HIPAA Compliance for Email
There is considerable confusion about HIPAA compliance for email and the steps covered entities must take to safeguard the confidentiality, integrity, and availability of electronic protected health information (ePHI). Does HIPAA compliance for email mean encryption must be used? Can web-based email services be used without violating HIPAA Rules? How does HIPAA apply to email storage? Before we answer these questions, it is worthwhile debunking a few myths about HIPAA compliance for email.
Myths About HIPAA Compliance for Email
A common myth about HIPAA compliance for email is that all emails must be encrypted. However, an equivalent safeguard can be used to protect ePHI transmitted in emails, and encryption is not required if emails are only sent internally via a secure server behind a firewall. Encryption is also not required for emails that do not contain ePHI.
If emails are sent outside an internal network, beyond the protection of a firewall, then safeguards must be implemented to meet Security Rule requirements. In such cases, encryption would be an appropriate security measure.
If the decision is made – following a risk assessment – not to use encryption, that decision, along with the reasons why, must be documented. Without documentation, it would not be possible for a covered entity to demonstrate to regulators that encryption has been considered and the implementation specification has not simply been ignored.
Another common myth about HIPAA compliance for email is that it is not possible to send PHI to patients via unsecured email or to a web-based email account. HIPAA does not prohibit this, but written consent must first be obtained from the patient before any PHI is sent. Patients must also be informed that this method of communication is not secure and that there is a risk their PHI may be intercepted.
Another common misconception is that web-based email is not HIPAA-compliant. Many web-based email services have safeguards in place that allow them to be used by HIPAA-covered entities. However, before any web-based email service is used to send PHI, the covered entity must confirm with the service provider that the service is HIPAA-compliant, and a business associate agreement (BAA) must be obtained. The BAA must detail the responsibilities of the service provider with respect to ePHI. Without a BAA and assurances from the service provider, web-based email services cannot be used.
HIPAA Security Rule Requirements
The HIPAA Security Rule does not prohibit the use of email to communicate PHI. Email can be used to send PHI provided the covered entity implements the technical safeguards detailed in 45 CFR § 164.312(a) – Access Control, 45 CFR § 164.312(c)(1) – Integrity, and 45 CFR § 164.312(e)(1) – Transmission security. The covered entity must also ensure audit controls are in place, in accordance with 45 CFR § 164.312(b).
Access controls are required to prevent unauthorized individuals from gaining access to PHI. Integrity controls will ensure ePHI cannot be deleted or tampered with, while transmission security ensures messages cannot be intercepted in transit. Audit controls are necessary as covered entities and regulators must be able to examine activity related to ePHI.
Covered entities must also ensure that all emails are kept for a period of 6 years. Since the volume of emails sent and received by a covered entity over a six-year period would require significant storage space, the use of a secure email archiving service is wise. HIPAA-compliant email archiving solves the storage issue; all emails are indexed and the archive is searchable, which makes retrieving emails easy in the event of a HIPAA compliance audit.
Covered entities should only choose an archiving service that encrypts emails and attachments at source, before they are sent to the archive. Covered entities should also check how emails are stored and whether the messages are encrypted to NIST standards. A business associate agreement must also be obtained from the service provider, as they would be classed as a business associate under HIPAA Rules.
HIPAA-Compliant Alternatives to Email
One solution to many of the issues with HIPAA compliance for email is to use an alternative method of communicating PHI. Many healthcare organizations have opted to implement a secure text messaging service instead of using email.
Text messages are convenient, and they can be sent to mobile devices, which speeds up communication. Secure text messaging platforms offer the benefits of texting, but in a secure environment with access and audit controls, encrypted transmissions, and user identification. The platforms can also be used to send medical images and other attachments, as with email.
The platforms can serve as a replacement for pagers and a secure and more convenient alternative to email. As with email archiving, the solution provider is classed as a business associate and would be required to sign a BAA and provide assurances that any ePHI transmitted via the platform would be secured according to HIPAA standards. Provided that is the case, secure messaging solutions can be used without violating HIPAA Rules.