
Do you need HIPAA compliant email when communicating with vendors?

Although not mandatory, it is best practice to use HIPAA compliant email to communicate with vendors.


When is HIPAA compliant email required?

According to the HHS, “The Privacy Rule allows covered health care providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so.” That guidance concerns patients, but the same principle governs vendor communication: HIPAA's requirements attach only when the message contains protected health information (PHI). If an email contains PHI, the Security Rule requires appropriate safeguards, including access controls, secure storage, and encryption in transit and at rest. (Encryption is an "addressable" specification: a covered entity must either implement it or document why it is not reasonable and what equivalent measure is used instead, so in practice encrypted email is the expected control.) Here are three key factors to consider:


Does the email contain PHI?

  • If yes, a HIPAA compliant email service should be used.
  • If no, standard email can be used, but security best practices should still be followed.


Is the vendor a business associate?

  • If the vendor handles PHI on your behalf, they are a business associate and must sign a business associate agreement (BAA) before any PHI is shared.
  • If the vendor does not handle PHI, a BAA may not be necessary, but general cybersecurity precautions should still be taken.


Does the email service meet HIPAA security standards?

  • The service should encrypt messages in transit and at rest, enforce access controls, and store messages securely.
  • Because the email provider itself handles PHI on your behalf, it is a business associate and must be willing to sign a BAA.

When can you use regular email?

You don’t need to use a HIPAA compliant email service if the communication doesn’t involve PHI. For example, if you’re discussing routine business matters with a vendor, such as contracts, orders, or pricing information, HIPAA compliance is not required. Judge by the content rather than the category, though: an itemized invoice or a support ticket that names a patient contains PHI even if the conversation is otherwise administrative. It is always a best practice to err on the side of caution and ensure that any sensitive information is transmitted securely.


Using Paubox

Paubox provides a straightforward way to ensure HIPAA compliant email communication with vendors who handle PHI. Its encryption secures emails without requiring recipients to log into portals or enter passwords, making it easy for vendors to access messages securely. If a vendor qualifies as a business associate, Paubox offers a BAA to meet HIPAA requirements.


FAQs

What are the risks of using non-HIPAA compliant email with vendors?

Using non-HIPAA compliant email for PHI can lead to data breaches, HIPAA violations, and substantial civil penalties. It can also compromise patient privacy and damage your organization's reputation.


What should I do if a vendor refuses to sign a BAA?

If a vendor qualifies as a business associate and refuses to sign a BAA, you should not share PHI with them. Look for alternative vendors who are willing to comply with HIPAA regulations.
