Paubox blog: HIPAA compliant email made easy

The difference between secure and HIPAA compliant email

Written by Tshedimoso Makhene | February 27, 2025

Secure email uses encryption to protect data, while HIPAA compliant email goes further by incorporating strict regulations to safeguard protected health information (PHI).


What is secure email?

Secure email is any email system that incorporates security measures, primarily encryption, to protect messages from unauthorized access. Many secure email services use transport layer security (TLS) to encrypt emails in transit, preventing interception by malicious actors.

Additional security features in a secure email system may include:

While these features make email more secure, they do not necessarily fulfill the strict requirements set by HIPAA.


What is HIPAA compliant email?

The Health Insurance Portability and Accountability Act (HIPAA) sets specific standards for handling PHI to ensure privacy and security. HIPAA compliant email must meet all of the security and administrative requirements outlined in the HIPAA Security Rule, which include:

  • Encryption: Standard TLS only protects messages while they are in transit; HIPAA requires that PHI be encrypted both at rest and in transit to prevent unauthorized access.
  • Access controls: Only authorized users should have access to emails containing PHI. This includes password protection, role-based access, and secure login measures.
  • Audit logs: HIPAA mandates that all email communications involving PHI be monitored and logged to track access and potential security incidents.
  • Business associate agreement (BAA): If a third-party email provider processes or stores PHI, they must sign a BAA, ensuring they comply with HIPAA regulations.
  • Administrative safeguards: Healthcare providers and their business associates must implement policies for email security, risk assessments, and breach response procedures.


The difference

According to Peter F. Edemekong, et al. in a study published by the National Library of Medicine, the “rise in ePHI exchange has necessitated robust security standards to safeguard sensitive health information while ensuring proper access for healthcare-related entities.” While all HIPAA compliant emails are secure, not all secure emails are HIPAA compliant. Therefore, healthcare organizations must diligently assess their email platforms to ensure they are both secure and fully HIPAA compliant, minimizing the risk of non-compliance and data breaches.


FAQs

What happens if my email provider doesn’t sign a BAA?

Without a signed BAA, your email provider is not legally responsible for protecting PHI under HIPAA regulations. This could lead to non-compliance penalties and potential data breaches.


What are the penalties for using non-compliant email for PHI?

HIPAA violations can result in fines ranging from $141 to $71,162 per violation, with an annual maximum of $2,067,813, depending on the severity and negligence of the breach.