Last updated: 20 March 2024
Welcome to the definitive guide on HIPAA compliant email.
This guide will provide you with a thorough understanding of the requirements for HIPAA compliant email and the steps you can take to ensure your organization is in compliance.
We will cover a range of topics, including how to send a HIPAA compliant email, what to look for in a HIPAA compliant email solution, email encryption methods, HIPAA violations and fines, and an FAQ section you won’t find anywhere else.
This guide is intended for healthcare professionals, IT staff, and anyone else responsible for maintaining or acquiring a HIPAA compliant email solution.
Table of contents
- When does an email need to be HIPAA compliant?
- HIPAA compliance and email
- What makes email HIPAA compliant?
- What to look for in a HIPAA compliant email solution
- How to send HIPAA compliant emails
- HIPAA compliant email checklist
- HIPAA violations and fines
- Email encryption methods
- Frequently Asked Questions
When does an email need to be HIPAA compliant?
An email must be HIPAA compliant when it contains protected health information (PHI) and is sent by a HIPAA-covered entity.
Let's go a bit deeper into what this means.
HIPAA stands for the Health Insurance Portability and Accountability Act. It's a federal law that helps keep your medical information safe and private when shared with doctors, hospitals, and health insurance companies.
This medical information is known as protected health information, or PHI. We'll discuss PHI in more detail shortly.
Two types of entities must follow HIPAA regulations: covered entities and their business associates.
If you're a healthcare provider, a health plan, or a healthcare clearinghouse, you're a covered entity. A business associate is someone who provides services to covered entities. If you're not 100% certain whether HIPAA applies to you, follow this step-by-step guide.
If you handle protected health information (or PHI), you must be HIPAA compliant, and any email sent by a covered entity or a business associate that contains PHI must be HIPAA compliant. No exceptions.
HIPAA compliance and email
To ensure HIPAA compliance when using email, you must use secure email solutions that encrypt messages and attachments in transit and at rest.
It’s now common practice to use an email service provider like Google Workspace or Microsoft 365 to host your organization’s email while using a separate company to provide additional protection, such as email encryption, security, data loss prevention, and backups.
Go deeper: Why Google Workspace and Microsoft 365 aren't enough for complete HIPAA compliance
What kinds of emails need to be HIPAA compliant?
When daily emails number in the hundreds or even thousands, mistakes will always happen, so the safest way to avoid both stress and HIPAA violations is to encrypt everything automatically. As we discuss the typical email interactions, remember that there are two ways to avoid HIPAA violations:
- Encrypt everything
- Rely on staff to manually encrypt emails that may contain PHI.
The latter option is risky.
Three main classes of typical, day-to-day email interactions must be HIPAA compliant:
- provider to patient
- provider to provider
- provider to insurance carrier
Not every email includes PHI, and those that don't may not technically need to be encrypted, but that is exactly why encryption by default is the way to go for peace of mind.
Provider to patient:
These emails include answering patient/customer questions, appointment reminders, test results notifications, and billing emails.
Provider to provider:
Providers transmit PHI to other providers when making referrals and sending lab test results, case discussions, prescription and medication information, patient discharge information, etc. Email is the most convenient way to communicate this information, but often, providers use fax or portals to remain compliant. HIPAA compliant email makes provider-to-provider communication much easier.
Provider to insurance carrier:
A significant portion of healthcare email communication involves the exchange of emails containing PHI for processes like claim submission and claim status inquiries. When submitting claims, healthcare providers typically send detailed emails that include patient identifiers, diagnostic codes, treatment details, and billing information. These emails initiate the reimbursement process for services rendered. The PHI in these emails is sensitive and extensive, providing a comprehensive view of a patient's medical encounter, including the services provided, the rationale for these services, and the associated costs.
Claim status inquiries are critical follow-ups in the billing cycle. They track the progress of claims processing, identify any issues or delays, and ensure timely payment. Healthcare providers often email insurance carriers to inquire about the status of submitted claims. These emails contain PHI, such as patient names, dates of service, and claim numbers.
Both claim submission and claim status inquiry emails must be sent securely to ensure HIPAA compliance.
What makes email HIPAA compliant?
First, make sure patients have given permission to communicate with you by email. Include this authorization in your Notice of Privacy Practices.
Use a HIPAA compliant email service, like Paubox, that encrypts email messages and attachments in transit and at rest.
Always make absolutely sure you've signed a business associate agreement (BAA), with the email service. Without that BAA, it's not HIPAA compliant.
A business associate agreement, as mentioned above, is a contract between a HIPAA-covered entity and a vendor with access to PHI. It ensures that the email service will protect this information in compliance with HIPAA regulations.
There are a few other things to keep in mind.
- Don't delete emails. It's recommended to retain electronic PHI for at least six years.
- Have access controls. Ensure the people who should have access to emails are the only ones with access.
- Set up policies and procedures. All employees must know their responsibilities regarding handling and transmitting PHI via email.
- Train your staff on secure email best practices.
What to look for in a HIPAA compliant email solution
Some encrypted email solutions are difficult to set up and require special steps whenever sending an encrypted email. Go with the straightforward option every time.
Also, make sure it's easy for your patients. Your HIPAA compliant email service should not require patients to jump through hoops like logging into a portal. Patients don't like logging in to portals to read emails. Emails sent through Paubox are opened right there in the inbox, like every other email.
There's no official HIPAA certification. Having HITRUST CSF certification means that a company has taken extensive measures to ensure the security of sensitive data. Working with HITRUST-certified vendors can lower insurance premiums and minimize legal liability.
We obviously recommend Paubox for HIPAA compliant email, but here are some other questions to ask before making your decision.
- Is it easy to set up and easy to use for you and your staff?
- Can your recipients view the email in their inbox without the need for portals or extra steps?
- Is email encrypted in transit?
- Is email encrypted at rest?
- Is every email encrypted by default?
- Will each vendor that processes or handles PHI in email sign a business associate agreement with your organization?
- As a best practice, is the HIPAA compliant email solution HITRUST CSF certified?
How to evaluate a HIPAA compliant email solution
Before signing up with an encrypted email solution, review the below points.
- HIPAA compliance: Is the company HIPAA compliant? Does it focus on healthcare specifically?
- Usability/integration: How easy is integrating the service into existing platforms? Is it easy for providers and administrators to use?
- Customer service: What avenues do customers have when they need help?
- Encryption system: Does the service encrypt emails or use portals? Does encryption need to be done manually, or is it automatic?
- Reviews: What are the reviews of the service? How is it rated?
- Breaches: Has the company ever experienced a data breach?
- Pricing structure: How does the company price its service? What is included in the various tiers?
What's next: Top 10 HIPAA compliant email services
How to send HIPAA compliant emails
To start, you'll need a Google Workspace or Microsoft 365 account.
Next, sign a business associate agreement with Google or Microsoft, whichever one you use. This ensures your emails are encrypted at rest. However, it's not actually enough to ensure complete HIPAA compliance when sending emails.
Then, use a secure HIPAA compliant email service, like Paubox, that ensures every email sent is encrypted by default. Paubox works with Google and Microsoft to ensure 100% HIPAA compliance. You just send the emails from your Google or Microsoft account, and Paubox handles the encryption automatically, and your recipients open the email in their inbox. No portals or extra passwords needed.
This all takes about 15 minutes to set up once, and then every email is encrypted and HIPAA compliant by default.
Regardless of which email service you use, make sure you're following these four steps:
- Secure patient information in transit and at rest: To ensure HIPAA compliance when sending email, use secure email solutions that encrypt messages and attachments in transit and at rest.
- Enter into a business associate agreement: Even if your emails are encrypted, you still need a signed BAA with your email service to comply with HIPAA regulations.
- Set up policies and procedures: An internal policy for HIPAA compliant email ensures all employees know their responsibilities regarding handling and transmitting PHI electronically.
- Train your staff on secure email best practices: In addition to having policies around HIPAA compliant email, healthcare organizations should train employees on these policies and procedures.
Read more: How to send HIPAA compliant emails
HIPAA compliant email checklist
We've created a HIPAA compliant email checklist. The high-level steps are listed below, but within these, there are a few more tasks to check off in order to be in compliance. These sub-tasks are listed in our free PDF download.
- Determine HIPAA applicability and scope
- Select an email service provider
- Develop access control policies
- Establish email usage policies
- Document compliance measures
- Train staff regularly
- Conduct regular risk assessments
- Implement an incident response plan
- Review and update policies
- Document additional compliance measures
- Inbound email security
It's less complicated than it might appear at first, and using a HIPAA compliant email service will help you through steps like setting up DKIM and SPF records to ensure secure email delivery.
HIPAA violations and fines
Keeping your email communication HIPAA compliant isn't a choice - it's required by law.
The penalties for a HIPAA violation can be severe. Both civil and criminal penalties can be enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.
In general, breaches that fall under reasonable cause range from $100 to $50,000 per breach. Willful neglect cases range from $10,000 to $50,000 and often result in criminal charges being brought against the people involved.
This chart shows how civil penalties can reach a maximum of $1.5 million per violation:
Criminal penalties can also be applied when HIPAA violations are knowingly committed, with increases in the fine per violation and imprisonment.
Criminal penalties are divided into three tiers:
Read more: The complete guide to HIPAA violations
Paubox HIPAA Breach Reports
The Paubox HIPAA Breach Report analyzes protected health information (PHI) breaches affecting 500 or more people as reported to the Department of Health & Human Services (HHS).
Paubox has been compiling a monthly HIPAA Breach report since June 2017. Since that time, the data clearly shows email breaches are statistically the most likely entry point for an organization to suffer a HIPAA breach.
Looking back at last year's breaches, we found some interesting statistics:
- There were 733 breaches in 2023.
- Healthcare providers experienced 62.3% of breaches in 2023.
- Business associates experienced 23.4% of breaches in 2023.
- Email was involved in 18% of breaches in 2023.
- "Email" was a common keyword, appearing in 147 resolved cases, suggesting email-related vulnerabilities play a substantial role in these breaches.
- "Phishing" was notably mentioned in 101 resolved cases, highlighting its prominence as an email-based security threat.
- Phishing was involved in 75% of cases where the Location of Breached Information was Email in 2023.
These statistics show that HIPAA compliance isn't only about ensuring the secure transmission of PHI in email. It also requires inbound email security measures. Cybercriminals target healthcare organizations specifically to obtain protected health information (PHI) and personally identifiable information (PII).
According to a report from IBM Security, the healthcare industry is the most targeted for cyberattacks, with 74% of healthcare organizations reporting a data breach.
There are several common threats to keep an eye out for, including phishing and ransomware.
Secure email services like Paubox will offer inbound security tools like geofencing, anti-display name spoofing tools, and data loss prevention tools (DLP). However, there's no substitute for employee training, pen testing, and regular risk assessments.
Email encryption methods
There are five approaches to encrypting email:
1. Transport Layer Security (TLS). This is an encryption protocol that’s used to secure the communication channel between both email clients and email servers. When an email is sent over a modern TLS connection, the data is encrypted in transit, making it impossible for bad actors to decipher the content.
There are a few caveats with TLS when it comes to encrypting email:
- As of today, only TLS 1.2 and 1.3 are considered secure. TLS 1.0 and 1.1 are not secure. The same is true with SSL v3 and SSL v2, which are predecessors to TLS.
- If the recipient mail server is not set up to accept TLS email via STARTTLS, the email is automatically downgraded to clear text and sent unencrypted over the internet. This is because the email protocol (SMTP) was designed with message delivery as its highest priority; message encryption is a lower priority for SMTP. Our deep domain expertise in email security resulted in our first patent, which directly addresses this issue.
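The STARTTLS downgrade described above happens because the sending server reads the recipient server's EHLO reply and, if STARTTLS is not advertised, proceeds in clear text. The following is an added example, not Paubox's code, showing the two halves of the defensive fix: parse the EHLO reply and apply an enforced-TLS policy that defers rather than downgrades, and configure the client TLS context so that SSL v2/v3 and TLS 1.0/1.1 (the versions the page lists as not secure) are refused. The EHLO replies are constructed, not captured from any real server, and the host names are hypothetical.

```python
import re
import ssl

# Constructed EHLO replies (not captured from a real server).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-legacy.example.test Hello client\r\n"
    "250-SIZE 10485760\r\n"
    "250 HELP\r\n"
)


def ehlo_extensions(response):
    """Return the SMTP extension keywords advertised in an EHLO reply.

    Every line after the greeting has the form '250-KEYWORD [params]', with
    the final line using a space instead of a hyphen (RFC 5321).
    """
    extensions = set()
    for line in response.strip().splitlines()[1:]:
        m = re.match(r"250[- ](\S+)", line)
        if m:
            extensions.add(m.group(1).upper())
    return extensions


def advertises_starttls(response):
    return "STARTTLS" in ehlo_extensions(response)


def delivery_decision(response, enforce_tls):
    """Decide what an outbound relay should do for this recipient server.

    enforce_tls=True models the 'encrypt everything' stance: a server that
    does not offer STARTTLS gets the message deferred instead of delivered
    in clear text. enforce_tls=False models default opportunistic SMTP,
    where the message silently falls back to clear text.
    """
    if advertises_starttls(response):
        return "send-over-tls"
    return "defer-no-tls" if enforce_tls else "send-cleartext"


def strict_tls_context():
    """Client context that refuses SSL v2/v3 and TLS 1.0/1.1.

    Pass it to smtplib.SMTP.starttls(context=...) so the negotiated session
    can never be older than TLS 1.2, and the server certificate is verified.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def tls_context_is_strict(ctx):
    """True when the context cannot negotiate anything below TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    for reply in (EHLO_WITH_STARTTLS, EHLO_WITHOUT_STARTTLS):
        print(sorted(ehlo_extensions(reply)),
              delivery_decision(reply, enforce_tls=True),
              delivery_decision(reply, enforce_tls=False))
    print("strict context:", tls_context_is_strict(strict_tls_context()))
```

The interesting row is the legacy server: with opportunistic TLS the relay returns `send-cleartext`, which is the silent downgrade the page warns about; with enforcement it returns `defer-no-tls`, and the message stays queued until the recipient server supports STARTTLS or the sender chooses another channel.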
2. Pretty Good Privacy (PGP). This method uses public key cryptography to encrypt email messages and attachments. The sender uses the recipient’s public key to encrypt the email, and the recipient uses their private key to decrypt it.
In theory, this method ensures that only the recipient can read the email and that the content remains secure even if the email is intercepted by a third party. As we'll see, PGP can no longer support this claim.
In fact, there are considerable caveats to using PGP for encrypting email:
- Security. PGP has been criticized for having numerous security vulnerabilities in the past. For example, we cannot find any proof that EFAIL, a PGP vulnerability discovered in 2018, has been patched.
- Complexity. PGP requires users to generate and manage their own public and private keys, which can be a complex and time-consuming process for non-technical users. In addition, each recipient’s public key needs to be installed on every device used to check email.
- Lack of Integration. PGP requires additional software and plugins to be installed in order to work with most email clients, which is a barrier to adoption.
- Ease of use. PGP is not as user-friendly as some other encryption methods, which makes it far less adopted.
Go deeper: What does seamless encryption mean? Hint: It’s not PGP
3. Secure/Multipurpose Internet Mail Extensions (S/MIME). S/MIME is a standard for public key encryption and signing of MIME data, which includes email attachments.
S/MIME requires both the sender and the recipient to have a digital certificate, which is used to encrypt and sign the message. The problem with S/MIME encryption is the same as with PGP: it can no longer support the claim that it's secure.
As with PGP, S/MIME has legitimate caveats when it comes to encrypting email:
- Security. S/MIME also shares criticisms for having its share of security vulnerabilities. For example, EFAIL also affects S/MIME and there isn’t any documentation it’s been patched for S/MIME either.
- Complexity and ease of use. As with PGP, S/MIME is difficult to set up and use. This is especially true in larger organizations. This is precisely why most of us cannot remember the last (or first) time we've received an S/MIME encrypted email.
Go deeper: What is S/MIME and why isn’t it the best form of email encryption?
4. Portals. About 15 years ago, when email security vendors noticed that PGP and S/MIME were not being adopted, the concept of an email portal became vogue. If you’ve ever been forced to use one, you’ll know it was not designed with user experience in mind.
Here’s the thinking behind an email portal:
- If the protocol that governs email, SMTP, sends email unencrypted over the internet when either the sender or the recipient does not support encryption, then it cannot be relied on for enforcing encryption. Therefore, why not use a different protocol, HTTPS, and force users to go to a web page to view email? After all, it's simple to automatically redirect non-encrypted webpages (HTTP) to encrypted ones (HTTPS).
The problems with this approach are obvious:
- Friction. The portal-based approach used by Microsoft 365 involves seven steps. Proofpoint’s encrypted email solution has six steps. That’s a lot of friction just to read a single secure email.
- User experience. At least 70% of email is now read from smartphones. Being forced to use a multi-step portal from a smartphone is widely agreed to be a terrible user experience. High friction and bad user experience are the driving factors behind why portals have low adoption in the market.
- Backups and eDiscovery. The Iowa Department of Human Services lost 432,000 emails when it switched away from a portal- and app-based vendor (Virtru), because the emails were stored in the vendor's portal and not in the mailboxes of Iowa DHS staff. When their staff had to respond to eDiscovery requests, they discovered, ironically, that they could not: the encrypted email was unavailable, stashed away in a remote location in an unreadable format.
5. Apps. Then about 10 years ago, when email security vendors took note of the low adoption of email portals, the leading thought was to build a smartphone app to handle email encryption.
Unfortunately, the same problems introduced by portals carried over:
- Friction. In order to read an encrypted email from an app, you of course need to download the app, register for an account, and learn how to use it. Since there isn’t a de facto app for secure email, this means installing half a dozen or more apps. The logical thought process is, why? It’s easy to see why there’s too much friction with this approach.
- User experience. If a majority of email is now read from smartphones, that doesn't mean all of it is. By optimizing for one use case by building an app, the other use case (desktops) has been left out. In some industries like healthcare, a majority of staff tend to use desktops for email. How exactly are you supposed to read an encrypted email sent from an app in an email client on your desktop? The answer is… a portal. Not a great user experience here either.
- Backups and eDiscovery. The problem with access to email archives and data is the same here as it is with portals. It's a glaring problem. For example, Virtru also has an app. This did not, however, prevent Iowa DHS from running into legal jeopardy (not to mention bad press) for their missing emails.
Frequently Asked Questions
Here are some frequently asked questions about HIPAA compliant email.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that was enacted in 1996. It sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).
The law applies to health plans, healthcare clearinghouses, and certain healthcare providers that conduct certain financial and administrative transactions electronically, such as billing and claims submissions.
HIPAA includes two main rules: the Privacy Rule and the Security Rule. The Privacy Rule establishes national standards for protecting the privacy of PHI. It specifies how PHI can be used and disclosed and gives individuals certain rights with respect to their PHI.
The Security Rule establishes national standards for protecting the security of electronic PHI. It specifies administrative, physical, and technical safeguards that covered entities must implement to secure ePHI.
HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.
Watch: What is HIPAA
What is protected health information (PHI)?
Protected health information needs to be protected in all mediums: electronic, paper, and oral. PHI isn’t just confined to medical records and test results. In fact, any information that can identify a patient and is used or disclosed during the course of care is considered PHI. Even if the information by itself doesn’t reveal a patient’s medical history, it is still considered PHI.
A related term is ePHI, which stands for electronic protected health information. The terms can be used interchangeably when referring to HIPAA compliant email.
Who does HIPAA apply to?
HIPAA applies to covered entities, which includes healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
What is a business associate agreement?
A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.
When working with an email platform or any 3rd-party software that might handle PHI, HIPAA requires a business associate agreement outlining the responsibilities, obligations and scope in complying with HIPAA's regulations.
At a minimum, a BAA must include ten provisions.
Is patient authorization needed to send PHI in email?
No. HIPAA's Privacy Rule allows healthcare providers to communicate with patients regarding their health and treatment as part of the healthcare provider's normal business practices. This can include sending emails containing PHI, provided that reasonable safeguards are in place to protect the information.
Providers still often obtain consent or acknowledge patient preferences about receiving communications via email at the start of their relationship, usually alongside a Notice of Privacy Practices.
Patients are informed about the risks associated with email communication and consent to receive health information through this medium.
For communication outside of standard treatment, payment, or healthcare operations like psychotherapy notes or marketing communications, explicit patient authorization is required under HIPAA before sending such information via email.
What makes authorization HIPAA compliant?
If sending emails with PHI that are not part of normal business practices, like marketing emails, you'll need explicit patient authorization. To be HIPAA compliant, the authorization must include:
- Clear purpose and identification: When asking patients for authorization, explain what they're consenting to.
- Description of PHI: Include the types of PHI you'll use.
- Voluntary participation and revocation of consent: Explain to patients in the authorization form that their consent is voluntary and can be revoked at any time.
- Opting out must be easy: One-click-opt-out is a best practice. Most email marketing platforms will automatically include the unsubscribe flow in marketing emails for CAN-SPAM compliance purposes. However, note that you'll need to manually unsubscribe anyone who asks, whether over the phone, in an email reply, or in person.
- Statement of HIPAA rights and nondiscrimination: Remind individuals of their rights under HIPAA, such as the Right to Access and Right to Amend their PHI. Also, include a statement assuring them that refusing or revoking consent will not impact their access to healthcare services.
- Signature and date: Get their name, signature, and date of signing, or use a legally binding digital signature.
- Recordkeeping: Briefly explain how you'll securely retain the authorization form as part of their records.
When does my HIPAA liability end when sending email?
Once an email has been delivered to the end recipient’s system using encryption, the covered entity or business associate has fulfilled their obligations to the HIPAA Privacy Rule.
Read more: How do I know when my HIPAA privacy obligation for email encryption ends?
Does a disclaimer make an email HIPAA compliant?
No. Emails must be sent securely to be HIPAA compliant. Adding a disclaimer does not meet HIPAA Security Rule requirements and doesn't make an email HIPAA compliant.
Is Gmail HIPAA compliant?
The free version of Gmail is not HIPAA compliant. Google will not sign a business associate agreement with free Gmail users.
For HIPAA compliance, upgrade to a paid Google Workspace account and sign a business associate agreement. Even then, Gmail isn't 100% HIPAA compliant when sending emails to recipients that don't support TLS encryption. For emails to be 100% HIPAA compliant and avoid HIPAA violations, use Paubox Email Suite with Google Workspace to encrypt all emails by default.
Is Microsoft 365 HIPAA compliant?
Mostly yes. According to Microsoft, their encrypted emails work with other Microsoft email clients, but "if the recipient is using another email client or email account, such as Gmail or Yahoo, they'll see a link that lets them either sign in to read the email message or request a one-time passcode to view the message in a web browser."
Portals severely disrupt patient communication because accessing an email or attachment requires up to 6 extra steps. Use Paubox Email Suite with your Microsoft 365 account to encrypt all emails by default without needing patients to log in to a portal.
What should you do if you violate HIPAA in an email?
First, determine if the violation resulted in unauthorized disclosure of protected health information. If it did, notify the affected client promptly and take steps to mitigate any potential harm. Reporting the violation to the U.S. Department of Health and Human Services is required only if the breach affects 500 or more individuals, but it's good practice to document all breaches, regardless of size.
Does the subject line of an email have to be encrypted?
If the subject line contains ePHI, yes, it must be encrypted. It should be noted that it is not the responsibility of a healthcare provider to assure that incoming email is encrypted (although many organizations like having this feature).
Read more: Does an email subject line have to be HIPAA compliant?
Does the email message header have to be encrypted?
An email message header includes fields that provide information about the sender, recipient, and routing of the message.
Some common email header fields include:
- From: the email address of the sender
- To: the email address of the primary recipient
- Subject: the subject or topic of the message
- Date: the date and time the message was sent
- Cc: (carbon copy) list of recipients who are to receive a copy of the message
- Bcc: (blind carbon copy) list of recipients who receive a copy of the message without the other recipients being aware
- Reply-To: the email address that should be used when replying to the message
- Message-ID: a unique identifier for the message
- In-Reply-To: the Message-ID of the message that this message is a reply to
- References: a list of Message-IDs for messages that this message is related to
As you can see, there are myriad instances in which PHI can be inserted into a message header. You should therefore be encrypting email message headers as a best practice.
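The header list above is also the natural place for an outbound data loss prevention check: before a message leaves, scan the header fields that a non-TLS hop would expose and hold the message if they look like they carry PHI. The following is an added example, not Paubox's DLP tooling; it uses Python's standard email library with a constructed message (fictitious addresses and identifiers) and a few illustrative regular expressions that stand in for a real PHI classifier. The hold/release policy it applies is a hypothetical one written for this example.

```python
import re
from email.message import EmailMessage

# Illustrative heuristics for PHI in free text. They are examples for this
# snippet, not a complete or authoritative PHI classifier.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[\s#:]*\d{5,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[\s:]*\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
    "diagnosis": re.compile(r"\b(?:diagnos(?:is|ed)|HIV|oncology|lab results?)\b",
                            re.IGNORECASE),
}

# Header fields from the list above that a relay transmits in clear text
# unless the hop is TLS-protected (PGP and S/MIME leave them unencrypted).
SCANNED_HEADERS = ("Subject", "From", "To", "Cc", "Reply-To",
                   "References", "In-Reply-To")


def scan_headers(msg):
    """Return {header name: [matched pattern labels]} for headers that look like PHI."""
    findings = {}
    for name in SCANNED_HEADERS:
        value = msg.get(name)
        if not value:
            continue
        hits = [label for label, pat in PHI_PATTERNS.items() if pat.search(value)]
        if hits:
            findings[name] = hits
    return findings


def release_decision(msg, transport_encrypted):
    """Hypothetical policy: PHI in headers may leave only over an encrypted hop."""
    if scan_headers(msg) and not transport_encrypted:
        return "hold"
    return "release"


def build_sample():
    # Constructed message; the addresses and identifiers are fictitious.
    msg = EmailMessage()
    msg["From"] = "records@clinic.example"
    msg["To"] = "patient@example.test"
    msg["Subject"] = "Lab results for MRN 0012345, DOB 01/02/1980"
    msg.set_content("See attached.")
    return msg


def build_clean_sample():
    # Constructed message whose headers carry no PHI.
    msg = EmailMessage()
    msg["From"] = "frontdesk@clinic.example"
    msg["To"] = "patient@example.test"
    msg["Subject"] = "Appointment reminder"
    msg.set_content("Please reply to confirm.")
    return msg


if __name__ == "__main__":
    for m in (build_sample(), build_clean_sample()):
        print(repr(m["Subject"]), scan_headers(m),
              release_decision(m, transport_encrypted=False))
```

The first sample is held when the hop is not encrypted because its Subject matches the MRN, date-of-birth and lab-results heuristics; the same message is released over TLS, which matches the page's point that TLS protects headers in transit while PGP and S/MIME do not.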
Do all email encryption methods encrypt a message header?
Email sent via Transport Layer Security (TLS) does encrypt the message header while it’s in transit across the internet.
Email sent using PGP or S/MIME, however, does not have its message header encrypted.
If we already know it’s likely message headers will invariably contain PHI, we can conclude PGP and S/MIME are not sufficient forms of encryption for HIPAA compliant email.
Why isn’t PGP more widely used to encrypt email?
PGP (Pretty Good Privacy) is a well-established standard for email encryption, but it is not widely adopted. Here are several reasons why:
- Complexity. PGP requires users to generate and manage their own public and private keys, which can be a complex and time-consuming process for non-technical users.
- Lack of Integration. PGP requires additional software and plugins to be installed in order to work with most email clients, which can be a barrier to adoption for some users.
- Security concerns. PGP has been criticized for having numerous security vulnerabilities in the past, which has led to some organizations being hesitant to adopt it.
- Ease of use. PGP is not as user-friendly as some other encryption methods, which can make it less appealing.
Does PGP email still have security vulnerabilities?
PGP has had a number of notable security vulnerabilities identified over the years. They include:
- EFAIL. In May 2018, a group of researchers discovered a vulnerability in the way PGP and S/MIME handle email encryption, known as EFAIL. It allows attackers to read the plaintext of encrypted emails by intercepting, manipulating, and then re-encrypting the ciphertext. Ciphertext is the result of encryption performed on plaintext using an algorithm.
- Key-pair collision. PGP uses a hash function to generate a “fingerprint” of a public key, which is used to identify the key. In 2017, it was discovered that it’s possible to generate two distinct keys with the same fingerprint, which could be used to impersonate someone else’s key.
- Key-server vulnerability. PGP relies on key servers to distribute public keys. In 2011, a vulnerability was discovered that could allow an attacker to upload a malicious key to a key server, which could then be used to impersonate someone else.
- Malicious Key. PGP relies on users to verify the authenticity of public keys before using them to encrypt messages. In some cases, attackers have been able to trick users into using a malicious key, which could allow them to decrypt the messages.
It should be noted most of these vulnerabilities have since been addressed by the PGP community and vendors.
Read more: PGP and S/MIME aren’t as secure as you think
Are email attachments encrypted?
Yes. Email attachments encrypted by either TLS, PGP, or S/MIME will be encrypted in transit.
Read more: What types of encryption methods encrypt email attachments?
Am I responsible for incoming emails to be HIPAA compliant?
HIPAA does not require covered entities and business associates to encrypt their inbound email. To maintain HIPAA compliance, healthcare organizations need to implement technical safeguards for outbound email that contains PHI. The best technical safeguard is using encryption.
Read more: Do you need inbound email security to be HIPAA compliant?
If I password-protect an email attachment, does that make it HIPAA compliant?
The guidance from HHS is clear: forgoing encryption and only using password protection for a document (or an entire hard drive, for that matter) is not sufficient and has already led to publicized HIPAA fines.
Therefore, using only password protection for attaching a document via email is not a HIPAA compliant approach and should be avoided.
Read more: Is my password-protected PDF document HIPAA compliant?
Is it HIPAA or HIPPA?
People often type HIPPA instead of HIPAA, so searches for HIPPA compliant email or HIPPA email are common. Google recognizes the misspelling and returns results for the correct term anyway, but to be clear: the law is HIPAA, and "HIPAA compliant email" and "HIPAA email" are the correct terms.
What versions of Transport Layer Security encryption are considered secure?
In January 2021, the NSA issued the following guidance:
“The National Security Agency (NSA) emphatically recommends replacing obsolete protocol configurations with ones that utilize strong encryption and authentication to protect all sensitive information… Network connections employing obsolete protocols are at an elevated risk of exploitation by adversaries.”
Furthermore:
“NSA recommends that only TLS 1.2 or TLS 1.3 be used; and that SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 not be used.”
Following NSA guidance, here’s a list of security protocols supported by Paubox:
- SSL v2 (Not Supported)
- SSL v3 (Not Supported)
- TLS 1.0 (Not Supported)
- TLS 1.1 (Not Supported)
- TLS 1.2 (Supported)
- TLS 1.3 (Supported)
Read more: Paubox eliminates obsolete TLS protocols, follows NSA guidance
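The policy in the list above can be enforced on the sending side rather than trusted to the relay. The following is an added example, not Paubox code: an outbound SMTP client that refuses to negotiate anything below TLS 1.2, verifies the server certificate, and aborts instead of falling back to plaintext when STARTTLS is unavailable or an obsolete version is negotiated. The host and port are placeholders you would replace with your relay.

```python
"""Enforce the NSA TLS guidance (TLS 1.2/1.3 only) on outbound SMTP connections.

Added example, not code from the original page. It assumes a mail relay
(placeholder SMTP_HOST / SMTP_PORT) that advertises STARTTLS.
"""
import smtplib
import ssl
from email.message import EmailMessage
from typing import Optional

# Protocol versions as classified in the NSA guidance from January 2021.
APPROVED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
OBSOLETE_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

SMTP_HOST = "smtp.example.invalid"  # placeholder, not a real relay
SMTP_PORT = 587


def make_mail_tls_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and verifies the server."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    # Hard floor: OpenSSL will not negotiate TLS 1.0/1.1 (or SSL 2/3) at all.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Keep certificate and hostname verification on so a relay impersonating
    # the intended server is rejected during the handshake.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True if ctx enforces the floor and verification the guidance calls for."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
    )


def version_is_acceptable(negotiated: Optional[str]) -> bool:
    """Gate on the string ssl.SSLSocket.version() reports after the handshake."""
    return negotiated in APPROVED_VERSIONS


def send_with_enforced_tls(host: str, port: int, msg: EmailMessage,
                           context: Optional[ssl.SSLContext] = None) -> str:
    """Send msg over SMTP; abort rather than fall back to plaintext.

    Returns the negotiated protocol version. smtplib raises
    SMTPNotSupportedError if the server does not offer STARTTLS; that error
    is allowed to propagate so PHI is never sent in the clear.
    """
    ctx = context or make_mail_tls_context()
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)  # after this, smtp.sock is an SSLSocket
        negotiated = smtp.sock.version()
        if not version_is_acceptable(negotiated):
            raise ssl.SSLError(f"refusing to send over {negotiated}")
        smtp.send_message(msg)
    return negotiated


if __name__ == "__main__":
    message = EmailMessage()
    message["From"] = "clinic@example.invalid"
    message["To"] = "patient@example.invalid"
    message["Subject"] = "Appointment reminder"
    message.set_content("Constructed sample body; no real PHI.")
    print(send_with_enforced_tls(SMTP_HOST, SMTP_PORT, message))
```

Because `minimum_version` is set on the context, a server that only offers TLS 1.0 or 1.1 fails the handshake before any mail is transferred, and the explicit version check after `starttls()` guards against a misconfigured context being passed in. The same context can be handed to `smtplib.SMTP_SSL` for implicit TLS on port 465.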
Do international companies need to abide by HIPAA?
HIPAA has no geographic carve-out. What matters is the company's role, not its location or the patient's citizenship: an international company that creates, receives, maintains, or transmits PHI on behalf of a U.S. covered entity is a business associate, must sign a business associate agreement, and must comply with the HIPAA Security Rule like any domestic vendor.
Read more: Do international companies have to abide by HIPAA?
Does email qualify under the HIPAA Conduit Exception rule?
The conduit exception was introduced in the preamble to the HIPAA Privacy Rule in December 2000. It is limited to services that only transmit PHI (electronically or on paper), such as the postal service or an internet service provider, and that have no more than transient, incidental access to it. An email provider stores messages in mailboxes and has persistent access to their contents, so it is not a transmission-only service.
In summary, email providers do not qualify for the HIPAA conduit exception; a provider that handles PHI is a business associate and must sign a BAA.
Read more: HIPAA Conduit Exception Rule – what is it?
Can a covered entity or business associate use a consumer email service provider like Yahoo or Hotmail?
A business associate agreement is required for any vendor handling or processing PHI on behalf of a covered entity or business associate. We have not found a single consumer email service that provides a BAA. Therefore, using a provider like Yahoo or Hotmail is not HIPAA compliant and should be avoided.
What is HITRUST?
HITRUST is a standards development organization that was founded in 2007. It develops and maintains a healthcare compliance framework called the HITRUST CSF. The HITRUST CSF is designed to unify security controls from federal law (HIPAA), state law, and non-governmental frameworks (PCI-DSS) into a single framework that’s tailored towards use in the healthcare industry.
Paubox solutions have been HITRUST CSF certified since 2019.
Read more: Paubox renews, expands HITRUST CSF certification through 2025
Does Paubox have patents for its work on encrypted email?
Yes, Paubox currently has four patents.
Read more: U.S. Patent Office approves our approach to email encryption
What is the HHS Notification of Enforcement Discretion and does it apply to email?
When the COVID-19 pandemic hit in March 2020, the U.S. Department of Health and Human Services (HHS) announced a Notification of Enforcement Discretion that allowed health care providers to use widely available audio or video communication apps for telehealth without risk of HIPAA penalties, so long as the apps were "non-public facing" (a video call, not a live stream).
Email was never in scope: the notification applied only to non-public facing audio and video communication services.
The notification also ended with the COVID-19 public health emergency on May 11, 2023, with a transition period that ran through August 9, 2023, so providers can no longer rely on it for any channel.
See also: HIPAA privacy and security guidelines as they relate to telehealth
Is email marketing HIPAA compliant?
Yes, but very few email marketing platforms offer HIPAA compliant email marketing. For email marketing to be compliant, two requirements must be met.
First, you must get authorization from patients to send them marketing emails. Usually, this is added to your Notice of Privacy Practices or asked when someone first becomes a client. However, anything directly related to treatment or healthcare operations, like appointment reminders, is exempt from this requirement.
Second, the marketing emails must be encrypted. So, you'll need to use a HIPAA-compliant platform, like Paubox Marketing.