HIPAA Email Rules: HIPAA Compliant Email


Using an email platform that is HIPAA compliant is an essential part of ensuring that patient information is communicated securely. The HIPAA email rules determine whether an email provider is HIPAA compliant. To provide guidance on what to look for from your email provider, the requirements for HIPAA compliant email are discussed below.

HIPAA Email Rules: Encryption

HIPAA compliant email must use encryption whenever an email that contains protected health information (PHI) is sent externally. You do not need to encrypt emails sent within your organization, provided you use a secure server that is not shared with external entities. Encryption masks sensitive data so that it can only be read by users who possess the decryption key. End-to-end encryption (E2EE) is particularly important for secure email transmission because it protects emails both at rest and in transit. This means that an email sitting in your inbox and an email that you send are equally secure.

However, even when your email provider uses E2EE, PHI should never be contained in the subject line of an email. This is because subject lines cannot be encrypted, and therefore, when providers put PHI in an email subject line, they risk the PHI being viewed by an unauthorized individual.

HIPAA Email Rules: User Authentication

User authentication ensures that users are who they claim to be. When using email to communicate PHI, it is important to ensure that emails are not accessed by an unintended user. Email providers that offer two-factor authentication decrease the likelihood of unauthorized email access. Two-factor authentication requires users to present multiple distinct login credentials to gain access to an email account, for example a username and password combined with security questions, a one-time PIN sent to the user’s phone, and so on.


HIPAA Email Rules: Access Controls

HIPAA compliant email requires access controls to be enabled. Access controls assign different levels of access to PHI based on a user’s job function. The HIPAA minimum necessary standard requires that each individual have access only to the PHI they need to perform their job.

HIPAA Email Rules: Audit Logs

Audit logs track access to PHI so that adherence to the minimum necessary standard can be verified. An audit log establishes each employee’s regular PHI access patterns. This allows administrators to quickly detect when an employee, or an unauthorized individual using an employee’s login credentials, accesses PHI for a purpose other than performing that job. In essence, audit logs enable the quick detection of both insider and external breaches.
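As an added illustration (not part of the original article or of any provider's product), here is a baseline-and-deviation review of a constructed PHI access audit log in Python. The log format, the user names and the record ids are all assumed; the code flags a user whose distinct-record volume on the review day exceeds three times their own usual daily volume, or who accessed PHI in an hour of the day never seen in their baseline.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log ("timestamp user record_id"); the schema is assumed,
# since each provider exports audit logs in its own format.
SAMPLE_LOG = """\
2024-03-04T09:12:00 jlee P1001
2024-03-05T10:05:00 jlee P1003
2024-03-04T08:50:00 mkim P1001
2024-03-06T09:10:00 mkim P1006
2024-03-07T02:10:00 jlee P2001
2024-03-07T02:11:00 jlee P2002
2024-03-07T02:12:00 jlee P2003
2024-03-07T02:13:00 jlee P2004
2024-03-07T09:20:00 mkim P1007
"""

def parse(log_text):
    events = []  # (datetime, user, record_id) per line
    for line in log_text.splitlines():
        ts, user, record = line.split()
        events.append((datetime.fromisoformat(ts), user, record))
    return events

def build_baseline(events, before):
    """Per user: (mean distinct records per day, set of hours seen) from days before `before`."""
    per_day, hours = defaultdict(lambda: defaultdict(set)), defaultdict(set)
    for ts, user, record in events:
        if ts.date() < before:
            per_day[user][ts.date()].add(record)
            hours[user].add(ts.hour)
    return {u: (sum(len(s) for s in d.values()) / len(d), hours[u])
            for u, d in per_day.items()}

def review(log_text, day_str, factor=3.0):
    """Flag users exceeding `factor` x their usual daily volume, or active in an hour never seen before."""
    events = parse(log_text)
    day = datetime.fromisoformat(day_str).date()
    baseline = build_baseline(events, day)
    recs, new_hours = defaultdict(set), defaultdict(set)
    for ts, user, record in events:
        if ts.date() == day:
            recs[user].add(record)
            if ts.hour not in baseline.get(user, (0.0, set()))[1]:
                new_hours[user].add(ts.hour)
    findings = []
    for user, rs in recs.items():
        usual = baseline.get(user, (0.0, set()))[0]
        if len(rs) > factor * max(usual, 1.0):  # floor of 1 avoids flagging tiny baselines
            findings.append((user, "volume", len(rs)))
        if new_hours[user]:
            findings.append((user, "off-hours", sorted(new_hours[user])))
    return findings
```

A short baseline produces noisy off-hours findings (reviewing 2024-03-06 flags mkim's first 09:00 access simply because only an 08:00 access preceded it), so a real deployment builds the baseline over weeks and tunes the factor per role.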

HIPAA Email Rules: Business Associate Agreements

A business associate agreement (BAA) must be signed with each of your business associates before you share PHI with them. Under HIPAA, email providers are considered business associates, so you must have a signed BAA with your provider before using email to send or receive PHI.

A BAA is a legal document that dictates the safeguards your business associates must have in place to secure the PHI you share with them. A BAA also makes your business associates responsible for maintaining their own HIPAA compliance. HIPAA compliant email providers are willing to sign a BAA. Many email providers will only sign BAAs with their paid users; their free versions are therefore not HIPAA compliant and cannot be used in conjunction with PHI.

HIPAA Compliant Email: Risks and Best Practices