HIPAA Compliance for Email

HIPAA compliance for email involves not only ensuring that the systems used to send, receive, and store emails support HIPAA compliance, but also that members of the workforce understand when it is permitted to send Protected Health Information by email – and when exceptions exist.

Because of the different ways in which covered entities and business associates use email, there are no definitive guidelines for HIPAA email compliance. For example, some organizations use on-premises email systems, while others subscribe to cloud email services offered by providers such as Microsoft, Google, and Zoho.

Some organizations use secure file-sharing systems to avoid the need to implement a HIPAA compliant email service; for others, communicating Protected Health Information (PHI) by email is essential to support healthcare and billing operations, or to subcontract healthcare and billing operations to business associates.

In addition, healthcare providers can develop their own HIPAA email policies for communicating with patients. Some may only permit disclosures of PHI in emails to patients when patients have provided written consent or specifically requested email communications. Others may prohibit PHI in emails to patients entirely.

Is HIPAA Compliance for Email Necessary?

HIPAA compliance for email is not always necessary depending on the HIPAA “status” of a healthcare provider, whether PHI is communicated in emails, and other systems used by a covered entity or business associate to create, receive, store, or transmit PHI. The first thing to determine is the HIPAA “status” of a healthcare provider.

Why the HIPAA Status is Important

Not all healthcare providers qualify as HIPAA covered entities. Only those who conduct transactions electronically for which the Department of Health and Human Services (HHS) has published standards in Part 162 of the HIPAA Administrative Simplification Regulations are required to comply with HIPAA.

Those who do not qualify as HIPAA covered entities and who do not provide services to or on behalf of a covered entity as a business associate are not required to comply with HIPAA. This also means the HIPAA email rules do not apply – although other state privacy, breach notification, and licensing laws may still apply.

Is PHI Communicated in Emails?

HIPAA compliance for email is not necessary if PHI is not communicated in emails. For example, if information about a patient communicated in an email does not contain individually identifiable health information, the information in the email is not protected by the Privacy Rule (although state privacy laws may still apply).

Many healthcare providers can avoid the requirement of HIPAA compliance for email by prohibiting PHI in emails except when a patient provides written consent or requests an accounting of disclosures by email, as these circumstances exempt a covered entity from having to comply with the HIPAA email rules.

What Other Systems Are In Use?

There are many other systems that can be used by a covered entity to create, receive, store, or transmit PHI that negate the need for a HIPAA compliant email system. If these systems are used and are not connected to – or integrated with – an email system, there is no requirement for the email system to be HIPAA compliant.

However, when an individual or organization qualifies as a HIPAA covered entity or business associate, when PHI is disclosed in emails, and when there are no other systems in use to communicate PHI, HIPAA compliance for email is necessary, and the first stage of being compliant is to conduct a HIPAA email risk assessment.

Conducting a HIPAA Email Risk Assessment

The purpose of conducting a HIPAA email risk assessment is to identify threats or hazards to the security and integrity of PHI created, received, stored, or transmitted by email, and to identify potential uses or disclosures of PHI in emails that are not permitted by the Privacy Rule. The risk assessment should also consider the possibility of “malicious insiders”.

Any threats or hazards identified in the risk assessment must be mitigated to a reasonable and acceptable level using whatever measures are available. These measures have to be implemented in addition to all applicable Administrative, Physical, and Technical Safeguards and the provision of HIPAA training to all members of the workforce.

In circumstances in which an individual or organization subscribes to a cloud email service, the cloud email service provider is responsible for many of the Physical Safeguards of the Security Rule. However, before any PHI is disclosed to a cloud email service provider, it is necessary to enter into a Business Associate Agreement with the provider.

It is also necessary to assess what measures the email service provider is using to protect the confidentiality, integrity, and availability of PHI. The current HIPAA encryption requirements are a minimum of AES-128 encryption for PHI at rest and TLS 1.2 for encryption in transit. However, not all recipient email systems support TLS 1.2 connections, and it may be necessary to implement a secondary email service to ensure the deliverability of emails containing PHI.

HIPAA Compliance for Email: 10 Key Challenges

When conducting a HIPAA email risk assessment, these are 10 key challenges to watch out for and address:

Are you aware of how PHI is created and received, all locations in which PHI is stored, and all channels through which it is transmitted?

It has been estimated that around 40% of IT spending in large organizations is on unsanctioned cloud services and applications. The truth is that nobody knows the real scale of “Shadow IT”. However, if members of the workforce are using unsanctioned cloud services and applications to “get the job done”, it is important that these are included in the risk assessment and safeguards are implemented to support HIPAA compliance for email.

Are Business Associate Agreements in place with all email service providers and providers of HIPAA email encryption services (where applicable)?

In addition to identifying all channels through which PHI is transmitted, it is necessary to enter into Business Associate Agreements with the vendors of these channels. This not only applies to email service providers, but also to providers of HIPAA email encryption services when such services are used alongside an on-premises or cloud-based mail service – even when encryption service providers have “no view access” to PHI.

Are all members of the workforce trained on permissible uses and disclosures of PHI via email, and the sanctions for HIPAA violations?

All members of the workforce have access to PHI inasmuch as they can visually identify a patient being admitted for treatment and share that information impermissibly via a personal email account. For this reason, all members of the workforce should be trained on permissible uses and disclosures of PHI and the sanctions for violating any standards of the Privacy Rule as well as the covered entity’s policies (see §164.530(e)).

Do members of the workforce understand what the minimum necessary standard is and when it applies?

The minimum necessary standard (§164.502(b)) requires covered entities and business associates where applicable to only disclose the minimum necessary PHI by email to achieve the purpose of the disclosure. There are exceptions to the standard – for example, when PHI is disclosed for treatment purposes – and it is important for members of the workforce to understand both the standard and when it applies.

How are agreed upon restrictions, requests for confidential communications, and limited disclosures for identification managed?

When patients request that disclosures of PHI are restricted (§164.522(a)) or that confidential communications are sent by email (§164.522(b)), covered entities are required to accommodate reasonable requests. How these requests are complied with can impact uses and disclosures by business associates and disclosures required by law – especially those required for identification and location purposes (§164.512(f)).

When receiving a request for PHI to be disclosed via email, is the identity of the person making the request verified?

Section 164.312(d) of the Security Rule requires procedures to be implemented that “verify a person or entity seeking access to electronic protected health information is the one claimed”. Because of the risk of email account takeovers (e.g., via phishing), it is important that procedures are implemented to mitigate the risk of sending patient information via email to an unauthorized person masquerading as the patient, a business associate, or a workforce member.

Are measures in place to prevent unauthorized password sharing? Are these measures enforced via a sanctions policy?

Compromised login credentials are a common cause of data breaches, yet 73.6% of respondents to a 2017 study admitted sharing passwords to systems containing PHI. The unauthorized sharing of passwords to email accounts increases the risk of a data breach. It is important that incidents of unauthorized password sharing are identified in a risk assessment, measures are introduced to prevent it, and the measures are enforced via a sanctions policy.

Are appropriate physical safeguards in place for HIPAA email compliance? Including when PHI is sent, received, or stored by mobile devices?

When organizations subcontract email services to a third party service provider (e.g., Workspace Gmail), the third party service provider is most often responsible for complying with the physical HIPAA rules for email security. However, the organization is still responsible for some physical safeguards – for example, restricting physical access to workstations and mobile devices on which PHI can be accessed.

Have HIPAA email policies been implemented that prohibit disclosures of PHI in the subject lines of emails and the file names of attachments?

An important consideration when complying with the HIPAA email encryption requirements is that most encryption solutions do not encrypt email metadata such as subject lines, so that inboxes remain searchable. Organizations must therefore implement HIPAA email policies that prohibit disclosures of PHI in the subject lines of emails and in the file names of attachments, to prevent inadvertent disclosures of unsecured PHI.
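One way to enforce the subject-line and attachment-name policy above is an outbound check that scans only the parts an encryption solution typically leaves in the clear. The following is an added example, not code from the original article; the PHI-like patterns (a U.S. SSN shape, a placeholder MRN format, a DOB prefix) and the sample message are constructed for illustration and would be tuned to an organization's own identifiers.

```python
import re
from email.message import EmailMessage

# Constructed PHI-like patterns (assumption: an organization would replace
# these with its own identifier formats, e.g. its real MRN layout).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[\s:#-]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[\s:]*\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
}


def scan_text(location, text):
    """Return (location, pattern_name) for every PHI-like pattern found in text."""
    text = str(text or "")
    return [(location, name) for name, rx in PHI_PATTERNS.items() if rx.search(text)]


def find_unencrypted_phi(msg):
    """Scan the Subject header and each attachment file name of an outbound
    message; these fields usually stay unencrypted so inboxes are searchable."""
    findings = scan_text("subject", msg.get("Subject", ""))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings += scan_text("attachment:" + name, name)
    return findings


def build_sample_message():
    """Constructed sample message; no real patient data."""
    msg = EmailMessage()
    msg["From"] = "billing@example-clinic.test"
    msg["To"] = "claims@example-payer.test"
    msg["Subject"] = "Claim for MRN 00123456 - DOB 01/02/1970"
    msg.set_content("Claim attached. The body itself may be encrypted end-to-end.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="claim-123-45-6789.pdf")
    return msg


if __name__ == "__main__":
    # A mail gateway hook would block or quarantine on any finding.
    for location, kind in find_unencrypted_phi(build_sample_message()):
        print(f"BLOCK: {kind} pattern found in {location}")
```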

How does the organization comply with the HIPAA email retention requirements? Can PHI and HIPAA documentation be retrieved within the allowed timeframes?

The HIPAA email retention requirements apply to different types of information in different ways. For example, an email containing PHI is a designated record set that must be available within 30 days to patients exercising their HIPAA rights to request a copy of PHI. Emails containing PHI must be retained or archived for as long as state laws dictate – unless the PHI in the emails is transferred to a HIPAA compliant repository (e.g., EHR, cloud storage, etc.) and the email deleted in compliance with §164.310(d).

By comparison, emails containing HIPAA documentation must be retained for a minimum of six years from when – for example – a HIPAA policy, a Notice of Privacy Practices, or a patient authorization sent via email is last in force. Such documentation must be made available to HHS’ Office for Civil Rights if it is requested to investigate a HIPAA complaint or conduct a HIPAA compliance investigation.

HIPAA Email Policies and Workforce Training

As well as implementing measures to comply with the Security Rule safeguards and any issues identified in a risk assessment, HIPAA covered entities and business associates must develop HIPAA email policies which stipulate the permissible uses of email when PHI is contained in the email’s content or in an attachment.

The policies should include the times when the minimum necessary standard applies, when patients are required to “affirmatively opt in” to receive communications by email, and how to report an impermissible disclosure of PHI (by oneself or by a colleague) or concerns that login credentials have been compromised.

Members of the workforce must be provided with training on the HIPAA email policies and advised on the sanctions for violating the policies. Both the provision of training and the warning of sanctions must be documented, and the documentation retained for a minimum of six years from when the policies are last in force.

It was mentioned previously that there are no definitive guidelines for HIPAA email compliance. Because of this, some covered entities and business associates can find HIPAA compliance for email challenging. If your organization is experiencing challenges in conducting a HIPAA email risk assessment, filling gaps in HIPAA compliance, or training members of the workforce on HIPAA email policies, you are advised to speak with a HIPAA compliance professional.

HIPAA Compliance for Email FAQs

Does HIPAA allow sending patient information via email?

HIPAA allows sending patient information via email provided the reason for sending patient information is permitted by the Privacy Rule, the patient information disclosed in the email is the minimum necessary to achieve the purpose of the email (where necessary), and – unless an exemption exists – the email service used to send patient information is HIPAA compliant.

What are the HIPAA rules for emailing patient information?

The HIPAA rules for emailing patient information are that emails can only be sent if the reason for sending patient information is required or permitted by the Privacy Rule, the service used to email patient information supports HIPAA compliance, and – if the service is provided by a third party service provider – a Business Associate Agreement is in place with the service provider.

Is encrypted email HIPAA compliant?

Encrypted email is HIPAA compliant – but only with respect to the Safeguards for the security of PHI at rest and in transit. Encryption alone does not mean an email service is HIPAA compliant. The service must also have the capabilities to support compliance with the other Safeguards of the Security Rule and be configured to ensure the service is used in compliance with HIPAA.

What is HIPAA compliant email encryption?

HIPAA compliant email encryption is email encryption that meets or surpasses the minimum standards published as guidance by HHS in 2013. The guidance states that PHI at rest must be encrypted to the AES-128 standard (or higher), and that PHI in transit must be encrypted to TLS 1.2 or higher, or to an equivalent FIPS 140-2 validated standard such as PGP or S/MIME.

What is the difference between HIPAA secure email and HIPAA compliant email?

The difference between HIPAA secure email and HIPAA compliant email is that HIPAA secure email complies with the Safeguards of the HIPAA Security Rule, whereas HIPAA compliant email complies with the Safeguards of the HIPAA Security Rule AND the permissible disclosures, minimum necessary, and other administrative standards of the HIPAA Privacy Rule.

What is a HIPAA disclaimer for email?

A HIPAA disclaimer for email is a block of text at the top or bottom of an email that warns recipients that the email or an attachment to the email contains PHI and should only be read by the intended recipient. A HIPAA disclaimer for email is not required by the Privacy or Security Rules and is not considered a mitigating factor for an impermissible disclosure of PHI.