Paubox blog: HIPAA compliant email made easy

Features to look for in a HIPAA compliant email service provider

Written by Liyanda Tembani | April 18, 2024

The top features to look for in a HIPAA compliant email service are automatic encryption, a willingness to sign a business associate agreement (BAA), access controls, detailed audit logging and tracking, and data loss prevention (DLP) measures to prevent accidental disclosure of PHI.


HIPAA requirements for email communication

The HHS says, "The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so."

HIPAA doesn't directly address email, but it sets strict requirements for any communication involving PHI. According to the HHS, "The Security Rule does not expressly prohibit the use of email for sending e-PHI." It adds, "The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected."

HIPAA rules require measures like encryption and access controls to protect data integrity, patient consent for electronic communication, maintenance of audit logs, and adherence to HIPAA's Privacy and Security Rules. Healthcare providers must choose email service providers that offer HIPAA compliant features.

Read more: Rules for HIPAA compliant email communications


What to look out for in HIPAA compliant email providers

Automatic encryption

Automatic encryption, like that provided by Paubox, eliminates human error by encrypting all outgoing emails and attachments by default, without manual intervention. 

A recent study, titled Human Factors in Electronic Health Records Cybersecurity Breach: An Exploratory Analysis, found that most data breaches in healthcare are caused by human error. The study examined HHS breach data over five years and explored the role of the "human element" in the incidents. The analysis "revealed that 382 incidents, or 26 percent of all human factor-based breaches, were due to an insider's carelessness, negligence, or apathy. In each of these cases, no malicious intent was visible in that there was no intent to access patient data, but a data breach occurred."

Encrypting everything by default avoids the common issues caused by human factors. 

Read more: What happens to your data when it is encrypted?


Business associate agreement (BAA)

A BAA is a legally binding contract that clarifies each party's responsibilities for protecting PHI. HIPAA requires one whenever a third-party service handles PHI on a covered entity's behalf.


Access controls

Access controls restrict access to emails containing PHI and avert unauthorized disclosure of sensitive data. HIPAA compliant email services provide access control features, like multi-factor authentication, role-based access controls (RBAC), and activity logs. 

Multi-factor authentication requires users to provide multiple forms of verification, strengthening the security of email accounts. RBAC assigns specific permissions based on users' roles, ensuring only authorized individuals can access PHI. Activity logs track user interactions with PHI, enhancing transparency and accountability. 


Audit logging and tracking

HIPAA compliant email services maintain comprehensive audit logs that record user interactions with PHI. These logs include login activities, access attempts, and any alterations made to sensitive information. Audit logs serve as invaluable evidence of compliance efforts by providing this detailed record of activity. 


Data loss prevention (DLP)

Data loss prevention (DLP) features can prevent accidental or unauthorized disclosure of PHI. HIPAA compliant email services should offer DLP capabilities to scan email content for sensitive information, such as PHI, and apply rules to prevent unauthorized transmission or sharing of this data. 

Additionally, DLP features may include policy enforcement for email forwarding and copying, quarantine of suspicious messages for review before they leave the organization, and alerts to administrators when a rule is triggered so that a potential breach can be investigated promptly.
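As an added illustration of the DLP rules described above (this is example code, not Paubox's or any vendor's implementation), the following scans an outbound message for a few constructed PHI patterns and applies policy by recipient and by whether the message is a forward; the detectors, the domain `clinic.example` and the bulk threshold are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed, illustrative PHI detectors; a real DLP engine uses far richer rules.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.I),
    "dob": re.compile(r"\bDOB[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
}
INTERNAL_DOMAINS = {"clinic.example"}  # hypothetical covered-entity domain
BULK_THRESHOLD = 5                     # hypothetical: more hits than this looks like a record dump

@dataclass
class Email:
    sender: str
    recipients: list
    subject: str
    body: str
    forwarded: bool = False  # True when the message forwards an earlier email

@dataclass
class Verdict:
    action: str                      # "allow", "encrypt", "quarantine" or "block"
    findings: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

def scan_phi(text):
    """Count matches per PHI category; an empty dict means nothing was found."""
    return {name: len(p.findall(text)) for name, p in PHI_PATTERNS.items() if p.search(text)}

def evaluate(email):
    """Apply the DLP rules to an outbound message and return the action to take."""
    findings = scan_phi(email.subject + "\n" + email.body)
    if not findings:
        return Verdict("allow")
    external = [r for r in email.recipients
                if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if external and sum(findings.values()) > BULK_THRESHOLD:
        return Verdict("block", findings, ["bulk PHI addressed to external recipient"])
    if external and email.forwarded:
        return Verdict("quarantine", findings, ["forwarded PHI leaving the organization"])
    if external:
        return Verdict("encrypt", findings)  # PHI may leave only over an encrypted channel
    return Verdict("allow", findings)       # internal-only traffic is still logged via findings

if __name__ == "__main__":
    msg = Email("nurse@clinic.example", ["patient@mail.example"], "Fwd: lab results",
                "Patient MRN: 00123456, DOB: 01/02/1980", forwarded=True)
    print(evaluate(msg))
```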


FAQs

Are there retention requirements for audit logs of email activity?

HIPAA requires the retention of audit logs, including those related to email activities, for at least six years. Logs should be comprehensive enough to support compliance audits and investigations.


Can healthcare providers use Gmail to transmit PHI unencrypted?

Gmail, Yahoo, Hotmail, and other free email clients don't sign business associate agreements. Without a BAA, the service is not considered HIPAA compliant, even if the email itself is encrypted.


Is email forwarding HIPAA compliant?

Healthcare organizations may use email forwarding features for transmitting PHI, provided that appropriate security measures are in place to safeguard the data.

Related: The top HIPAA compliant email services