Paubox blog: HIPAA compliant email made easy

Preventing HIPAA breaches when emailing external providers

Written by Liyanda Tembani | September 30, 2024

Many breaches can be prevented by using HIPAA compliant email services with encryption, signing business associate agreements (BAAs), and applying the minimum necessary rule to limit shared information. Other prevention methods include training staff on secure email practices and implementing safeguards like two-factor authentication (2FA), email audit trails, and avoiding sensitive attachments. 


HIPAA’s email regulations

The HIPAA Privacy and Security Rules govern the use and protection of Protected Health Information (PHI) in electronic communications, including email. While HIPAA allows using email for PHI, it requires certain safeguards to ensure unauthorized individuals do not access the information. According to the HHS, "The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so." External healthcare providers, who are not part of your organization but are involved in patient care, must also follow these guidelines to ensure HIPAA compliant email communication. 


The risks of emailing PHI externally

  1. Unencrypted transmissions: Mail relayed without encryption can be read in transit or on any intermediate server, exposing PHI to anyone who can observe or access that path.
  2. Unauthorized access: Without adequate security measures, email accounts can be compromised, allowing PHI to fall into the wrong hands.
  3. Misaddressed emails: Sending emails to the wrong recipient is a common human error that can lead to breaches.
  4. No business associate agreement (BAA): If a vendor or other business associate handles PHI on your behalf without a BAA, your organization is out of compliance. (A BAA is not required for disclosures to another provider for the patient's treatment, but those messages still need the safeguards below.)
  5. Insider threats: Employees may intentionally or unintentionally access or disclose PHI improperly.

Related: Are emails a risk for breaches?


Recommended practices for preventing HIPAA breaches in email communication

Use HIPAA compliant email services

Use an email service provider that offers HIPAA compliant features, such as encryption, access controls, and audit trails. The provider must also sign a BAA, which confirms they adhere to HIPAA regulations. Choosing a secure provider ensures that your email communication is appropriately protected.

Read more: Features to look for in a HIPAA compliant email service provider


Encrypt emails containing PHI

Any email containing PHI sent externally must be encrypted so that, if it is intercepted, its contents cannot be read by anyone without the decryption keys. Two layers are in play: transport encryption (TLS between mail servers) protects the message on the wire but leaves it readable on the receiving server, while message-level encryption (S/MIME, PGP, or a secure message portal) protects the content end to end. Be aware that opportunistic TLS silently falls back to cleartext when the recipient's server does not offer it; for partner domains you exchange PHI with, enforce TLS per domain or use message-level encryption rather than relying on the default.


Implement the minimum necessary rule

HIPAA requires that healthcare providers disclose only the minimum necessary information to accomplish the intended purpose. When emailing external providers, avoid sharing more PHI than is needed. For instance, if discussing a treatment plan, include only the information relevant to that plan, not the patient's entire medical history.


Obtain and review BAAs

When sharing PHI with external providers, ensure you have a signed BAA in place if they handle PHI on your behalf. A BAA confirms that the external provider must protect PHI in compliance with HIPAA. Regularly review BAAs to ensure they remain up-to-date with regulatory changes.


Educate and train staff

Staff should be trained on HIPAA compliant email practices, including how to verify recipient addresses, limit PHI disclosure, and avoid common email errors. Regular training ensures that staff understand the risks associated with emailing PHI and the steps they can take to prevent breaches.
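The practices above (verify the recipient, encrypt in transit, have a BAA where one is needed) can also be enforced mechanically at the outbound mail gateway, so a staff slip does not become a breach. The following is an added example written for this article; it is not Paubox's code or any real product's API. The partner domains, the policy table and the addresses are constructed for illustration, and the TLS levels borrow Postfix's names (`secure`, `encrypt`, `may`) only as a familiar vocabulary.

```python
"""Outbound gateway check for email carrying PHI to external providers.

Added example for this article; not Paubox's code or any real product's
API. Partner domains, policy entries and addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PartnerPolicy:
    # Postfix-style TLS level: "secure" (TLS required, certificate verified)
    # and "encrypt" (TLS required) enforce encryption; "may" is opportunistic
    # and falls back to cleartext if the remote server does not offer TLS.
    tls: str
    # "treatment": another provider receiving PHI for the patient's care.
    # "business_associate": a vendor handling PHI on our behalf; needs a BAA.
    relationship: str
    baa_on_file: bool = False


# Constructed policy table keyed by recipient domain (hypothetical domains).
PARTNERS: Dict[str, PartnerPolicy] = {
    "cardiology-partners.example": PartnerPolicy("secure", "treatment"),
    "labs.example": PartnerPolicy("encrypt", "business_associate", baa_on_file=True),
    "billing-vendor.example": PartnerPolicy("may", "business_associate", baa_on_file=False),
}


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typos in a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def nearest_partner(domain: str, max_distance: int = 2) -> Optional[str]:
    """Return an approved domain that `domain` is a near-miss of, if any."""
    best = min(PARTNERS, key=lambda d: levenshtein(domain, d))
    return best if levenshtein(domain, best) <= max_distance else None


def check_recipient(address: str) -> Decision:
    """Decide whether a PHI-bearing message may leave for this recipient."""
    if address.count("@") != 1 or not address.rsplit("@", 1)[1].strip():
        return Decision(False, ["malformed recipient address"])
    domain = address.rsplit("@", 1)[1].strip().lower()
    policy = PARTNERS.get(domain)
    if policy is None:
        # Unknown domain: block, and point out a likely typo of an approved one.
        near = nearest_partner(domain)
        hint = f"; did you mean {near}?" if near else ""
        return Decision(False, [f"{domain} is not an approved external provider{hint}"])

    reasons: List[str] = []
    if policy.tls not in ("secure", "encrypt"):
        reasons.append(f"TLS to {domain} is opportunistic ({policy.tls}); PHI could travel in cleartext")
    if policy.relationship == "business_associate" and not policy.baa_on_file:
        reasons.append(f"no BAA on file for {domain}")
    return Decision(not reasons, reasons)


if __name__ == "__main__":
    for addr in ("dr.lee@labs.example", "dr.lee@cardiology-partner.example",
                 "ap@billing-vendor.example"):
        print(addr, "->", check_recipient(addr))
```

A check like this belongs in the gateway or DLP layer that sees every outbound message, not in a user's mail client. It blocks the typo'd domain, the opportunistic-TLS partner and the vendor without a BAA, but it cannot tell that a message went to the wrong person at an approved domain, which is why recipient verification stays in staff training as well.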


Additional safeguards for secure email communication

  1. Enable two-factor authentication (2FA): Two-factor authentication (2FA) adds an extra layer of security by requiring users to provide a second form of verification, such as an authenticator-app code or a hardware security key (SMS codes are the weakest option), so a stolen password alone does not open the mailbox.
  2. Use email audit trails and monitoring: The Security Rule's audit controls standard requires mechanisms that record and examine activity in systems containing ePHI, which includes your email system. Audit trails show who sent, read, or forwarded emails containing PHI, allowing IT and security teams to detect and respond to breaches.
  3. Avoid sending attachments when possible: Attachments pose additional risks, especially if they contain sensitive information. Instead of emailing attachments, use secure file-sharing platforms to exchange large or sensitive files with external providers.
  4. Ensure secure data disposal practices: PHI in emails should be securely deleted or de-identified when it’s no longer needed. Establish clear policies for regularly reviewing and securely disposing of old emails and attachments that contain PHI.


Responding to potential email breaches

If an email breach occurs, act swiftly: contain it first (request deletion by the unintended recipient, reset any compromised credentials), then conduct the risk assessment the HIPAA Breach Notification Rule calls for to determine whether the incident is a reportable breach. If it is, notify the affected patients (and HHS, and the media where the Rule's threshold is met) within the Rule's deadlines, which run no later than 60 days from discovery, and inform the external providers involved.


FAQs

What should I do if an email is sent to the wrong external provider?

If an email containing PHI is sent to the wrong provider, you should immediately contact the recipient, request deletion and written confirmation of it, document the incident, and follow your HIPAA breach notification procedures, starting with the risk assessment that determines whether notification is required.


Is it safer to use patient initials instead of full names when emailing external providers?

Yes, using patient initials or de-identified information reduces the exposure if an email is misdirected or intercepted, adding an extra layer of protection. Initials alone do not de-identify the message under HIPAA, however: if it still contains dates, diagnoses, or other identifiers it remains PHI and must still be sent encrypted and under the minimum necessary rule.


Should I document patient consent for communicating via email with external providers?

Yes, it's good practice to document patient consent, especially when PHI will be discussed over email, so that patients are informed about the risks of the channel and their agreement to it is on record.