HIPAA compliant email requirements for subcontractors

HIPAA email requirements for subcontractors include signing a business associate agreement (BAA), encrypting emails with PHI, implementing access controls like strong passwords and two-factor authentication, using secure transmission methods, and maintaining audit trails to monitor email activity. Subcontractors must also adhere to the minimum necessary rule, limiting the amount of PHI shared via email.

What are subcontractors under HIPAA?

A subcontractor, according to 45 CFR 160, is a person or entity to whom a business associate delegates a specific function, activity, or service. This delegation occurs outside the context of being a part of the business associate's workforce. When handling PHI, subcontractors must adhere to the HIPAA Privacy and Security Rules to ensure HIPAA compliant email communication. 

Read more: How HIPAA defines subcontractors

Why HIPAA applies to subcontractors' email practices

According to the HHS, "The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.". Emailing PHI without proper protections exposes sensitive patient data to unauthorized access, making subcontractors accountable for ensuring email security. Noncompliance can result in data breaches and significant financial penalties. 

The main HIPAA email requirements for subcontractors

Business associate agreement (BAA)

Subcontractors must sign a BAA with the business associate they work for before handling any PHI. This legal document outlines the subcontractor's responsibilities, including safeguarding PHI and following HIPAA standards. Without a BAA, subcontractors cannot legally handle PHI, including emails that contain sensitive patient information.

Read more: What is the purpose of a business associate agreement?

Encryption of emails containing PHI

HIPAA requires subcontractors to protect PHI sent via email, and encryption ensures that. Encryption is an "addressable" safeguard under HIPAA. The HHS clarifies that "An addressable implementation specification is not optional; rather, if an organization determines that the implementation specification is not reasonable and appropriate, the organization must document why it is not reasonable and appropriate and adopt an equivalent measure if it is reasonable and appropriate to do so.". Subcontractors must encrypt emails in transit (when they’re being sent) and at rest (when stored). If encryption is not used, subcontractors must document why and implement alternative security measures. 

Access controls for email accounts

Subcontractors must implement access controls to prevent unauthorized access to email accounts containing PHI. These include strong password policies, two-factor authentication, and role-based access to limit email system access to authorized personnel only. 

Secure transmission methods

Subcontractors must use secure transmission methods for emailing PHI. That includes using transport layer security (TLS) to protect the connection between email servers, ensuring that PHI is transmitted securely. Additionally, subcontractors should use encryption to protect the data throughout the transmission process, reducing the risk of unauthorized access.

Audit controls and monitoring

HIPAA requires subcontractors to have audit controls in place, meaning they must track and log email activity involving PHI. That ensures that any access, use, or transmission of PHI via email can be monitored, and unauthorized activity can be detected quickly. Audit controls provide accountability and help confirm compliance during audits or investigations.

The minimum necessary rule for email communication 

"The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.". Subcontractors should limit the PHI shared via email to only what is essential for the task. For example, if only a patient’s name is required, avoid including other personal or medical information in the email.

Selecting a HIPAA compliant email service

Subcontractors must use a HIPAA compliant email service to handle PHI. These services offer features like encryption, access controls, and audit trails, ensuring email communication meets HIPAA standards. Moreover, they should provide a BAA to the subcontractor. 

Read more: Features to look for in a HIPAA compliant email service provider

FAQs

Can subcontractors use free email services for sending PHI?

No, free email services are not typically HIPAA compliant as they lack encryption and the ability to sign a BAA, both of which are required to protect PHI.

Related: How can I send free HIPAA compliant emails?

What should subcontractors do if an email containing PHI is sent to the wrong recipient?

Subcontractors must immediately report the incident to the business associate, assess whether the breach compromises PHI, and take steps to mitigate potential harm.

Can subcontractors use cloud-based email storage for PHI?

Yes, as long as the cloud service provider is HIPAA compliant, uses encryption, and signs a BAA with the subcontractor, cloud-based email storage can be used for PHI.