Paubox blog: HIPAA compliant email made easy

Does HIPAA apply to incoming emails?

Written by Liyanda Tembani | June 27, 2023

HIPAA does not mention email by name, but the Security Rule covers all electronic protected health information (ePHI) regardless of the medium that carries it, so PHI that arrives by email is in scope from the moment a covered entity or business associate receives it. Because these organizations routinely receive emails containing PHI, they must understand what the rules require of them as recipients, not only as senders.


Is the recipient responsible for encrypting inbound emails?

No. A recipient cannot control how a message was protected before it reached their server; encrypting PHI in transit is the sender's responsibility. Once the message has arrived, however, a covered entity or business associate must handle and store it as ePHI, with the same administrative, physical, and technical safeguards it applies to any other record containing PHI.


HIPAA and protected health information

HIPAA defines protected health information (PHI) as individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits. Covered entities are healthcare providers, health plans, and healthcare clearinghouses. Business associates are individuals or organizations that create, receive, maintain, or transmit PHI on behalf of a covered entity. The Privacy Rule governs how PHI in any form may be used and disclosed; the Security Rule requires administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of PHI held or transmitted electronically, which includes email.


HIPAA compliance requirements for incoming emails

To determine whether HIPAA applies to a given email, first establish whether it contains PHI. If an incoming email does, the recipient's obligations attach at the moment of receipt: a covered entity or business associate must apply administrative, physical, and technical safeguards to the message and its attachments so that they are stored, accessed, and retained in a HIPAA compliant manner.

Note: HIPAA's requirements bind covered entities and business associates, not every organization that happens to receive an email. A misdirected email containing PHI is an impermissible disclosure by the sender, and the sending organization may have to treat it as a breach. An unintended recipient should recognize the sensitivity of the data, avoid retaining or forwarding it, and notify the sender so the disclosure can be assessed.

When forwarding an email that contains PHI, both the forwarding party and the new recipient must meet HIPAA requirements for the message to remain compliant. The obligation also follows the data, not the mailbox: a covered entity or business associate that receives PHI in a personal email account is still subject to HIPAA, even though personal accounts usually lack the access controls, logging, and retention management that compliant storage requires, which is why most organizations prohibit their use for PHI outright.


Best practices for HIPAA compliance in handling incoming emails

  1. Implement secure email systems: Use an email service that supports encryption and data protection so that the confidentiality and integrity of PHI are preserved both in transit and once the message is stored.
  2. Encryption protocols: Use transport layer security (TLS) to protect the channel between mail servers. Note that STARTTLS is opportunistic by default and can be silently downgraded to plaintext; require TLS on your own inbound mail server and publish a policy (for example MTA-STS) so that sending servers enforce TLS when delivering to your domain.
  3. Strong authentication: Require multi-factor authentication on every mailbox that may receive PHI, and follow NIST SP 800-63B guidance for passwords: favor length over composition rules, screen new passwords against breached-password lists, and do not force periodic rotation. A password manager helps staff keep unique credentials per system.
  4. Regular updates: Keep mail servers, clients, and security software patched to address known vulnerabilities and protect against emerging threats.
  5. Email attachment encryption: Encrypt attachments containing PHI end to end (for example with S/MIME or PGP) or exchange them through a secure portal. Putting the password for an encrypted attachment in the same email provides no protection.
  6. Staff training and awareness: Conduct ongoing training on HIPAA requirements, the proper handling of PHI in email, and the importance of privacy and security.
  7. Incident response procedures: Establish incident reporting and response procedures so that potential breaches are investigated promptly. The Breach Notification Rule requires affected individuals to be notified without unreasonable delay and no later than 60 days after the breach is discovered.


Consequences of non-compliance

Non-compliance with HIPAA can have severe consequences. Violations may lead to civil penalties that scale with the nature and extent of the violation, and in some cases to criminal charges. Breaches of patient privacy also cause reputational damage and loss of patient trust, undermining the credibility of the covered entity or business associate involved, and can expose the organization to lawsuits and other legal action by affected individuals.

Although HIPAA never mentions email by name, it applies to all electronic PHI, including PHI that arrives in incoming email. Covered entities and business associates must recognize PHI in the messages they receive and safeguard it from the moment of receipt, with the same care they apply to PHI they send.
