Is There a Free HIPAA Compliant Email Service?

Most businesses use email as their main form of communication due to its ease of use. However, when handling sensitive information, such as patients’ protected health information (PHI), it is essential to ensure that the email service you are using is HIPAA compliant. You may want to use a free HIPAA compliant email service. However, free HIPAA compliant email services don’t really exist. Although there are free email services, the free versions of email do not offer the protections necessary to comply with the Health Insurance Portability and Accountability Act (HIPAA).

What Protections are Required?

To use HIPAA compliant email, there must be protections in place to maintain the confidentiality, integrity, and availability of PHI. To safeguard protected health information, the following should be in place:

  • Integrity controls are the policies, procedures and technical measures that protect PHI from improper alteration or destruction. Encryption alone hides content but does not by itself detect tampering, so integrity is verified with message digests, digital signatures or authenticated encryption.
  • Access controls ensure that only the person(s) granted permission to view PHI have access to it. Restricting access prevents unauthorized viewing of PHI, including by family members or anyone else who handles your telephone, tablet or computer.
  • Audit controls track and record who accessed PHI, when they accessed it, and what they did with it.
  • Transmission security guards PHI while it moves over a network: email carrying PHI must be encrypted in transit, and integrity checks must detect tampering along the way. Protecting PHI at rest (encrypting stored mail and devices, and placing a firewall in front of mail infrastructure) is a separate but equally necessary safeguard.
  • Person or entity authentication is a means of verifying the identity of the person(s) accessing PHI. This is accomplished with unique login credentials, ideally combined with multi-factor authentication.
  • Encryption in transit. HIPAA's transmission security standard lists encryption as an addressable implementation specification, meaning you must implement it or document why an equivalent measure is reasonable. In practice, end-to-end encryption (E2EE) or a secure message portal is the accepted way to transmit PHI to a third party via email, because opportunistic TLS between mail servers can silently fall back to plaintext. E2EE ensures that sensitive data is viewable only by the intended recipient.

As stated previously, free email services lack the above-mentioned protections; as such, there are no free HIPAA compliant email services. In addition, to use email communication in accordance with HIPAA, covered entities (CEs) and HIPAA business associates (BAs) must first have a signed business associate agreement (BAA) with their email provider. A BAA is a legal document that dictates the protections that must be in place to secure PHI. A BAA also establishes permitted use and disclosure of PHI, and indicates which party is responsible for reporting a breach should one occur.

Lastly, before using email to communicate with a patient, you must first have written consent from the patient to do so. If you regularly communicate with patients via email, it is recommended that you have patients sign a patient authorization form upon intake, authorizing you to communicate with them in this format. Staff must also be trained on the proper use and disclosure of PHI via email. Training reinforces the minimum necessary standard, under which staff may not access more PHI than their role requires, and ensures that staff are aware that PHI cannot be sent to a patient via email without express written consent from the patient.

Is Gmail HIPAA Compliant?

Gmail, in its free version, is not HIPAA compliant. However, G Suite (now sold as Google Workspace), a paid service in which users have access to several Google applications, can be HIPAA compliant when used properly. Before using G Suite's email in conjunction with PHI, an administrator must accept Google's business associate agreement, which is available with your G Suite subscription.

Additionally, you must configure G Suite to incorporate the protections necessary to be HIPAA compliant. Even with these configurations, to meet the E2EE standard, you must use a third-party encryption service, as G Suite does not offer E2EE.

Is Outlook HIPAA Compliant?

The Outlook name covers several products (the desktop client, the consumer Outlook.com service, and the mailbox service in Office 365, now sold as Microsoft 365), but the only form of Outlook that can be HIPAA compliant is the one delivered through an Office 365 business subscription. As previously mentioned, a business associate agreement must be signed with Microsoft before using the email service to transmit PHI.

Microsoft's BAA is included in the contract terms for its Office 365 business subscriptions; confirm that it covers your subscription and the services you use before transmitting PHI.

Just like Google’s email service, Microsoft Office 365 must be properly configured before it can be used in conjunction with PHI. To configure Office 365 to the proper settings, the following should be enabled:

  1. Enterprise-level encryption, including message encryption for outbound mail
  2. Microsoft Exchange Online Protection for inbound filtering
  3. Data loss prevention policies that detect PHI in outbound mail
  4. The ability to remotely wipe data from mobile devices
  5. Properly configured access controls
  6. Single sign-on and two-factor (multi-factor) authentication
  7. Data backups or retention holds so mail can be recovered
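The checklist above can be checked against a live tenant rather than by eyeballing the admin portal. The following PowerShell script is an added example written for this page; it is not code from the original article or from Microsoft. It assumes the ExchangeOnlineManagement module is installed and that you have already run Connect-ExchangeOnline and Connect-IPPSSession with an account holding the Exchange and Compliance administrator roles. It only reports gaps and changes nothing; the MFA and single sign-on policies themselves live in Microsoft Entra ID and are not reachable through these cmdlets, so item 6 is checked only as far as the mail service exposes it.

```powershell
# Added example (not from the original article or Microsoft): report an Exchange
# Online tenant's configuration against the seven-item checklist above.
# Assumes Connect-ExchangeOnline and Connect-IPPSSession have already been run.
# Review mode only: prints findings, makes no changes.

$findings  = [System.Collections.Generic.List[string]]::new()
$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Enterprise-level encryption: Office 365 Message Encryption depends on
#    Azure RMS being enabled in the IRM configuration.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    $findings.Add("Encryption: AzureRMSLicensingEnabled is false; message encryption is unavailable.")
}

# 2. Transport protection: partner connectors should enforce TLS in both directions.
Get-OutboundConnector | Where-Object { $_.Enabled -and -not $_.TlsSettings } | ForEach-Object {
    $findings.Add("Transport: outbound connector '$($_.Name)' does not enforce TLS.")
}
Get-InboundConnector | Where-Object { $_.Enabled -and -not $_.RequireTls } | ForEach-Object {
    $findings.Add("Transport: inbound connector '$($_.Name)' does not require TLS.")
}

# 3. Data loss prevention: at least one enforced DLP policy must cover Exchange.
$dlp = Get-DlpCompliancePolicy | Where-Object { $_.Mode -eq 'Enable' -and $_.ExchangeLocation }
if (-not $dlp) {
    $findings.Add("DLP: no enforced DLP policy covers Exchange Online mail.")
}

# 4. Mobile device wipe: a lost device can only be locked and wiped reliably
#    if the device mailbox policy requires a device password.
Get-MobileDeviceMailboxPolicy | Where-Object { -not $_.PasswordEnabled } | ForEach-Object {
    $findings.Add("Mobile: device policy '$($_.Name)' does not require a device password.")
}

# 5./6. Access controls and MFA: modern (OAuth) authentication must be on for
#    MFA and Conditional Access to apply to mail clients.
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    $findings.Add("Auth: modern authentication is disabled; MFA cannot be enforced for mail clients.")
}

# Audit controls (from the 'What Protections are Required?' section): mailbox
# auditing must not be disabled tenant-wide and should be on for each mailbox.
if ($org.AuditDisabled) {
    $findings.Add("Audit: mailbox auditing is disabled at the organization level.")
}
$mailboxes | Where-Object { -not $_.AuditEnabled } | ForEach-Object {
    $findings.Add("Audit: auditing is off for mailbox $($_.UserPrincipalName).")
}

# 7. Data backups: Exchange Online has no classic backup; a litigation hold or
#    retention hold is the in-service analogue that keeps mail recoverable.
#    (Assumption: holds are the control your organization uses for item 7.)
$mailboxes | Where-Object { -not $_.LitigationHoldEnabled -and -not $_.InPlaceHolds } | ForEach-Object {
    $findings.Add("Retention: no hold on mailbox $($_.UserPrincipalName).")
}

if ($findings.Count -eq 0) {
    Write-Output "No gaps found against the checklist."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it from a workstation that is itself within scope of your HIPAA controls, since the output lists mailbox identities. Each warning maps back to a numbered item above, so the script doubles as evidence for an audit file when its output is saved with a date.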