staff to ensure their email is HIPAA compliant, the use of a third-party HIPAA compliant email service provider is strongly recommended.

Research potential HIPAA compliant email service providers to ensure that they provide a service that is suitable for your requirements. A search on Google will produce several potential service providers, with Paubox being the leading vendor of HIPAA-compliant email.

Enter into a business associate agreement with your email provider

If you use a third-party email provider, you must enter into a business associate agreement prior to using the service for sending ePHI. The business associate agreement outlines the responsibilities of the service provider and establishes that administrative, physical, and technical safeguards will be used to ensure the confidentiality, integrity and availability of ePHI.

If an email service provider is not prepared to enter into a business associate agreement, you should look elsewhere. There are several email service providers who are prepared to sign a BAA to allow them to work with HIPAA covered entities and their business associates.

Ensure your email is configured correctly

Even when a BAA is obtained, there are still risks associated with email and it is possible to fail to configure the email service correctly and violate HIPAA Rules. Simply using an email service that is covered by a BAA does not make your email HIPAA compliant.

HIPAA compliant email providers such as Google and Microsoft help covered entities configure their services to support HIPAA compliance by publishing implementation guides. Please note that if subscribing to a Google Workspace Plan or M365 Enterprise plan, the business associate agreement only covers “in-scope services”. Other services included in the plan must not be used to collect, receive, store, or transmit PHI.

Develop policies on the use of email and train your staff

Once you have implemented your HIPAA compliant email service it is important to train staff on the correct use of email with respect to ePHI. There have been several data breaches that have occurred as a result of errors made by healthcare staff – for example, the accidental sending of ePHI via unencrypted email and the sending of ePHI to individuals unauthorized to view the information. It is important to ensure all staff are aware of their responsibilities under HIPAA and are trained on the use of the email service.

Ensure all emails are retained

HIPAA Rules on email retention are a little unclear as email retention is not specifically mentioned in HIPAA legislation. Since individuals can request an accounting of disclosures of protected health information, and email communications may have to be provided when legal action is taken against a healthcare organization, covered entities should maintain a secure email archive to ensure emails are backed up and stored. State laws may also require emails to be stored for a fixed period of time. You should therefore check the laws relating to email in the state(s) in which your organization operates. If in doubt, seek legal advice.

Security-related emails and emails relating to changes in privacy policies should be retained for six years, in line with the HIPAA requirement (45 CFR §164.316(b)(2)) that covered entities keep documentation related to their compliance efforts for six years from the date of its creation or the date when it was last in effect, whichever is later.

Even for small to medium-sized healthcare organizations, storing six years of emails, including attachments, requires considerable storage space. Consider using a secure, encrypted email archiving service rather than relying on email backups. Not only will this free up storage space; because an archive is indexed, searching for emails is quick, so if emails need to be produced for legal discovery or a compliance audit they can be retrieved promptly.

As with an email service provider, any provider of an email archiving service will also be subject to HIPAA Rules as they will be classed as a business associate. A BAA would need to be entered into with the email archiving service provider and reasonable assurances obtained that they will abide by HIPAA Rules.

Obtain consent from patients before communicating via email

HIPAA covered entities should note that while it may be convenient to send emails containing ePHI to patients, consent to use email as a communication method should be obtained from the patient before any ePHI is sent via email, even if a HIPAA compliant email provider is used. Patients must be advised that there are risks to the confidentiality of information sent via email. If they are prepared to accept the risks, and the consent is documented, emails containing ePHI can be sent without violating HIPAA Rules.

Seek legal advice on HIPAA compliance and email

If you are unsure of the requirements of HIPAA with respect to email, it is strongly recommended that you speak with a healthcare attorney that specializes in HIPAA to advise you of your responsibilities and the requirements of HIPAA with respect to email.

How to Make Your Email HIPAA Compliant: FAQs

Why do you need to encrypt emails to be HIPAA compliant?

You need to encrypt emails to be HIPAA compliant because an unencrypted email is transmitted from your mail server to the recipient's mail server via SMTP, and unless both servers negotiate TLS for that connection (STARTTLS, which is opportunistic and not guaranteed), it travels in plain text. It then "rests" in plain text on the recipient's mail server until the recipient opens their email client. This is like sending a letter with the content written on the outside of the envelope: anybody who can intercept the email in transit, or who can access the servers where it is stored, can read it.

If an email is encrypted, why is a BAA necessary?

If an email is encrypted, a BAA is necessary even when email service providers cannot read the content of encrypted emails because they have what the Department of Health and Human Services refers to as “persistent access” to ePHI. Consequently, email service providers qualify as Business Associates and a Business Associate Agreement has to be in place before the service is used.

Is HIPAA training on email use still necessary if emails are encrypted?

HIPAA training on email use is still necessary if emails are encrypted because, even though the email cannot be read by anybody other than the recipient and authorized users, the permissible uses and disclosures standards and the Minimum Necessary Rule still apply – something some members of the workforce may forget if they believe email is confidential and secure.

Why is patient consent necessary to communicate ePHI by email?

Patient consent is not necessary to communicate ePHI by email, but it is preferable in order to avoid potential misunderstandings and complaints. Misunderstandings and complaints can occur if, for example, an email is accessed by another member of the patient's family or a workplace colleague, which is why it is better to have documented consent.

Under §164.522 of the Privacy Rule, patients have the right to request how they receive communications containing PHI from a Covered Entity. Some feel the provision of an email address is implied consent; however, it is better to obtain formal consent from a patient after warning them of the risks. Even if the consent is oral or implied, it should be documented.

Does encryption alone make email HIPAA compliant?

Encryption alone does not make email HIPAA compliant. Other factors required to make email HIPAA compliant include (but are not limited to) a business associate agreement being in place with the email service provider, access controls being implemented on email accounts, procedures for backing up, retaining, or archiving emails containing ePHI, staff training, and documented patient consent.

What is zero step email encryption?

Zero step email encryption is an email encryption service that eliminates the need for senders to perform an activity to manually encrypt an email and recipients to log into a portal or enter a password to read an email. The encryption process is done automatically to prevent human error while still ensuring the confidentiality, integrity, and availability of PHI in the email.

How is PHI protected when a patient receives an encrypted email?

Once a patient receives an email, the PHI in it is protected only as well as the patient's own device and habits protect it. Covered entities have no control over what happens to PHI after it has been delivered to the patient and therefore no liability for it: if a patient leaves a mobile device unlocked or allows someone else to view the email, and that person shares the information without authorization, the covered entity is not at fault.

What are some common methods used for email encryption?

Common methods used for email encryption include OpenPGP (Pretty Good Privacy), S/MIME (Secure/Multipurpose Internet Mail Extensions), and TLS (Transport Layer Security). OpenPGP and S/MIME encrypt the message body and attachments end to end, so intermediate mail servers only ever see ciphertext (the headers, including the subject line, typically remain readable). TLS encrypts the connection between two mail servers one hop at a time, so each server decrypts the message and stores it in clear text before forwarding it. Many HIPAA secure email services use a combination of encryption methods and/or proprietary encryption protocols.
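As an added example (not code from the article), the following Python script shows how to check, for a message you have received, which hops were protected by TLS; it illustrates both the SMTP answer above and the hop-by-hop nature of TLS described in this answer. Each relaying mail server prepends a Received: header, and per RFC 3848 its "with" clause reads ESMTPS or ESMTPSA when that hop used TLS and ESMTP or SMTP when it did not. The sample message, host names, and message IDs are constructed for the example.

```python
# Added example (not from the article): find which hops of a delivered message
# were protected by TLS. Every relaying MTA prepends a Received: header; per
# RFC 3848 the "with" clause is ESMTPS/ESMTPSA when the hop used TLS and
# ESMTP/SMTP when it did not. The sample message below is constructed.
import re
from email import message_from_string

# RFC 3848 / IANA "WITH protocol types" that imply TLS was used on that hop
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)
FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def load_message(raw):
    """Parse an RFC 5322 message from its raw text."""
    return message_from_string(raw)


def audit_received_hops(msg):
    """One record per Received: header, newest hop (the one closest to us) first."""
    hops = []
    for header in msg.get_all("Received", []):
        flat = " ".join(header.split())          # unfold continuation lines
        with_match = WITH_RE.search(flat)
        from_match = FROM_RE.search(flat)
        protocol = with_match.group(1).upper() if with_match else "UNKNOWN"
        hops.append({
            "from": from_match.group(1) if from_match else "?",
            "protocol": protocol,
            "tls": protocol in TLS_PROTOCOLS,
        })
    return hops


def cleartext_hops(msg):
    """Hops on which the message crossed the wire unencrypted."""
    return [hop for hop in audit_received_hops(msg) if not hop["tls"]]


# Constructed sample: the partner's outbound relay accepted the message over
# TLS (ESMTPSA) and our primary server accepted it from our secondary MX over
# TLS (ESMTPS), but the hop from the partner relay to our secondary MX fell
# back to clear text (ESMTP).
SAMPLE = """\
Received: from mx2.clinic.example (mx2.clinic.example [192.0.2.10])
\tby mail.clinic.example with ESMTPS id 4XkQ2Wb1
\tfor <nurse@clinic.example>; Mon, 1 Jul 2024 09:00:00 +0000
Received: from relay.partner.example (relay.partner.example [198.51.100.7])
\tby mx2.clinic.example with ESMTP id 9QbT7Lm3;
\tMon, 1 Jul 2024 08:59:58 +0000
Received: from laptop.partner.example ([10.0.0.5])
\tby relay.partner.example with ESMTPSA id 7ZzR4Nk8;
\tMon, 1 Jul 2024 08:59:55 +0000
From: dr.smith@partner.example
To: nurse@clinic.example
Subject: Referral

Patient referral attached.
"""

if __name__ == "__main__":
    for hop in audit_received_hops(load_message(SAMPLE)):
        status = "TLS  " if hop["tls"] else "CLEAR"
        print(f"{status} {hop['protocol']:<8} from {hop['from']}")
```

Two caveats apply when reading the result. Only the Received: headers added by your own mail servers (the topmost ones) are trustworthy; anything earlier was written by servers you do not control and could have been forged by the sender. And a clean result only tells you the message was encrypted on the wire; it still sat in clear text on every server listed unless OpenPGP or S/MIME was used.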

What is end-to-end encryption in email?

End-to-end encryption in email is a form of communication security that prevents third parties from accessing the content of a message while it travels from one end system or device to another. In email this means the message is encrypted on the sender's device and can only be decrypted on the recipient's device; the mail servers in between, including the email provider's own, relay and store only ciphertext.

Can encrypted emails be hacked?

While no system is entirely unhackable, encrypting emails makes it much harder for an attacker to get at the content. If the decryption key is kept secure, the chance of an encrypted email being read by an attacker is very low. However, if an attacker obtains the decryption key, compromises the device on which the message is decrypted (for example with malware or through phishing), or finds a weakness in the encryption algorithm or its implementation, the content of an encrypted email could be exposed.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com