A guide to creating HIPAA compliant email policies

Email is a widely used communication tool in healthcare, facilitating quick and efficient exchange of information among healthcare providers, patients, and administrative staff. HIPAA compliant email policies ensure that email communications involving protected health information (PHI) are secure, encrypted, and accessible only to authorized individuals. By following best practices, healthcare organizations can protect patient privacy, maintain trust, and avoid legal penalties.

Understanding HIPAA and email communication

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers, insurance companies, and other covered entities to implement appropriate safeguards to ensure the confidentiality, integrity, and availability of PHI. For email, these safeguards include everything from encryption and access control to employee training and incident response.

See also: HIPAA Compliant Email: The Definitive Guide

Why email security matters

Email is inherently vulnerable to cyberattacks, including phishing, man-in-the-middle attacks, and unauthorized access. It was reported that 80-95% of cyberattacks begin with a phishing attack, and man-in-the-middle attacks, where a malicious actor intercepts communications, have increased by 35% from 2022 to 2023.

Given the sensitive nature of PHI, a breach could lead to identity theft, fraud, and other malicious activities, making it crucial to establish email policies that align with HIPAA requirements.

Read also: Is email an increasing target for cyberattacks?

Considerations for HIPAA compliant email policy

Encryption

• Data in transit: All emails containing protected health information (PHI) must be encrypted during transmission.
• Data at rest: If PHI is stored in email, it must also be encrypted while at rest on servers or devices.

Access control

• Authentication: Implement strong authentication mechanisms to ensure that only authorized personnel can access email accounts containing PHI.
• Role-based access: Limit access to PHI in emails based on roles to minimize exposure.

Audit controls

• Logging and monitoring: Keep logs of email access and transmissions, and regularly monitor them for unauthorized access or anomalies.

Transmission security

• Secure channels: Use secure email services or communication channels when sending PHI.
• Avoid unsecured networks: Employees should avoid using public Wi-Fi or unsecured networks to send emails containing PHI.

Training and awareness

• Employee training: Regularly train employees on HIPAA regulations, secure email practices, and the importance of protecting PHI.
• Phishing awareness: Educate employees on recognizing phishing attempts that could compromise email security.

See also: Why people still fall for phishing attacks in 2024

PHI minimization

• Limit PHI in emails: Only include the minimum necessary information when emailing PHI.
• Redact when possible: Redact sensitive information from emails whenever possible.

Backup and retention

• Email retention policy: Implement and enforce an email retention policy that complies with HIPAA's data retention requirements.
• Regular backups: Ensure email data is regularly backed up and stored securely.

Business associate agreements (BAAs)

• Service providers: Ensure that all email service providers and other third-party vendors handling PHI sign a BAA that outlines their responsibilities in safeguarding the information.

Incident response plan

• Breach notification: Have a clear plan for responding to breaches, including timely notifications to affected individuals and the Department of Health and Human Services (HHS) if necessary.

Learn more: What are the HIPAA breach notification requirements

Use of secure email platforms

• HIPAA compliant services: Use email platforms specifically designed to be HIPAA compliant, offering features like automatic encryption, secure login, and audit trails.

Go deeper: Top 12 HIPAA compliant email services

FAQs

Can I use any email service for sending PHI, as long as I encrypt the emails?

Not all email services are suitable for sending PHI, even with encryption. The email service provider must be HIPAA compliant and willing to sign a BAA, which outlines their responsibilities in safeguarding PHI. It's important to choose a service that specifically offers HIPAA compliant features.

Can personal email accounts be used for sending PHI?

Personal email accounts should not include PHI. Personal email accounts typically lack the necessary security measures, such as encryption and access controls, required by HIPAA. Using personal accounts also increases the risk of PHI being exposed or accessed by unauthorized individuals.

Read more: Why personal email accounts are not HIPAA compliant

Are emails within an organization subject to HIPAA compliance?

Internal emails within a healthcare organization that contain PHI are subject to HIPAA compliance. Even though the communication is internal, the same rules regarding encryption, access control, and secure storage apply to protect the PHI from unauthorized access.

Go deeper: Can you email PHI internally?