The what, why, and how of sending HIPAA compliant emails

Email has become an indispensable tool for healthcare providers to communicate with patients, share sensitive information, and coordinate care. However, the transmission of protected health information (PHI) via email must adhere to strict HIPAA regulations to safeguard patient privacy and prevent costly data breaches. 

Understanding HIPAA compliant email

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 with the primary goal of protecting the privacy and security of individuals' protected health information (PHI). This includes any information related to an individual's past, present, or future physical or mental health condition, as well as the provision and payment of healthcare services.

The HIPAA privacy rule, adopted in 2000, and the HIPAA security rule, enacted in 2003, establish national standards for safeguarding PHI, regardless of whether it is transmitted electronically, on paper, or orally. When it comes to email communication, HIPAA compliant email refers to the practice of sending and receiving messages that contain PHI while adhering to the specific security measures and protocols outlined in the HIPAA regulations.

HIPAA compliance and email

HIPAA's email-related requirements apply to a wide range of healthcare entities, including:

• Health plans, such as insurance companies, HMOs, and government healthcare programs
• Healthcare providers, including doctors, clinics, hospitals, and pharmacies
• Healthcare clearinghouses that process non-standard health information
• Business associates, such as IT service providers, legal counsel, and accounting firms, that handle PHI on behalf of covered entities

HIPAA rules cover not only outbound email communication from these entities but also any incoming messages that may contain PHI. This means that healthcare organizations must ensure the security of both their outgoing and incoming email traffic.

The risks of HIPAA violations in email communication

The consequences of HIPAA violations related to email can be severe, both financially and reputationally. According to IBM's Cost of a Data Breach Report, business email compromises rank among the four costliest incident types, with an average cost of $4.67 million. For HIPAA-covered entities, the potential fines can be even more staggering, ranging from $100 to $50,000 per violation, depending on the nature and severity of the infraction.

The examples of HIPAA violations through email and social media illustrate the diverse ways in which healthcare providers can inadvertently expose sensitive patient information:

• The eager Yelp responder: A Texas-based dental practice, Elite Dental Associates, was fined $10,000 by the Office for Civil Rights (OCR) for disclosing a patient's name, health condition, treatment plan, insurance, and cost information in a Yelp review response.
• The rushed YouTube comment: A New York City emergency room nurse faced potential discipline and suspension for naming a deceased co-worker in a video discussing the hardships faced by frontline healthcare workers during the COVID-19 pandemic.
• The ill-considered mass email campaign: A health center in Pennsylvania sent an email to approximately 900 bariatric surgery patients, with all recipients' email addresses visible in the "CC" field, potentially revealing their association with the center's bariatric program.

These cautionary tales reiterate the need to implement HIPAA compliant email practices to protect patient privacy and avoid costly penalties.

Read more: Understanding HIPAA violations and breaches 

Ensuring HIPAA compliance for email communication

To maintain HIPAA compliance in email communication, healthcare organizations must adhere to a set of specific requirements and best practices:

Scope of HIPAA-covered emails

The HIPAA rules and requirements apply to a wide range of email communications, including:

• Emails to patients about their condition and treatment: Healthcare providers must use reasonable safeguards, such as verifying email addresses and limiting the amount of PHI shared, when emailing patients about their health status and care.
• Bulk emails to past, present, or potential patients: Sending mass emails without blind copying (BCC) recipients can constitute an impermissible disclosure of PHI, as the addressees may be able to infer the nature of their relationship with the healthcare provider.
• Email replies from covered and non-covered entities: While HIPAA-covered entities and their business associates must apply reasonable safeguards when emailing PHI, the responsibility for protecting sensitive information in inbound email traffic lies with the sending party.
  
  

HIPAA email encryption requirements

According to the study titled Email security in clinical practice: ensuring patient confidentiality, “e-mailing or faxing unencrypted patient health information is really no more secure than sending that information on a postcard,” and “those physicians who wish to send personal health information by email should use an encrypted or otherwise secure system.”

The HIPAA security rule categorizes encryption as an "addressable" implementation specification, meaning that covered entities and business associates must assess the need for encryption based on their specific risk analysis and adopt appropriate encryption methods to protect the transmission of electronic protected health information (ePHI).

