How To Send HIPAA Compliant Email

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) set the standard for healthcare providers in protecting sensitive patient data. Any organization that handles protected health information (PHI) must adhere to all applicable physical, network, and process security measures. HIPAA-compliant email solutions and all aspects of email security fall under this category. But HIPAA compliance for email communications (email accounts and email services) is often viewed as a baffling subject matter.

Organizations subject to HIPAA include covered entities (any company that provides treatment, medical practices, payment, or healthcare operations) and business associates (any company with access to PHI that provides support for covered entities). Even subcontractors (i.e. business associates of business associates) must comply with HIPAA secure communications rule. These organizations and entities have to overcome all compliance challenges that may come their way, in order not to breach HIPAA rules.

What is HIPAA compliant email?

In 2000 the HIPAA Privacy Rule created for the first time a set of national standards for safeguarding certain health information. It allows covered entities to disclose PHI to a business associate if it receives assurances that the business associate will use the information only within the scope in which it was engaged by the covered entity.

The HIPAA Security Rule was added in 2003 to set out what safeguards must be in place to protect electronic PHI (ePHI), which is health information that is held or transferred in electronic form.

In regards to email, covered entities are required to take reasonable steps to protect ePHI as it’s transmitted electronically to the recipient’s inbox.

Once the email reaches the recipient, the obligation of the sender ends, and it becomes the recipient’s job to secure any PHI they have in their inbox.

If you are using a third party to transmit or host ePHI, the company is required by law to sign a business associate agreement (BAA) with you. A BAA establishes that certain administrative, physical, and technical safeguards are in place to protect patient data.

While no certification makes an email provider HIPAA compliant, meeting the requirements set by the HIPAA Privacy & Security Rules is the best place to start, along with ensuring strong technical security measures to make sure ePHI is protected inbox to inbox.

 Does HIPAA require email encryption?

The terms “required” and “addressable” are used to describe HIPAA encryption requirements. Encryption protocols labeled as mandatory must be implemented if you want to remain in compliance with HIPAA. If a risk assessment determines that encryption is necessary to protect ePHI, addressable encryption protocols must be implemented.

This decision should be documented and an equivalent solution implemented to protect ePHI if your organization decides encryption is not necessary. Because there is no suitable alternative to encryption for protecting ePHI in an email, it is effectively necessary. Your patients’ information and your organization could be at risk if you don’t encrypt your emails.

There are a few things to keep in mind to ensure that your email is HIPAA-compliant:

Ensure you have email encryption (end-to-end encryption) for email

Email is a quick and easy way to communicate electronically for healthcare organizations, but it does not necessarily ensure security nor usually have extra security and compliant technology solutions. Even services that encrypt messages in transit may not have the required level of security to make them HIPAA compliant. To make your email is HIPAA compliant and ensure cloud-based email security, you should ensure you have end-to-end encryption, which encrypts both messages in transit and stored messages. Access controls are used to ensure only the intended recipient and the sender can access the messages.

Some email service providers require individual emails to be encrypted by clicking a button or using a portal. Since it is easy to forget to turn on encryption and accidentally send an unencrypted email, it is a better choice to encrypt all emails, not only those that contain ePHI. This will reduce the potential for human error.

The type of encryption used is also important. While previously Data Encryption Standard (DES) was considered secure, that is no longer the case. You should consult NIST for advice on suitable encryption standards. Currently, AES 128, 192, or AES 256-bit encryption is recommended.

For many HIPAA-covered entities, especially smaller healthcare providers that do not have in-house IT staff to ensure their email is HIPAA-compliant, the use of a third-party HIPAA-compliant email service provider is strongly recommended.

Research potential HIPAA-compliant email service providers to ensure that they provide a service that is suitable for your requirements. A search on Google will produce several potential service providers.

Enter into a HIPAA-compliant business associate agreement with your email provider

In your compliance effort, before using a third-party email service to send ePHI, you should obtain a business associate agreement. As outlined in the business associate agreement, the service provider is responsible for ensuring ePHI’s confidentiality, integrity, and availability through the use of administrative, physical, and technical safeguards.

You should look for an alternative option if an email service provider or compliant email vendor refuses to sign a business associate agreement as one of the business requirements. To work with HIPAA-covered entities and their business associates, an email service provider should be willing to sign a BAA.

Ensure your email is configured correctly

It is possible to violate HIPAA rules even if a BAA is obtained because of the risks of email. It is not enough to use a BAA-protected email service to ensure that your email is HIPAA compliant, you must ensure that your email is configured correctly and take appropriate compliance security measures.

Develop policies on the use of email and train your staff

Training your staff on the proper use of email concerning ePHI and compliance with regulations is essential after you have implemented your HIPAA-compliant email service. Health care workers, in the busy healthcare environment, have been responsible for several data breaches, including the unintentional transmission of ePHI via email without encryption and the transmission of ePHI to individuals who were not authorized to see the data. Employees must be aware of their HIPAA obligations and trained on how to use the email service to comply with the law.

Ensure all emails are retained

Because email retention is not specifically mentioned in HIPAA legislation, HIPAA’s rules on email retention are a little unclear. Covered entities should maintain an email archive, or at least ensure that emails are backed up and stored because individuals can request information on disclosures of protected health information and email communications may be required when legal action is taken against a healthcare organization. Emails may also be required to be kept for a set period of time under state law. Because of this, you should check the laws governing email in the states where you do business. Consult a lawyer if you’re unsure about anything.

HIPAA requires covered entities to keep documentation related to their compliance efforts for six years, and the retention period for security-related emails and emails relating to privacy policy changes should be six years.

Storage space is required even for small and medium-sized healthcare organizations to store 6 years of emails, including attachments. When it comes time to back up your emails, consider using a secure, encrypted email archive instead. Additionally, since an email archive is indexed, searching for emails in an archive is a quick and easy process. Emails can be quickly and easily retrieved if they are needed for legal discovery or a compliance audit.

To be classified as a business associate under HIPAA, any email archiving service provider will be subject to the same regulations as email service providers. It would be necessary to sign a BAA with that service provider and obtain reasonable assurances that they will abide by HIPAA rules.

Obtain consent from patients before communicating with them via email

HIPAA-covered entities need to remember that even if a HIPAA-compliant email provider is used, the patient’s written consent must be obtained before any ePHI is sent via email, no matter how convenient it may be. Patients should be made aware of the potential dangers of sending confidential information via email. Emails containing electronic health information (ePHI) can be sent if the sender is willing to accept the risks.

Partner with Wheelhouse IT 

You may believe that you can meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) on your own, and you may be right. A HIPAA-verified Managed Service Provider (MSP) makes it much easier to achieve HIPAA compliance than if you were to do it on your own.

To keep your organization and in-house IT department HIPAA compliant, you can rely on Wheelhouse IT. Some of the benefits of working with us include:

• Conducting HIPAA security risk assessments
• Encrypting all PHI and stored data
• Implementing backup and disaster recovery plans to keep data secure
• Identifying system vulnerabilities and providing high-quality solutions
• Providing the necessary technology to ensure data security
• Providing services such as Remote Monitoring Management (RMM), cloud-to-cloud backup, and authentication and access management 

If you are looking for the assistance of an MSP for your HIPAA compliance needs, call the team at Wheelhouse IT today!