HIPAA Email Rules: Access Controls
HIPAA-compliant email requires access controls to be enabled. Access controls assign different levels of access to PHI based on a user's job function. The HIPAA minimum necessary standard requires that individuals have access only to the PHI they need to perform their job.
HIPAA Email Rules: Audit Logs
Audit logs track access to PHI to verify adherence to the minimum necessary standard. Keeping an audit log establishes each employee's regular PHI access pattern. This lets administrators quickly detect when employees, or unauthorized individuals using an employee's login information, access PHI for a purpose other than performing their job. In essence, audit logs enable quick detection of both insider and external breaches.
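The two checks described above (job-function access limits and per-employee baselines drawn from the audit log) as a small worked example. This is added illustration code, not from the original page; the log format, the role-to-action mapping and the sample entries are all constructed assumptions, and the thresholds (a user's observed hour range, three times their mean daily access count) are arbitrary choices to show the idea.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample audit log (no real PHI): time, user, role, action, patient id.
SAMPLE_LOG = """\
2024-03-04T09:12 nurse_a nurse read_chart P001
2024-03-04T10:40 nurse_a nurse read_chart P002
2024-03-05T09:30 nurse_a nurse read_chart P003
2024-03-06T02:15 nurse_a nurse read_chart P010
2024-03-06T02:16 nurse_a nurse read_chart P011
2024-03-06T02:17 nurse_a nurse read_chart P012
2024-03-06T02:18 nurse_a nurse read_chart P013
2024-03-06T02:19 nurse_a nurse read_chart P014
2024-03-04T11:00 billing_b billing read_billing P001
2024-03-04T11:30 billing_b billing read_chart P002
"""
ROLE_PERMISSIONS = {"nurse": {"read_chart"}, "billing": {"read_billing"}}  # assumed
def parse_log(text):
    """One event per line; 'day' is added so both checks can group by it."""
    events = [dict(zip(("ts", "user", "role", "action", "patient"), line.split()))
              for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["day"] = e["ts"].date().isoformat()
    return events

def minimum_necessary_violations(events, role_permissions=ROLE_PERMISSIONS):
    """PHI accesses that the user's job function does not permit."""
    return [e for e in events if e["action"] not in role_permissions.get(e["role"], set())]

def build_baseline(events, baseline_days):
    """Per user: (earliest hour, latest hour, mean daily accesses) over baseline_days."""
    hours, per_day = defaultdict(list), defaultdict(lambda: defaultdict(int))
    for e in (e for e in events if e["day"] in baseline_days):
        hours[e["user"]].append(e["ts"].hour)
        per_day[e["user"]][e["day"]] += 1
    return {u: (min(h), max(h), sum(per_day[u].values()) / len(per_day[u]))
            for u, h in hours.items()}

def detect_anomalies(events, baseline, volume_factor=3):
    """Flag (user, day, reason) where access deviates from that user's own pattern."""
    findings, counts = set(), defaultdict(int)
    for e in events:
        if e["user"] not in baseline: continue  # no baseline yet, nothing to compare
        lo, hi, mean = baseline[e["user"]]
        counts[(e["user"], e["day"])] += 1
        if not lo <= e["ts"].hour <= hi:
            findings.add((e["user"], e["day"], "off-hours access"))
        if counts[(e["user"], e["day"])] > volume_factor * mean:
            findings.add((e["user"], e["day"], "access volume above baseline"))
    return sorted(findings)
```

On the sample data the role check flags the billing user's chart read, and the baseline check flags the nurse account's burst of night-time reads on 2024-03-06, the pattern one would expect from either misuse or a stolen login.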
HIPAA Email Rules: Business Associate Agreements
Business associate agreements (BAAs) must be signed with all of your business associates before you share PHI with them. Under HIPAA, email providers are considered business associates, so you must have a signed BAA with them before using email to send or receive PHI.
A BAA is a legal document that dictates the safeguards your business associates must have in place to secure the PHI you share with them. A BAA also makes your business associates responsible for maintaining their own HIPAA compliance. HIPAA-compliant email providers are willing to sign a BAA. Many email providers will only sign BAAs with their paid users; as such, their free versions are not HIPAA compliant and cannot be used in conjunction with PHI.