HIPAA Compliant Email: What is Required

In the age of technological advancement, especially in the healthcare industry, it is important to understand which technologies are safe to use in a healthcare setting. The Health Insurance Portability and Accountability Act (HIPAA) established a set of standards that those working in healthcare must abide by, one of which is the obligation to have secure communications, such as HIPAA compliant email.

The convenience of communicating through email has led many organizations to use it to communicate amongst themselves as well as with patients. Email is subject to the HIPAA Security Rule and therefore must have the proper measures in place before it can be used to transmit electronic protected health information (ePHI). However, traditional email is not HIPAA compliant. That raises the question: how can your organization use email in a HIPAA compliant manner?

The Department of Health and Human Services (HHS) recommends that anyone handling PHI have email protection systems in place.

What are Email Protection Systems?

Email protection systems safeguard protected health information (PHI). HIPAA compliant email must have:

  • Integrity controls are the policies and procedures implemented to protect data from alteration or destruction. Encrypting your data protects the information from unauthorized changes.
  • Access controls ensure that only the person(s) granted permission to view PHI have access to it. Restricting access to PHI ensures that there is no unauthorized access to PHI, such as by your children, spouse or anyone else who handles your telephone, tablet or computer.
  • Audit controls track and record who accessed PHI and when they accessed it.
  • Transmission security pertains to monitoring how PHI is communicated by tracking who is sending or receiving PHI. It also involves ensuring the integrity of PHI at rest, which means safeguarding PHI stored on your network through the use of encryption or a firewall.
  • ID authentication is a means of identifying the person(s) accessing PHI. This is accomplished with personalized login credentials.

HIPAA Compliant Email Communications

The rules for secured emails differ based on whether you are sending an email through an internal email network or to an outside network. All emails that are sent externally, beyond your firewall, need to be encrypted. The free versions of email services do not have sufficient tools to protect your data, so it is necessary to upgrade to a paid version of the service.

End-to-end Encryption (E2EE)

The HIPAA Security Rule requires end-to-end encryption (E2EE) when email is used to communicate PHI to third parties. E2EE ensures that only the people who are supposed to have access to the information are able to view it. E2EE is essential when using email to send and receive ePHI because electronic communications pass through a third-party server on their way to the intended recipient.

Emails sent internally are not required to be encrypted; however, before a covered entity (CE) decides whether or not to encrypt, it needs to perform a risk analysis. A risk analysis allows a CE to assess whether there is a threat to the integrity, confidentiality, or availability of ePHI if encryption is not in place. The decision whether or not to encrypt must be documented to prove to the Office for Civil Rights (OCR) that you considered encryption and found that it wasn’t necessary. Although encryption for internal communications is not required, it is highly recommended.

Patient Authorization Form

Before you can share a patient’s PHI via email, you must have written consent from that patient. When seeing a new patient, covered entities should include a patient authorization form for the patient to sign.

Business Associate Agreements (BAAs)

Lastly, before a covered entity can transmit PHI to its business associates (BAs), it must have signed business associate agreements (BAAs) from each of its vendors. A BAA is designed to protect an organization against liability from breaches caused by a third party. When there is no BAA in place, if one of your vendors experiences an email breach and you are sending them PHI via email, you will both be held accountable. With a signed BAA, only the vendor who experienced the breach will be held responsible.

To learn more about how to use Gmail for HIPAA compliant email communications please download our free guide here!