The rules for HIPAA compliant emails between providers

HIPAA allows provider-to-provider email communication for treatment, payment, and healthcare operations without patient authorization. However, providers must follow strict security measures. Emails containing PHI must be encrypted, and only the minimum necessary information should be shared. If a third-party email service is used, a business associate agreement (BAA) is required.

Permitted uses of email under HIPAA

Under HIPAA, email communication between healthcare providers is allowed for certain purposes without patient authorization. According to the HHS, "A covered entity is permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations." These purposes include:

1. Treatment: Emails about patient treatment plans, referrals, consultations, or ongoing care between providers are permitted.
2. Payment: Emailing billing information, insurance claims, or reimbursement details between providers or administrative staff complies with HIPAA.
3. Healthcare operations: Communications related to operational tasks like audits, quality assessments, training, or credentialing are covered.

Even in these situations, providers must take additional steps to ensure patient information remains protected and shared securely, using only the necessary details and HIPAA compliant email services.

The minimum necessary rule

The HIPAA minimum necessary rule requires that providers disclose the least amount of PHI needed to achieve the intended purpose. That helps minimize the potential exposure of sensitive information. For example, when consulting on a patient's condition with another provider, include only the relevant medical data necessary for the consultation. Including extraneous details, like full medical records or unrelated diagnoses, could violate HIPAA standards. Providers should review email content before sending it to ensure compliance with this rule and to reduce risk.

Required security measures for email communication

The HHS states that "The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.".

1. Encryption: Email encryption helps secure PHI. Without encryption, sensitive information could be exposed if the email is intercepted during transmission. Providers should use encryption software that converts the data into a secure format, readable only by the intended recipient.
2. Access controls: Email accounts should be secured with strong passwords and accessible only by authorized personnel. Password policies should ensure employees avoid easily guessed combinations.
3. Audit trails: Providers must monitor their email systems to track who is sending and receiving emails that contain PHI. This helps maintain accountability and identify any unauthorized access to patient data.
   
   

The role of business associate agreements (BAAs)

Healthcare providers using third-party email services must have a business associate agreement (BAA) with the email provider. Under HIPAA, any third party handling PHI must follow the same security and privacy standards as the healthcare provider. A BAA is required if the email service provider has access to PHI, and it should clearly outline the third party’s responsibility for safeguarding the data, including steps for preventing unauthorized access and breaches. The agreement must also specify how the third party will respond to potential security incidents and ensure ongoing HIPAA compliance. Without a BAA, healthcare providers risk violating HIPAA, which can result in fines and reputational damage.

Related: The consequences of not having a BAA with an email service provider

Additional safeguards for email communication

1. Device security: Emails with PHI are often accessed through various devices, including smartphones and laptops. Providers should implement security measures like password protection and remote wiping capabilities, allowing them to erase data from a device if it’s lost or stolen.
2. Two-factor authentication (2FA): Adding 2FA enhances security by requiring users to verify their identity through an additional step, such as a code sent to their phone. That helps protect email accounts even if a password is compromised.
3. Staff training: Regular staff training on email security and HIPAA compliance ensures that all employees understand the importance of safeguarding PHI and are familiar with the procedures for handling sensitive information.
   
   

FAQs

Can providers email PHI to each other without encryption if the network is secure?

No, even on a secure network, encryption is required for transmitting PHI to ensure it remains protected in case of interception during transit.

Are internal emails within a healthcare organization subject to HIPAA rules?

Internal emails that involve PHI are subject to HIPAA rules, and safeguards like encryption and access controls should still be in place to protect patient information.

Can healthcare providers email PHI to patients?

Providers can email PHI to patients if the patient provides consent and it is done through HIPAA compliant email.