Does encrypting an email automatically make it HIPAA compliant?
Liyanda Tembani June 27, 2024
Encrypting an email is a component of achieving HIPAA compliance, but it's not the sole requirement. While email encryption helps protect the content of the message from unauthorized access during transmission, HIPAA compliance encompasses a broader set of standards and safeguards related to the privacy and security of protected health information (PHI).
Read more: What happens to your data when it is encrypted?
What is email encryption?
Email encryption is the process of encoding the content of an email message so that it is unreadable to anyone except the intended recipient. This is accomplished using encryption algorithms and keys. Email encryption ensures that even if an unauthorized person intercepts the email during transmission, they cannot decipher the information. It is one of the safeguards on which HIPAA compliant email communication relies.
HIPAA compliance and email
While email encryption protects the content of emails, HIPAA is designed to ensure the privacy and security of PHI. The HHS states that "The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so." Those safeguards include access controls, user authentication, training and education, consent, and business associate agreements (BAAs). Taken together, these components create a comprehensive framework for safeguarding PHI.
Related: Do emails have to be encrypted for HIPAA compliance?
The limitations of email encryption
There are limitations to relying solely on email encryption for HIPAA compliance. Email encryption primarily addresses the security of the email content during transmission. However, it does not cover all aspects of compliance.
For instance, encrypting an email does not guarantee that the email recipient is authorized to access the PHI it contains. It also doesn't address the risk of human error, such as sending an email to the wrong recipient or including PHI in the subject line.
Additionally, HIPAA compliance is not just about securing the content of email messages; it extends to secure email access, storage, and disposal practices. To be fully compliant, organizations must have policies and procedures that determine how email accounts are accessed, who has access, and how PHI is handled at every stage of its lifecycle.
Recommended practices for HIPAA compliant email communication
- Implementing strong access controls to limit access to email accounts containing PHI.
- Requiring strong passwords and, ideally, two-factor authentication for user authentication.
- Providing training and education to staff on the proper handling of PHI in email communications.
- Obtaining proper consent and authorization from patients before sending PHI via email.
- Establishing BAAs with third-party email service providers.
Related: HIPAA compliance for email in 3 easy steps
FAQs
Can personal email accounts be used for sending PHI under HIPAA?
Personal email accounts should not be used for sending PHI. Only secure, HIPAA compliant email systems should be used to ensure appropriate safeguards are in place.
What is a BAA and why is it important for HIPAA compliance?
A BAA is a contract between a HIPAA covered entity and a third-party service provider that ensures the service provider will appropriately safeguard PHI. It ensures that any third-party email service providers comply with HIPAA regulations.
What role does patient consent play in HIPAA-compliant email communication?
Obtaining explicit consent before sending PHI via email ensures that patients are informed about the risks of email communication and provide their authorization.