How to forward an email while being HIPAA compliant

Forwarding an email while being HIPAA compliant involves understanding and implementing several key safeguards to protect electronic protected health information (ePHI). By using secure email services, verifying recipient authorization, applying the minimum necessary rule, maintaining audit trails, securing patient consent, and conducting regular training, healthcare providers can ensure they are complying with HIPAA regulations.

Is forwarding an email a HIPAA violation?

After much research, Paubox found that forwarding an email “is not inherently a HIPAA violation;” however, the email must be “forwarded with the right safeguards and only to authorized individuals.”

Key considerations for HIPAA compliant email forwarding

Encryption

• Why it matters: Encryption transforms email content into unreadable code, accessible only to those possessing a decryption key. This ensures that ePHI is protected from unauthorized access during transmission.
• Implementation: Use email services that offer encryption, like Paubox. Ensure that both the sender's and the recipient’s email platforms support this feature.

Access control

• Why it matters: HIPAA mandates that only authorized individuals should have access to ePHI.
• Implementation: Verify the recipient’s identity and authorization to access the ePHI before forwarding the email. Implement role-based access controls (RBAC) to restrict access based on job roles.

Minimum Necessary Standard

• Why it matters: The HIPAA Privacy Rule requires that only the minimum necessary information be disclosed to accomplish the intended purpose.
• Implementation: Before forwarding, review the email content and remove any unnecessary ePHI. Ensure that only the essential information required for the recipient’s task is included.

Audit and tracking

• Why it matters: Keeping track of who accesses and forwards ePHI helps in identifying potential breaches and ensuring accountability.
• Implementation: Use email systems that offer logging and auditing features. Regularly review logs to monitor email forwarding activities.

Business associate agreements (BAAs)

• Why it matters: Third-party service providers that handle ePHI must comply with HIPAA regulations.
• Implementation: Ensure that your email service provider and any other third-party vendor have signed a BAA. This legally binds them to comply with HIPAA requirements.

Patient consent

• Why it matters: HIPAA requires obtaining patient consent for disclosures not related to treatment, payment, or healthcare operations.
• Implementation: Obtain explicit consent from the patient before forwarding their ePHI to individuals or entities outside the permitted scope.

Related: 

• How to obtain patient consent for email communication
• FAQs: All about HIPAA and patient consent
  
  

Security policies and training

• Why it matters: Consistent application of security policies and staff training reduces the risk of accidental breaches.
• Implementation: Develop comprehensive security policies regarding email use and forwarding. Conduct regular training sessions to ensure that staff understands and adheres to these policies.
  
  

Practical steps for HIPAA compliant email forwarding

• Use secure email services: Opt for email providers that offer HIPAA compliant features, such as encryption, secure email portals, and compliance certifications. Services like Microsoft 365, Google Workspace with enhanced security, and specialized providers like Paubox are good options.
• Implement strong access controls: Ensure that only authorized personnel can access and forward emails containing ePHI. Use multi-factor authentication (MFA) to add an extra layer of security.
• Encrypt emails: Enable encryption for all emails containing ePHI. Ensure that both the email body and attachments are encrypted. Use tools and plugins that integrate with your email service to provide encryption.
• Verify recipient authorization: Double-check the recipient’s email address before forwarding. Verify that the recipient is authorized to receive the ePHI and has a legitimate need for the information.
• Apply the Minimum Necessary Rule: Before forwarding, review the email content to ensure that only the necessary ePHI is included. Remove any extraneous information that is not required for the recipient’s task.
• Maintain audit trails: Use email systems that log forwarding activities. Regularly review these logs to monitor compliance and identify any unauthorized forwarding of emails.
• Secure patient consent: Obtain patient consent for email communications, especially when forwarding ePHI outside of treatment, payment, or healthcare operations. Document this consent and ensure it is up to date.
• Train staff regularly: Conduct regular training sessions on HIPAA compliance and email security. Ensure that staff understand the importance of protecting ePHI and the procedures for forwarding emails securely.

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

How can I verify that the recipient is authorized to receive PHI?

Verify the recipient's email address and their role within the organization or their relationship to the patient. Ensure that the recipient has a legitimate need to access the PHI. Implementing role-based access controls can help restrict access to authorized individuals only.

How can I ensure my emails are encrypted?

Use email services that offer built-in encryption features. You can also use third-party encryption tools or plugins that integrate with your email service. Ensure that encryption is enabled for both the email body and any attachments.

Related: How to encrypt your email and why you should

Can I use personal email accounts to forward emails containing PHI?

No, personal email accounts typically do not offer the necessary security features and encryption required for HIPAA compliance. Always use your organization's approved email service that complies with HIPAA regulation

Learn more: How do I make my personal email HIPAA compliant?