The only instance where unencrypted PHI transfer may be acceptable is when it occurs between colleagues within the organization's secure network, provided that proper server security tools and protocols are in place, and access is limited to those with a legitimate need to know the information.

Strategies for achieving HIPAA compliant email practices

To ensure your organization's email communication adheres to HIPAA regulations, consider the following strategies:

Sign a business associate agreement (BAA) 

The BAA is a contractual agreement that defines the permissible uses and disclosures of PHI by the business associate (your email service provider) and outlines the administrative, physical, and technical safeguards that must be in place to protect it. If your email provider is unwilling to sign a BAA, you should consider alternative HIPAA compliant options.

Implement encryption

Encryption is a powerful tool for securing email communication containing PHI. This technology encodes messages before they are sent and decodes them only after they reach the intended recipient's device, ensuring that no one in the middle can read or modify the content.

Enhance PHI security protocols

Develop and regularly review organizational policies related to PHI access, management, and transmission. Implement role-based permissions and granular controls to limit access to sensitive information, maintain access logs, and conduct periodic audits to ensure compliance.

Leverage HIPAA compliant email solutions

Consider integrating your email platform with a HIPAA compliant solution which offer encrypted storage, secure file sharing, and other features to strengthen your compliance efforts. These specialized tools can help you streamline your HIPAA compliant email practices and simplify your overall compliance with regulations like GDPR, CCPA, and FINRA.

Related: Rules for HIPAA compliant email communications 

How Paubox can help make email HIPAA compliant

Paubox’s HIPAA compliant email service delivers encryption on 100% of emails that go out—even if the recipient’s provider doesn’t support encryption. 

Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outbound message. This means you don’t have to decide which emails to encrypt, and your patients can conveniently receive your messages right in their inbox—no additional passwords or portals are necessary. 

It's a simple and stress-free experience. Unlike other providers, Paubox makes HIPAA compliant email behave like regular email for both senders and recipients. Paubox’s Encrypted Email allows users to write and send emails as normal from a laptop, desktop and mobile devices. Your recipients will be able to view messages and attachments without needing to enter extra passwords, download an app, or login to a portal. 

This greatly reduces the risk of accidentally sending PHI over email. Having staff decide whether to encrypt an email is a giant burden. It can be easy to forget to press an encrypt button or type a keyword before sending an email. Sometimes, a user may not realize that certain information is also PHI.

Learn more: HIPAA Compliant Email: The Definitive Guide 

FAQs

Does HIPAA apply to email?

Yes, HIPAA regulations require covered entities to protect electronic PHI in transit, at rest, and in storage. Implementing email encryption is a necessary step in achieving HIPAA compliance.

Do I need consent to send encrypted emails containing PHI?

Yes, written consent from patients is needed before sending any PHI via email, even if using a HIPAA compliant email provider. Patients need to be informed about the associated risks and explicitly agree to accept those risks.

What can I use to encrypt emails and ensure HIPAA compliance?

You can use Paubox to ensure HIPAA compliance when encrypting emails. Paubox offers a HIPAA compliant email encryption solution that secures the transmission of sensitive information in emails, ensuring they meet HIPAA regulations. It provides seamless encryption without requiring recipients to use special portals or passwords, making it convenient for both senders and recipients.

What are the encryption requirements for HIPAA compliant email communication?

Healthcare organizations should implement encryption protocols such as Transport Layer Security (TLS) or Secure/Multipurpose Internet Mail Extensions (S/MIME) to protect PHI during transmission. 

Can I use my personal email account to communicate with patients or colleagues in a healthcare setting?

Using personal email accounts for healthcare communication is discouraged due to security and compliance concerns. Personal email accounts may not provide the necessary encryption and security features required to protect patient information under HIPAA. 

What is the difference between encrypted and secure email?

An encrypted email ensures that its contents are encoded and can only be deciphered by the intended recipient. Secure email on the other hand encompasses a broader range of security measures beyond encryption and includes additional features, and protective measures to safeguard against various email-based threats.