Are all emails HIPAA compliant?

Not all emails are HIPAA compliant. HIPAA compliance depends on the email's content and the sender and recipient's security measures to protect protected health information (PHI).

The role of email in healthcare communication

In healthcare, emails may contain a wide range of information. They can be used for appointment scheduling, sharing lab results, consulting with specialists, and addressing patient queries and concerns. However, when emails contain PHI, the stakes are significantly raised.

What makes an email HIPAA compliant?

According to the HHS, "The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.". Specific measures must be implemented to ensure HIPAA compliant email communication. These measures include:

• Encryption: Emails containing PHI must be encrypted during transmission and at rest. In transit, encryption scrambles the content so that it can only be deciphered by authorized users. Encryption at rest means that data is protected on the email server, guarding against unauthorized access in storage.
• Access controls: These controls are designed to limit access to emails with PHI. Only authorized personnel with a legitimate reason to access the information should be able to do so. Access controls ensure the confidentiality of patient data.
• User authentication: Authentication mechanisms, which include unique usernames and strong passwords, help ensure that only authorized individuals have access to the email system. This layer of security can prevent unauthorized access to PHI.
• Audit trails: Maintaining detailed logs of email activities, including who accessed, sent, or received emails with PHI and when these activities occurred, is a HIPAA requirement. These logs provide a historical record of the email system's usage, aiding compliance and identifying potential security incidents.
• Business associate agreements (BAAs): When using third-party email service providers, BAAs help ensure that these service providers also comply with HIPAA regulations and take responsibility for safeguarding PHI.

When are emails not HIPAA compliant? 

Email is the second most common breach location, affecting 108,199 individuals. Noncompliance with HIPAA regulations can result from various scenarios and practices, including:

• Lack of encryption
• Inadequate access controls
• The absence of audit trails
• Use of unsecured email platforms
• Failure to sign BAAs
• Untrained staff
• Sending emails without patient consent
• Improper data retention and disposal
• Failure to conduct risk assessments
• Absence of an incident response plan

Sending emails containing PHI requires the patient's consent. They must be informed about the risks. Patients have the right to know how their PHI will be transmitted and must agree to electronic communication methods.

Related: How to obtain patient consent for email communication

The responsibility to ensure HIPAA compliant email

Ultimately, ensuring HIPAA compliance for email communication falls on the shoulders of covered entities and their business associates. Neglecting these responsibilities can have severe legal and reputational consequences. Thus, organizations must make a dedicated effort to achieve and maintain HIPAA compliance when communicating via email.

Related: What are the penalties for HIPAA violations?

Do you need inbound security to be HIPAA compliant?

HIPAA compliance doesn't require specific inbound email security. However, HIPAA emphasizes safeguarding PHI during outbound email transmission, primarily through encryption. While inbound security isn't mandatory for compliance, it is a wise addition to protect against cyber threats.

FAQs

What should you do if you accidentally send an email with PHI to the wrong recipient?

Immediately notify your IT department and the recipient of the mistake. Document the incident and take corrective actions, such as assessing potential data exposure and reviewing your security practices.

Can personal email accounts be used for HIPAA compliant communication?

No, personal email accounts generally do not meet HIPAA security requirements. They lack the necessary encryption, access controls, and audit trails, making them unsuitable for handling PHI.

Can using an email alias or generic email address improve HIPAA compliance?

While using an email alias or generic address can help obscure individual identities, it does not inherently ensure HIPAA compliance. Full compliance requires encryption, access controls, and proper handling of PHI regardless of the email address used.