Small practices often have the need to send electronic Protected Health Information (ePHI) to others outside of the practice via email. Sometimes this may be communicating with the patient or a hospital. But email wasn’t designed for privacy or security. It was designed for ease of use and speed of communication. That is why practices must use HIPAA compliant email servers or services to transmit PHI outside of their practice. In this post, we will go over how to make your email safe, secure, and HIPAA compliant.
Email is not secure
Many people think of email as being private and secure. It is often thought of as sending a letter through the postal system. Letters have envelopes around them to protect them from casual readers. However, email is not like a letter. It’s a postcard.
Here is a quick background on how email works.
When you write an email in your email client like Outlook, it is first sent to your email server. From there, it is sent to the server of your recipient. Along the way, it may pass through many routers or other email servers. At each point, it can be copied and saved. Because of this, anyone at those stops would have the ability to read the content of your messages. Imagine if you had sent patient information this way. That patient’s data is now potentially copied on several locations. This would be a breach since none of those sites has a reason to access that ePHI.
OK, so how do we make email secure?
To secure email, we need to use encryption. Encryption makes the message unreadable to anyone other than the intended recipient. Email encryption has traditionally been hard to achieve because you have to give the recipient a way to decrypt, or decode, your message. This meant either sending them a key or a password, which is cumbersome for larger numbers of users. It's also pretty technical, more than most people want to do.
There are two points at which email must be encrypted. The first is along the path it is being sent, or in transit. We call this data in motion. Think of your letter as it goes through the postal service. The second point is when the message is stored. We call this data at rest. This is the sent email in your sent items folder and in your recipient's inbox. The data needs to be secure there as well.
Encrypting the message through this entire process, in motion and at rest, is what we call end to end encryption.
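The "postcard" problem above is visible in a message's own headers: every relay that handles it prepends a `Received:` line, and that line records whether the hop used a TLS-protected SMTP session. The following added example (not code from the original post) walks those headers, oldest hop first, and reports any relay that took the message in plaintext; the sample message, host names, timestamps and cipher strings are constructed for the demo.

```python
# Added example (not from the original post): walk the Received: headers
# that each relay prepends and flag hops whose SMTP session was not under
# TLS, i.e. where the message crossed the wire as a readable 'postcard'.
# Host names, timestamps and cipher strings below are constructed.
import email
import re
from email import policy

# Constructed sample: three hops; the middle relay accepted it in plaintext.
SAMPLE_MESSAGE = """\
Received: from relay2.example-hospital.invalid ([192.0.2.30])
 by mx.example-hospital.invalid with ESMTPS id h1
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
 Mon, 3 Jun 2024 10:02:11 +0000
Received: from mail.example-practice.invalid ([192.0.2.20])
 by relay2.example-hospital.invalid with ESMTP id g7;
 Mon, 3 Jun 2024 10:02:09 +0000
Received: from workstation.example-practice.invalid ([192.0.2.10])
 by mail.example-practice.invalid with ESMTPSA id f3
 (version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
 Mon, 3 Jun 2024 10:02:05 +0000
From: frontdesk@example-practice.invalid
To: records@example-hospital.invalid
Subject: Referral
"""

# from <host> ... by <host> ... with <protocol>; re.S because headers fold.
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S)


def trace_hops(raw_message):
    """Return one dict per hop, oldest hop first, with a tls flag."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    # Relays prepend Received:, so the last header is the first hop.
    for received in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(str(received))
        if not m:
            continue  # malformed or non-standard trace line; skip it
        src, dst, proto = m.groups()
        # ESMTPS / ESMTPSA mean the session was upgraded with STARTTLS.
        hops.append({"from": src, "by": dst, "protocol": proto.upper(),
                     "tls": proto.upper().startswith("ESMTPS")})
    return hops


def unencrypted_hops(raw_message):
    """Relays that took the message over a plaintext SMTP session."""
    return [h["by"] for h in trace_hops(raw_message) if not h["tls"]]
```

Note that a clean trace only shows the links were encrypted; each relay still holds a readable copy, which is why the post also requires encryption at rest.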
What is HIPAA compliant email?
HIPAA compliant email is an email that is sent encrypted so that only the recipient can read the content of the message.
Under the HIPAA Security Rule, Covered Entities and Business Associates must take reasonable steps to protect the ePHI in their possession. When sending an email, this requires the use of encryption, and it must be end to end encryption.
HIPAA regulations concerning secure email can be found in the Security Rule Administrative Safeguards section.
HHS also addressed this in their FAQ.
One thing to keep in mind when searching for a provider of HIPAA compliant email is that there is no such thing as a certification for compliant email. Just as there is no such thing as being 'HIPAA certified', there is no HIPAA certified email.
What is NOT HIPAA compliant email?
Gmail, by default, is not HIPAA compliant. This is because it was not designed to be used for the transmission of ePHI. You can upgrade to Google's G Suite service, which is HIPAA compliant.
Email that you host yourself is not HIPAA compliant unless you have implemented end to end encryption.
Virtually any email service that you use, whether it is Google, AOL, Yahoo, etc., is not compliant. If you are going to be transmitting ePHI, you must use a third party service or set up end to end encryption.
Have a Business Associate Agreement with your email provider
Once you have selected a service to provide your HIPAA compliant email, make sure you get a Business Associate Agreement. This is required. Add the BAA to your HIPAA documentation so that in the event of an audit, you will have it ready.
If your selected provider doesn’t want to sign a BAA, then you need to look for a new provider. Legitimate companies that provide HIPAA compliant email services understand this and are ready to enter into business associate agreements with practices. This is a normal part of their service offering.
Training, training, training
Once you have put your secure email in place, make sure you train your staff. Staff need to understand how to use email to send ePHI. Ensuring that they understand this, so that they don't send ePHI unencrypted, is critical to your HIPAA compliance.
Before emailing any patient, you must seek permission to contact them via email. This is also something your staff need to be trained on, so that they don't contact a patient without this express permission.
HIPAA compliant email service companies
There are a number of companies that offer HIPAA compliant email services to Covered Entities and Business Associates. We have compiled a small list for you so that you can find the right one for you. We are not recommending any of these specifically. This is a list for you to find the right fit for you.