HIPAA compliant email communication for health plans

Health plans must ensure email communication is encrypted for all protected health information (PHI), use secure access controls, and establish business associate agreements with email service providers to comply with HIPAA regulations. They should also limit PHI sharing, obtain patient consent, and follow strict email retention and disposal policies.

Understanding HIPAA’s email compliance requirements

HIPAA regulations apply to health plans and require PHI protections, including "all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral." Email communications containing PHI must adhere to the HIPAA Privacy and Security Rules to prevent unauthorized access and potential breaches.

HIPAA compliance requirements for email communication

According to the HHS, "The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so." Other requirements include: 

• Encryption: HIPAA requires that emails with PHI be encrypted in transit and at rest. Even if the emails are intercepted, the information remains unreadable to unauthorized parties. Health plans should use HIPAA compliant email services with strong encryption protocols.
• Access controls: Secure access to email accounts by using strong, unique passwords and enabling two-factor authentication. Implement robust access controls such as password management policies and multifactor authentication (MFA) to protect email accounts from unauthorized access.
• Business associate agreements (BAAs): Health plans must have a BAA with third-party email service providers handling PHI. When selecting an email provider, ensure they offer a BAA. Review and sign the agreement to establish compliance expectations and responsibilities.
• Minimum necessary information: Evaluate the content of emails to ensure they contain only relevant information. Avoid sending detailed patient records or sensitive data unless necessary.
• Patient consent: Obtain explicit patient consent before sending PHI via email. Develop a HIPAA compliant consent form that patients sign before receiving PHI through email. Clearly explain the potential risks and secure their agreement.
• Email retention and disposal: Establish policies for retaining and securely disposing of emails with PHI. Implement email archiving solutions that comply with HIPAA retention requirements. Securely delete emails that are no longer needed, ensuring that PHI is irretrievably removed.
• Staff training: Train staff on HIPAA requirements and secure email practices to prevent accidental breaches. Provide resources and updates to keep staff informed about best practices.

In the news

On July 26, 2024, United of Omaha Life Insurance Company, part of Mutual of Omaha, reported a data breach affecting 107,894 individuals, exposing their PHI. The breach, traced to a phishing attack on an employee email account, was detected on April 23, 2024, after suspicious activity was noticed. Between April 21 and April 23, 2023, sensitive data such as names, Social Security numbers, addresses, birth dates, driver’s license numbers, employment details, and health information were compromised. In response, the company reset passwords, enlisted cybersecurity experts, reported the phishing domain, and re-trained employees on phishing awareness. Affected individuals were notified by mail on July 26. Phishing attacks take advantage of perceived trust, personal behaviors, and reliance on security tools, making it difficult to identify fraudulent emails. Health plans are particularly at risk due to the large amounts of PHI they handle and potential security fatigue among staff.

Related: Tips to spot phishing emails disguised as healthcare communication

FAQs

Can health plans use personal email accounts for work-related communication involving PHI?

No, personal email accounts should never be used for sending or receiving PHI, as they typically lack the encryption and security measures required by HIPAA.

Related: Why personal email accounts are not HIPAA compliant

What role does audit logging play in HIPAA compliant email communication?

Audit logs track access and changes to emails containing PHI, helping health plans detect unauthorized access, maintain compliance, and demonstrate accountability in the event of a breach.

Are there any special precautions health plans should take when employees work remotely?

When working remotely, employees must use secure, encrypted email platforms, connect through a virtual private network (VPN), and follow strict access control measures to protect PHI.