HIPAA Compliance for Email

HIPAA compliance for email involves not only ensuring that the systems used to send, receive, and store emails support HIPAA compliance, but also that members of the workforce understand when it is permitted to send Protected Health Information by email – and when exceptions exist.

Because of the different ways in which covered entities and business associates use email, there are no definitive guidelines for HIPAA email compliance. For example, some organizations use on-premises email systems, while others subscribe to cloud email services offered by providers such as Microsoft, Google, and Zoho.

Some organizations use secure file-sharing systems to avoid the need to implement a HIPAA compliant email service; for others, communicating Protected Health Information (PHI) by email is essential to support healthcare and billing operations, or to subcontract those operations to business associates.

In addition, healthcare providers can develop their own HIPAA email policies for communicating with patients. Some may only permit disclosures of PHI in emails to patients when patients have provided written consent or specifically requested email communications. Others may prohibit PHI in emails to patients entirely.

Is HIPAA Compliance for Email Necessary?

Whether HIPAA compliance for email is necessary depends on the HIPAA “status” of the organization, on whether PHI is communicated in emails, and on what other systems the covered entity or business associate uses to create, receive, store, or transmit PHI. The first thing to determine is the organization’s HIPAA status.

Why the HIPAA Status is Important

Not all healthcare providers qualify as HIPAA covered entities. Only those who conduct transactions electronically for which the Department of Health and Human Services (HHS) has published standards in Part 162 of the HIPAA Administrative Simplification Regulations are required to comply with HIPAA.

Those who do not qualify as HIPAA covered entities and who do not provide services to or on behalf of a covered entity as a business associate are not required to comply with HIPAA. This also means the HIPAA email rules do not apply – although other state privacy, breach notification, and licensing laws may still apply.

Is PHI Communicated in Emails?

HIPAA compliance for email is not necessary if PHI is not communicated in emails. For example, if information about a patient communicated in an email does not contain individually identifiable health information, the information in the email is not protected by the Privacy Rule (although state privacy laws may still apply).

Many healthcare providers can avoid the requirement of HIPAA compliance for email by prohibiting PHI in emails except when a patient provides written consent or specifically requests that communications (for example, an accounting of disclosures) be sent by email. In those circumstances the covered entity may honor the patient’s request, provided the patient has been advised that email may not be secure; the request does not otherwise relieve the covered entity of its obligations under the Privacy and Security Rules.

What Other Systems Are In Use?

There are many other systems that a covered entity can use to create, receive, store, or transmit PHI and that remove the need for a HIPAA compliant email system. If those systems are used and are not connected to, or integrated with, an email system, there is no requirement for the email system to be HIPAA compliant.

However, when an individual or organization qualifies as a HIPAA covered entity or business associate, when PHI is disclosed in emails, and when there are no other systems in use to communicate PHI, HIPAA compliance for email is necessary, and the first stage of being compliant is to conduct a HIPAA email risk assessment.

Conducting a HIPAA Email Risk Assessment

The purpose of conducting a HIPAA email risk assessment is to identify threats or hazards to the security and integrity of PHI created, received, stored, or transmitted by email, and to identify potential uses or disclosures of PHI in emails that are not permitted by the Privacy Rule. The risk assessment should also consider the possibility of “malicious insiders”.

Any threats or hazards identified in the risk assessment must be mitigated to a reasonable and appropriate level using whatever measures are available. These measures must be implemented in addition to all applicable Administrative, Physical, and Technical Safeguards and the provision of HIPAA training to all members of the workforce.

In circumstances in which an individual or organization subscribes to a cloud email service, the cloud email service provider is responsible for many of the Physical Safeguards of the Security Rule. However, before any PHI is disclosed to a cloud email service provider, it is necessary to enter into a Business Associate Agreement with the provider.

It is also necessary to assess the measures the email service provider uses to protect the confidentiality, integrity, and availability of PHI. The Security Rule does not name specific algorithms: encryption is an “addressable” implementation specification, and HHS’s breach notification guidance refers to the NIST recommendations (NIST SP 800-111 for data at rest and NIST SP 800-52 for TLS in transit) for what renders PHI unusable, unreadable, or indecipherable. In practice this means AES-128 or stronger for PHI at rest and TLS 1.2 or later for email in transit. Note that email TLS is negotiated between the sending and receiving mail servers: if a recipient’s server does not support TLS 1.2, a sending system configured to require it will refuse to deliver the message, while one configured for opportunistic TLS will silently fall back to an unencrypted connection. Covered entities should require TLS 1.2 or later for messages containing PHI and route messages to recipients who cannot meet that requirement through a secondary secure messaging channel (for example, a patient or partner portal), rather than allow plaintext fallback.
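The refuse-rather-than-fall-back behaviour described above, as an added example in Python (not code from the original article): it builds an SSL context that rejects anything below TLS 1.2 and verifies the server certificate, sends only after the receiving server advertises STARTTLS and the handshake succeeds, and raises instead of continuing in plaintext. The host names, addresses, message body and the `_FakeSMTP` stand-in used to exercise both outcomes offline are constructed for illustration; the `smtp_factory` parameter is a hypothetical hook so the same function runs against `smtplib.SMTP` in production.

```python
"""Send PHI-bearing mail only over TLS 1.2 or later; never fall back to plaintext.

Added example, not part of the original article. Host names, addresses, the message
body and the _FakeSMTP stand-in are constructed; smtp_factory is a hypothetical hook.
"""
import functools
import smtplib
import ssl
from email.message import EmailMessage


class TransportNotSecureError(RuntimeError):
    """Raised when the receiving server cannot negotiate TLS 1.2 or better."""


def build_phi_tls_context() -> ssl.SSLContext:
    """Certificate and hostname verification on, TLS 1.0/1.1 disabled."""
    ctx = ssl.create_default_context()  # verifies the server certificate by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_phi_email(msg: EmailMessage, relay_host: str, relay_port: int = 587,
                   smtp_factory=smtplib.SMTP) -> str:
    """Deliver msg via relay_host or raise; returns the negotiated TLS version.

    Opportunistic-TLS senders would carry on in plaintext when STARTTLS is missing;
    this function refuses, which is the behaviour you want for PHI.
    """
    ctx = build_phi_tls_context()
    with smtp_factory(relay_host, relay_port, timeout=30) as client:
        client.ehlo()
        if not client.has_extn("starttls"):
            raise TransportNotSecureError(f"{relay_host} does not offer STARTTLS")
        # Raises ssl.SSLError if the server only speaks TLS 1.0/1.1 or its cert fails.
        client.starttls(context=ctx)
        client.ehlo()  # re-identify over the now-encrypted channel
        version = client.sock.version()  # e.g. "TLSv1.2" or "TLSv1.3"
        client.send_message(msg)
    return version


class _FakeSMTP:
    """Constructed stand-in for smtplib.SMTP so the policy can be exercised offline."""

    class _TLSSock:
        def version(self):
            return "TLSv1.2"

    def __init__(self, host, port, timeout=None, *, offers_starttls=True):
        self.offers_starttls = offers_starttls
        self.sent = []
        self.sock = None

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def ehlo(self):
        return 250, b"ok"

    def has_extn(self, name):
        return name.lower() == "starttls" and self.offers_starttls

    def starttls(self, context=None):
        assert context.minimum_version == ssl.TLSVersion.TLSv1_2
        self.sock = self._TLSSock()
        return 220, b"ready"

    def send_message(self, msg):
        self.sent.append(msg)


def demo() -> dict:
    """Run the sender against a TLS-capable and a plaintext-only fake server."""
    msg = EmailMessage()
    msg["From"] = "billing@clinic.example"     # constructed
    msg["To"] = "claims@payer.example"         # constructed
    msg["Subject"] = "Claim status"
    msg.set_content("[constructed placeholder body; a real message would carry PHI]")

    results = {"minimum_version": build_phi_tls_context().minimum_version.name}
    good = functools.partial(_FakeSMTP, offers_starttls=True)
    results["starttls_server"] = send_phi_email(msg, "mx.payer.example", smtp_factory=good)

    legacy = functools.partial(_FakeSMTP, offers_starttls=False)
    try:
        send_phi_email(msg, "mx.legacy.example", smtp_factory=legacy)
        results["plaintext_only_server"] = "sent in the clear (policy failure)"
    except TransportNotSecureError:
        results["plaintext_only_server"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

When the refusal fires, the message should be handed to the secondary channel (a portal link, or an S/MIME or PGP-wrapped message) rather than retried over plaintext; logging the refusal also gives the risk assessment evidence of which correspondents cannot meet the TLS 1.2 requirement.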

HIPAA Email Policies and Workforce Training

As well as implementing measures to comply with the Security Rule safeguards and any issues identified in a risk assessment, HIPAA covered entities and business associates must develop HIPAA email policies which stipulate the permissible uses of email when PHI is contained in the email’s content or in an attachment.

The policies should include the times when the minimum necessary standard applies, when patients are required to “affirmatively opt in” to receive communications by email, and how to report an impermissible disclosure of PHI (by oneself or by a colleague) or concerns that login credentials have been compromised.

Members of the workforce must be provided with training on the HIPAA email policies and advised on the sanctions for violating the policies. Both the provision of training and the warning of sanctions must be documented, and the documentation retained for a minimum of six years from when the policies are last in force.

It was mentioned previously that there are no definitive guidelines for HIPAA email compliance. Because of this, some covered entities and business associates can find HIPAA compliance for email challenging. If your organization is experiencing challenges in conducting a HIPAA email risk assessment, filling gaps in HIPAA compliance, or training members of the workforce on HIPAA email policies, you are advised to speak with a HIPAA compliance professional.