The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

What is a HIPAA Compliant Email Service?

A HIPAA compliant email service is an email service which includes the capabilities necessary to support compliance with HIPAA and which is provided by a vendor willing to enter into a Business Associate Agreement. There are different types of HIPAA compliant email service, and it is important that covered entities select the right type for their needs.

When a HIPAA covered entity sends, receives, or stores Protected Health Information (PHI) via an email service, it is important that the email service has capabilities which allow the covered entity to comply with the requirements of the Security Rule, and that those capabilities are configured so that the email service is actually used in compliance with HIPAA.

What are the Necessary Capabilities of an Email Service?

Because of the requirement that an email service is used in compliance with HIPAA, the necessary capabilities of a HIPAA compliant email service are not limited to those required by the Technical Safeguards of the Security Rule (§164.312). This is because the General Requirements of the Security Rule (§164.306) require a covered entity to:

  • Protect against any reasonably anticipated threats or hazards to the security or integrity of PHI.
  • Protect against any reasonably anticipated impermissible uses or disclosures of PHI.
  • Ensure compliance with the Security Rule by its workforce.

Compliance with the Technical Safeguards will not be sufficient to ensure compliance with the General Requirements. For example, the Technical Safeguards do not require covered entities to adopt best practices for preventing phishing attacks or implement Data Loss Prevention (DLP) solutions to mitigate the risk from insider threats – both of which can be reasonably anticipated.


However, different covered entities face different threats and hazards. To identify what capabilities are necessary for an email service to be used in compliance with HIPAA, covered entities should conduct a risk assessment and implement a HIPAA compliant email service – with additional services if necessary – which supports their risk management plan.

What is HIPAA Compliant Email Encryption?

Encryption is mentioned twice in the Technical Safeguards of the Security Rule – once in the context of preventing unauthorized access to PHI at rest (§164.312(a)(2)(iv), e.g., when a cybercriminal breaks into a mail server), and once in the context of guarding against unauthorized access while PHI is in transit (§164.312(e)(2)(ii), e.g., man-in-the-middle attacks on public Wi-Fi). Both are “addressable” specifications: a covered entity must implement them or document why an alternative measure is reasonable and appropriate.

Unless the mail service is hosted on the covered entity’s own infrastructure, the email service provider (Microsoft, Google, Paubox, etc.) is responsible for HIPAA compliant email encryption at rest and in transit. However, some email service providers offer customers a choice of encryption methods for data in transit, and covered entities need to be aware of the pros and cons of each.

TLS Encryption

The default encryption protocol used by most HIPAA compliant email providers for data in transit is Transport Layer Security (TLS). TLS encrypts the connection between two mail servers (and between a client and its server) rather than the content of the email, so the message is decrypted at each server along the path. That is why anti-phishing scanners and DLP solutions on those servers can still inspect it for threats and impermissible disclosures.

The disadvantage of TLS encryption is that it is normally negotiated opportunistically: if the recipient’s email server does not offer STARTTLS, or offers only a TLS version the sending server refuses, the email will be delivered in cleartext or returned to the sender, depending on how the sending mail server has been configured. Cleartext fallback used to be a rare event, but it may become more common as support for TLS versions 1.0 and 1.1 is phased out and servers that cannot negotiate TLS 1.2 or later are left without a common version. A covered entity should check which behaviour its provider uses by default, because a “deliver anyway” policy silently sends PHI unencrypted.
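Because TLS protects each hop separately, the only record of whether a delivered message travelled encrypted end to end is the chain of Received: headers the servers stamped on it. The following script is an added example, not code from HIPAA Journal or from any of the providers named above: it walks that chain and flags any hop relayed without TLS or under a TLS version below 1.2. The sample message, host names and IDs are constructed for the example; the header formats imitate the two common conventions (Gmail-style “version=TLS1_3 cipher=…” and Postfix-style “using TLSv1.2 with cipher …”).

```python
"""Audit the Received: trail of a delivered message for cleartext or weak-TLS hops.

Added example. SAMPLE_MESSAGE is a constructed message, not a real capture; the
host names are placeholders from the documentation ranges.
"""
import re
from email import message_from_string

# Constructed sample with three hops. Received: headers are prepended by each
# server, so the first header is the most recent hop. The middle hop below was
# relayed with plain ESMTP, i.e. the opportunistic-TLS fallback described above.
SAMPLE_MESSAGE = """\
Received: from mx.clinic.example (mx.clinic.example [192.0.2.10])
 by inbox.example.net with ESMTPS id abc123
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 2 Jan 2024 10:03:11 +0000
Received: from relay.partner.example (relay.partner.example [198.51.100.7])
 by mx.clinic.example with ESMTP id def456;
 Tue, 2 Jan 2024 10:03:09 +0000
Received: from workstation.partner.example ([10.0.0.5])
 by relay.partner.example with ESMTPSA id ghi789
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits));
 Tue, 2 Jan 2024 10:03:05 +0000
From: nurse@partner.example
To: records@clinic.example
Subject: Referral for patient

Body omitted.
"""

# "with ESMTPS"/"ESMTPSA" (RFC 3848) means the hop used TLS; "ESMTP"/"SMTP" did not.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)"
)
# Matches both "version=TLS1_3" (Gmail style) and "using TLSv1.2" (Postfix style).
TLS_RE = re.compile(r"(?:version=|using )(?P<version>TLSv?[\d._]+)")


def tls_version_number(label):
    """'TLS1_3' -> 1.3, 'TLSv1.2' -> 1.2, 'TLSv1' -> 1.0."""
    digits = re.sub(r"^TLSv?", "", label).replace("_", ".")
    return float(digits) if digits else 1.0


def parse_hop(value):
    """Parse one Received: header value into a dict, or None if it is not a hop."""
    flat = " ".join(value.split())  # unfold the header
    m = HOP_RE.search(flat)
    if not m:
        return None
    proto = m.group("proto").upper()
    tls = TLS_RE.search(flat)
    return {
        "from": m.group("from"),
        "by": m.group("by"),
        "protocol": proto,
        "tls": proto in ("ESMTPS", "ESMTPSA") or tls is not None,
        "tls_version": tls.group("version") if tls else None,
    }


def audit_tls_path(raw_message):
    """Return (hops in sending order, findings).

    A finding names a hop that was relayed in cleartext or under TLS < 1.2.
    """
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_hop, msg.get_all("Received", [])) if h]
    hops.reverse()  # headers are prepended, so reverse to get chronological order
    findings = []
    for h in hops:
        link = f'{h["from"]} -> {h["by"]}'
        if not h["tls"]:
            findings.append(f"cleartext: {link}")
        elif h["tls_version"] and tls_version_number(h["tls_version"]) < 1.2:
            findings.append(f'weak {h["tls_version"]}: {link}')
    return hops, findings


if __name__ == "__main__":
    hops, findings = audit_tls_path(SAMPLE_MESSAGE)
    for h in hops:
        print(f'{h["from"]} -> {h["by"]}: {h["protocol"]} {h["tls_version"] or "(no TLS)"}')
    print("findings:", findings or "none")
```

Run against the sample, the script reports the relay-to-mx hop as cleartext even though the hops on either side of it used TLS 1.2 and 1.3, which is the point: a TLS connection from the covered entity’s own server proves nothing about the rest of the path. On a Postfix sending server the fallback behaviour itself is selected by `smtp_tls_security_level` (`may` delivers in cleartext when TLS is unavailable; `encrypt` defers the message instead), and `smtp_tls_policy_maps` can require encryption for specific partner domains; other MTAs and hosted providers expose equivalent settings.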

S/MIME Encryption

Secure/Multipurpose Internet Mail Extensions (S/MIME) encryption has the advantages of validating the source of each email (to reduce spam, malware, and phishing) and ensuring the integrity of data in transit (as required by §164.312(e) of the Technical Safeguards). It does this by digitally “signing” each email with the sender’s certificate at the point of creation and, separately, encrypting its contents to the recipient’s certificate, so the message stays encrypted on every server it passes through rather than only on the connection between servers.

The disadvantages of S/MIME encryption (and the similar OpenPGP encryption) are that anti-phishing scanners and DLP solutions cannot read the content of encrypted emails (signed-but-unencrypted emails remain readable); and, because the sender needs the recipient’s certificate or public key before the content can be encrypted, emails to the many organizations that have not adopted S/MIME either cannot be encrypted at all – leaving transport TLS, where available, as the only protection – or must be held back or returned to the sender.

Proprietary Protocols

Proprietary encryption protocols can resolve the issue of compatibility by delivering email via TLS version 1.2 or 1.3 whenever possible; and, when encrypted delivery is not possible, by sending the recipient a link to a web portal where they can access, read, and download the email over HTTPS. However, while resolving the issue of compatibility, proprietary protocols can create new issues.

One of the issues with this type of HIPAA compliant email encryption is that users may have to click a plug-in button every time they send an encrypted email, and an email sent without that step is not protected. The recipient may also have to go through several steps (account creation, one-time codes) before they can access the email. If opting for this type of HIPAA compliant email encryption, covered entities are advised to look for an email service that encrypts emails by default and that minimizes the process for accessing emails.

Why HIPAA Secure Email Alone is Not Enough

Subscribing to a HIPAA secure email service is just the first step of operating a HIPAA compliant email service. Most email services do not come pre-configured to support compliance with HIPAA, so it is important the capabilities of the HIPAA secure email service are configured in such a way that the email service is used compliantly by members of the workforce.

Most email service providers publish guides on “HIPAA implementation” or can help covered entities configure the software to meet their requirements. However, it is the responsibility of covered entities to train members of the workforce on how to use the services compliantly – not only with regards to their technical use, but also with regards to permissible disclosures of PHI, patient consent and authorizations, and the minimum necessary standard.

Business Associate Agreements and Addendums

In all circumstances in which a covered entity subscribes to a HIPAA compliant hosted email service (e.g., the service is hosted in the cloud by the service vendor) the covered entity must enter into a Business Associate Agreement with the vendor if the service is going to be used to collect, receive, store, or transmit PHI (or archive PHI when an archiving service is included).

This HIPAA requirement exists even when a service provider cannot access PHI because it is encrypted. The Department of Health and Human Services (HHS) clarified the requirement in an FAQ published on its website which states: “a cloud service provider that maintains PHI for the purpose of storing it will qualify as a business associate […] even if the provider does not actually view the information because the entity has persistent access to the PHI”.

Choosing the Best HIPAA Compliant Email Service

Choosing the best HIPAA compliant email service requires more than doing an Internet search of review sites. It requires serious considerations of the necessary capabilities, what type of HIPAA compliant email encryption to use, and how easy it will be to configure the service and train members of the workforce to ensure the service is used compliantly.

In addition, it may be necessary to review the content of vendors’ Business Associate Agreements before subscribing to a service. Most software vendors have “one-size-fits-all” Business Associate Agreements or Addendums to their Terms of Service because it would be too complicated to comply with the terms of individually negotiated Agreements. Some of these Agreements have conditions that covered entities may find contentious under certain circumstances.

Once a risk assessment has been completed, covered entities are advised to create a shortlist of potential HIPAA compliant email services and take advantage of free trials whenever possible. This will allow covered entities to evaluate each service’s capabilities and ease of use in their own environment and test each vendor on their HIPAA knowledge. Covered entities that require help with evaluating HIPAA compliant email services should seek independent compliance advice.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
