Paubox blog: HIPAA compliant email made easy

How to mitigate the risk of shared email inboxes

Written by Kirsten Peremore | December 23, 2024

Shared email inboxes lack individualized access controls. When multiple staff members sign in to a single account with one password, it can be nearly impossible to determine who sent, read, or deleted a specific message. Organizations can still mitigate the risk. A Perspectives in Health Information Management study published in 2022 notes, “The mean number of records affected by a breach due to unintentional insider threats is more than twice that of breaches caused by malicious intent such as external cyberattacks and theft.”

That anonymity increases the chance of an insider incident, since staff can access and transmit data without per-user access logs tying the action to a person. Inadequate controls also expose the organization to accidentally sending PHI to the wrong recipient. These risks are avoidable by separating accounts where possible and managing the remaining shared mailboxes with per-user delegated access and auditing.


How do shared email accounts violate HIPAA?

HIPAA Security Rule Section 164.312(a)(2)(i) addresses unique user identification, requiring that covered entities “assign a unique name and/or number for identifying and tracking user identity.” Each user with access to electronic PHI (ePHI) must have a unique identifier so that their actions within systems that hold ePHI can be tracked and monitored. A shared email account that several people log in to with one credential does not provide this level of individual accountability.

When staff members share a password to a common account, PHI can remain accessible to former employees long after their departure unless the password is rotated every time someone leaves. This is one of many risks that can lead to a data breach, which in turn triggers breach notification obligations that sap the healthcare sector's limited resources.


Best practices for managing shared inboxes effectively

  1. Individual accounts for each user: Ensure every employee has a unique email account. Where a shared mailbox is unavoidable, grant each person delegated access from their own account rather than handing out the mailbox password, so that every action is still attributable to an individual. 
  2. Role-based access control: RBAC restricts access to PHI based on job responsibilities, which ensures that only the personnel who need to can view or handle a given mailbox.
  3. Email organization techniques: Encourage staff to use folders, tags, and filters to organize their inboxes effectively. This helps prioritize important communications and reduces the likelihood of missed messages. 
  4. Schedule email management time: Create a system where staff dedicate specific time blocks during the day solely to managing email. 
  5. Automated responses: Use automated responses for common incoming inquiries and create templates for frequently sent messages. 
  6. Regular audits of email practices: Conduct periodic audits of email practices, including who currently holds access to each shared mailbox and what they have done with it, and remove access that is no longer needed. Such audits support HIPAA's requirement for ongoing monitoring and allow access to be reviewed consistently across organizational systems.
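Practices 1, 2, and 6 above can be enforced on a Microsoft 365 (Exchange Online) shared mailbox from PowerShell. The following is an added example, not code from the Paubox post or from Microsoft, showing how to give each staff member delegated access from their own identity, turn on delegate auditing, review who holds access, pull recent audit records, and revoke a departed employee's access. It assumes the ExchangeOnlineManagement module is installed, that the operator holds an Exchange administrator role, and that the mailbox and user addresses (referrals@example.com, jdoe@example.com, former.employee@example.com) are placeholders.

```powershell
# Added example (not from the original post): attributable access to an Exchange Online shared mailbox.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role; addresses are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.com

$Shared   = "referrals@example.com"   # shared mailbox (its own account stays sign-in blocked in Entra ID)
$Delegate = "jdoe@example.com"        # a staff member who works the inbox from their own account

# --- Practice 1/2: grant access per person instead of sharing the mailbox password ---
# FullAccess lets the delegate open the mailbox; AutoMapping shows it in their Outlook profile.
Add-MailboxPermission -Identity $Shared -User $Delegate -AccessRights FullAccess -AutoMapping $true

# SendAs lets the delegate send "from" the shared address. Use Send on Behalf instead if the
# recipient should see who actually wrote the message (Set-Mailbox -GrantSendOnBehalfTo).
Add-RecipientPermission -Identity $Shared -Trustee $Delegate -AccessRights SendAs -Confirm:$false

# --- Practice 6: make delegate actions auditable and keep the log long enough to review ---
# AuditDelegate lists the delegate actions to record; SendAs/SendOnBehalf answer "who sent this?",
# the delete operations answer "who removed it?", and FolderBind records mailbox folder access.
Set-Mailbox -Identity $Shared -AuditEnabled $true `
    -AuditDelegate Create,Update,MoveToDeletedItems,SoftDelete,HardDelete,SendAs,SendOnBehalf,FolderBind `
    -AuditLogAgeLimit 180

# --- Practice 6: periodic access review ---
# Explicit (non-inherited) FullAccess grants, excluding the built-in SELF/SYSTEM entries.
Write-Host "Users with FullAccess on ${Shared}:"
Get-MailboxPermission -Identity $Shared |
    Where-Object { -not $_.IsInherited -and $_.User -notlike "NT AUTHORITY\*" } |
    Select-Object User, AccessRights | Format-Table -AutoSize

Write-Host "Users with SendAs on ${Shared}:"
Get-RecipientPermission -Identity $Shared |
    Where-Object { $_.Trustee -ne "NT AUTHORITY\SELF" } |
    Select-Object Trustee, AccessRights | Format-Table -AutoSize

# Recent send and delete events touching the shared mailbox from the unified audit log.
# Search-UnifiedAuditLog returns one record per event with the details in the AuditData JSON field.
$Since = (Get-Date).AddDays(-30)
Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) `
    -Operations SendAs,SendOnBehalf,HardDelete,SoftDelete -ResultSize 5000 |
    Where-Object { $_.AuditData -match [regex]::Escape($Shared) } |
    Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize

# --- Offboarding: revoke a departed employee's access instead of rotating a shared password ---
$Leaver = "former.employee@example.com"
Remove-MailboxPermission   -Identity $Shared -User    $Leaver -AccessRights FullAccess -Confirm:$false
Remove-RecipientPermission -Identity $Shared -Trustee $Leaver -AccessRights SendAs     -Confirm:$false

Disconnect-ExchangeOnline -Confirm:$false
```

Because every delegate signs in with their own credential, the audit records carry the delegate's identity rather than the shared address, which is what the unique-user-identification standard is asking for; revoking access on departure is a single permission change rather than a password rotation that has to reach every remaining user.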

Related: HIPAA Compliant Email: The Definitive Guide


FAQs

Is Outlook’s Shared Mailbox option HIPAA compliant? 

The option is not inherently compliant. For Outlook to be used with PHI, the organization must hold a subscription to an appropriate Microsoft 365 or Office 365 plan, which makes Microsoft's business associate agreement available, and must then configure the shared mailbox in line with the Security Rule: delegated per-user access instead of a shared password, mailbox auditing, and encryption for messages that leave the organization.


What is the function of technical safeguards like the unique identifier implementation? 

They protect ePHI and control access to it through the implementation of appropriate technology and policies.   


Can staff members bear individual liability for data breaches?

Yes, staff members can bear individual liability for data breaches if their actions contribute to unauthorized access or disclosure.