Paubox blog: HIPAA compliant email made easy

Sending HIPAA compliant emails 101

Written by Farah Amod | March 28, 2024

Email is a central means of communication, but for healthcare providers, ensuring the security and privacy of patient information when sending emails can be a daunting task. 

 

The risks of insecure email transmission

Email transmission poses risks to the security and privacy of PHI. When an email is sent, it follows a complex path, passing through multiple machines and potentially traversing the internet where attackers may be lurking. Each machine along the path stores a copy of the email, including the sender's workstation, the sender's email server, the recipient's email server, and the recipient's workstation. This inherent vulnerability makes email an insecure method of transmitting sensitive data.

Inadequate email encryption is a common cause of healthcare breaches. According to the Department of Health and Human Services' Breach Portal, approximately 15% of reported healthcare breaches can be attributed to inadequate email encryption. Implementing secure email practices is a requirement to ensure the protection of PHI.

Related: Why HIPAA breaches related to email are so common

 

Encryption: The key to secure email transmission

Encryption is the cornerstone of secure email transmission. It involves encoding data in a way that makes it unreadable to unauthorized individuals. When it comes to sending HIPAA compliant emails, encryption is a must. Any email containing PHI cannot be transmitted unless it is encrypted using a third-party program or encryption with advanced encryption standard (AES) or similar algorithms.

It is important to note that encryption requirements apply not only to the body text of the email but also to any attachments that may contain PHI. Whether the PHI is in the body text or an attachment, encryption must be applied to ensure the security of the transmitted information.

Read more: What is encryption? 

 

Alternatives to traditional email

While email can be used to transmit PHI securely, there are alternative methods that offer enhanced security and reduce the risks associated with traditional email transmission.

 

Patient portals

Patient portals provide a secure platform for healthcare professionals to communicate with patients and securely transmit PHI. These portals allow patients to access their health information, schedule appointments, and even request prescription refills. However, patient portals require logins and passwords from patients, which added steps are not the most user friendly, especially for older patients who may not be comfortable with technology. 

 

Cloud-based email servers

Another option for secure email transmission is the use of cloud-based email servers, such as Office365. These servers host HIPAA compliant infrastructure and provide secure connections via HTTPS. However, it is important to note that cloud-based email servers only control the security of the email transmission up to the recipient's server or workstation. If the recipient's email infrastructure is not secure, the overall security of the transmission may be compromised.

 

Encrypted email services

Encrypted email services offer ensure the security of the email transmission from the sender's workstation to the recipient's workstation. These services encrypt the message and notify the recipient, who can then securely retrieve the message from the server. By using such services, like Paubox, healthcare providers can ensure HIPAA compliant email transmission.

Read also: 

 

Best practices for HIPAA compliant email communication

In addition to using secure email transmission methods, there are several best practices that healthcare providers should follow to ensure HIPAA compliance when communicating via email.

 

Secure email platforms

Choose email platforms that are HIPAA capable and compliant. While many email platforms are capable of transmitting PHI, they may not have the necessary security measures in place to ensure compliance. Select an email platform that meets HIPAA requirements and provides the required security controls.

 

Strong passwords

Protect access to your email account by using strong passwords. Avoid using dictionary words or easily guessable combinations. A strong password should include a mix of upper and lower-case letters, numbers, and special characters. 

 

Email disclaimers

Include a disclaimer in your emails to inform recipients that the information contained in the email is PHI and should be treated as such. While disclaimers do not absolve healthcare providers of their responsibility to send emails securely, they remind recipients to handle the information appropriately.

 

Patient education

Educate patients about the risks associated with unencrypted email communication and provide them with alternate secure methods of communication. Ensure that patients know the potential privacy and security implications of using unencrypted email and obtain their explicit consent for email communication.

 

Document conversations

Keep a record of any conversations with patients regarding using unencrypted email. If a patient insists on using email despite the risks, document their consent and provide them with information about secure methods of communication. This documentation can indicate the steps taken to inform and educate patients about the risks involved.

 

Steps to send HIPAA compliant emails

Secure patient information in transit and at rest

Use secure email solutions like Paubox that encrypt messages and attachments in transit and at rest to ensure HIPAA compliance when sending emails.

IT professionals at larger healthcare organizations may have the resources to manage their own email servers, but the quickest way to ensure you're sending HIPAA compliant emails is to use a HIPAA compliant email solution

 

Enter into a business associate agreement

A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance. 

 

Set up policies and procedures 

Policies related to PHI access, storage, and disclosure should be in place to limit access to authorized individuals only. This includes specific guidelines for using email to transmit PHI, including requirements around encryption, access controls, and secure transmission. 

 

Train your staff on secure email best practices

In addition to having policies around HIPAA compliant email, healthcare organizations should train employees on these policies and procedures. 

Read also

FAQs

Can I send unencrypted emails containing PHI?

While the HIPAA Security Rule does not expressly prohibit the use of email for sending ePHI, covered entities must implement policies and procedures to protect the security and privacy of ePHI. Secure email methods, such as encryption or secure patient portals, ensure HIPAA compliance.

 

Are free Internet-based email services secure for sending PHI?

Free Internet-based email services, such as Gmail, Hotmail, and AOL, are generally not secure for transmitting PHI. It is advisable to use secure email platforms that are HIPAA compliant or use encrypted email services for transmitting sensitive patient information.

Read also