4 min read
Which federal agencies must use HIPAA compliant email?
Caitlin Anthoney September 17, 2024
Any agency that handles protected health information (PHI) must use HIPAA compliant emails to adhere to federal regulations and avoid costly fines.
HIPAA compliance and federal agencies
As with covered entities, HIPAA mandates federal agencies that handle PHI must implement HIPAA’s Privacy and Security Rules to protect individuals' health information.
Federal agencies must use a HIPAA compliant platform, like Paubox, which offers encryption, access controls, and two-factor authentication. These platforms help agencies avoid costly fines, penalties, and reputational damage.
Read also: HIPAA and the Federal Civil Penalties Adjustment Act Improvements Act
Federal agencies subject to HIPAA
Centers for Medicare & Medicaid Services (CMS)
The CMS administers Medicare and Medicaid programs, where they often handle health information. Therefore, CMS employees must use HIPAA compliant emails when asking a healthcare provider about a patient’s Medicare eligibility.
Department of Veterans Affairs (VA)
The Department of Veterans Affairs (VA) manages many hospitals and healthcare facilities that support veterans and their dependents. If a veteran has a medical condition treated through the VA, their medical records and treatment plans also fall under HIPAA’s protections.
The VA must use HIPAA compliant email solutions, like Paubox, to enhance patient care, and improve patient and provider satisfaction while optimizing overall healthcare costs.
Department of Defense (DoD)
The DoD provides healthcare to members and their families through its TRICARE program. It is obliged to handle the program according to HIPAA guidelines. HIPAA compliant emails allow the DoD to support veterans.
More specifically, HIPAA compliant emails can help veterans with PTSD access personalized interventions with psychotherapeutic techniques and treatment plans.
Indian Health Service (HIS)
HIPAA compliant emails allow the IHS to create inclusive marketing campaigns for the Navigator program, promoting healthcare access to underserved American Indian and Alaska Native populations.
Social Security Administration (SSA)
The SSA processes disability claims, first reviewing medical records before deciding on an applicant's eligibility. Therefore, the SSA must protect the applicants' PHI when processing the claim.
HIPAA compliant emails allow the SSA to request medical records from an applicant's healthcare provider while preventing unauthorized access.
Centers for Disease Control and Prevention (CDC)
During an infectious disease outbreak, the CDC can use HIPAA compliant email to notify hospitals about new reporting requirements, patient tracking procedures, and containment measures. These emails allow the CDC to communicate sensitive health data, like case numbers or patient information, while limiting access to authorized staff only.
Furthermore, HIPAA compliant emails allow the CDC to “[apply] disease prevention and control, environmental health, and health promotion and education activities,” improving health for all.
National Institutes of Health (NIH)
Since the NIH conducts medical and behavioral research, their Policy for Data Management and Sharing (DMS Policy), “requires NIH-funded researchers to submit a plan outlining how scientific data from their research will be managed and shared within their funding application.”
Moreover, researchers must use HIPAA compliant emails in clinical trials to maintain compliance and research integrity, especially when the PHI is not de-identified.
Other NIH-affiliated institutes that must use HIPAA compliant email include:
- National Library of Medicine (NLM)
- National Cancer Institute (NCI)
- National Heart, Lung, and Blood Institute (NHLBI)
- National Institute on Aging (NIA)
- National Institute of Allergy and Infectious Diseases (NIAID)
- National Institute of Mental Health (NIMH)
- National Institute on Drug Abuse (NIDA)
- National Institute of Dental and Craniofacial Research (NIDCR)
- National Institute of Neurological Disorders and Stroke (NINDS)
- National Institute of Child Health and Human Development (NICHD)
- National Institute of Environmental Health Sciences (NIEHS)
Office of Personnel Management (OPM)
The OPM manages the Federal Employees Health Benefits Program (FEHBP). When OPM processes federal employees' health insurance claims, it must securely send claim details and medical records between healthcare providers and insurance administrators.
HIPAA compliant emailing platforms, like Paubox, automatically encrypt emails and their attachments, allowing the OPM to forward claim information and related medical documentation to the claims processor. It safeguards PHI from unauthorized access during transit and rest, throughout the processing stage.
Food and Drug Administration (FDA)
The FDA must use HIPAA compliant emails to protect health data from clinical trial participants. These emails also allow the FDA to securely email stakeholders in real-time, “promoting and protecting public health by helping safe and effective products reach the market in a timely way, and monitoring products for continued safety after they are in use.”
Health Resources and Services Administration (HRSA)
The Health Resources and Services Administration (HRSA) “provides equitable health care to the nation’s highest-need communities. [Their] programs support people with low incomes, people with HIV, pregnant people, children, parents, rural communities, transplant patients, and the health workforce.”
Privacy breaches in these vulnerable communities are disproportionate, access to secure technology is limited, and financial issues are a barrier to cybersecurity.
HIPAA compliant emails are an affordable solution that allows the HRSA to communicate directly with underserved populations, giving them access to much-needed healthcare services.
Substance Abuse and Mental Health Services Administration (SAMHSA)
SAMHSA's mandate regarding substance abuse and mental health services is to "improve the quality and availability of prevention, treatment, and rehabilitative services [to] reduce illness, death, disability, and cost to society."
SAMHSA also distributes grants to substance abuse treatment programs. Due to this, they will frequently be required to share PHI with grantees. HIPAA compliant emails encrypt this PHI, keeping the patient data safe while advancing treatment services.
Agency for Healthcare Research and Quality (AHRQ)
The AHRQ “sponsors and conducts research that provides evidence-based information on health care outcomes; quality; and cost, use, and access.”
HIPAA compliant emails allow the AHRQ to share PHI with clinicians and administrators while maintaining federal regulations. They can share data securely and work towards better patient care while reducing healthcare costs.
Office of the Assistant Secretary for Planning and Evaluation (ASPE)
The Office of the Assistant Secretary for Planning and Evaluation (ASPE) advises the Secretary of Health and Human Services on economic policy, health, disability, and human services.
When ASPE takes the lead in an interdepartmental research study, they must use HIPAA compliant emails to exchange health data across federal departments. HIPAA compliant emails allow them to securely share PHI with collaborators involved in carrying out analyses for healthcare cost-benefit and their policy alternatives.
Office of Human Research Protections (OHRP)
The U.S. Department of Health and Human Services’ OHRP protects human subjects in research across over 4,000 institutions. HIPAA compliant emails allow the OHRP to communicate with Institutional Review Boards (IRBs) regarding research protocols while adhering to federal regulations.
Office for Civil Rights (OCR)
The Office for Civil Rights (OCR) enforces HIPAA regulations and guides compliance for covered health and research entities. HIPAA compliant emails allow the OCR to request PHI from covered entities during a breach investigation, streamlining the investigative process.
FAQs
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes national standards for safeguarding protected health information (PHI).
HIPAA mandates that healthcare providers, insurers, business associates, and some federal agencies safeguard patients' PHI during transit and at rest.
What makes an email HIPAA compliant?
An email is HIPAA compliant when it meets the HIPAA requirements for protecting sensitive health information. HIPAA compliant emailing platforms, like Paubox, offer encryption, access controls, and audit trails to safeguard protected health information (PHI) and mitigate data breaches.
Additionally, Paubox signs a business associate agreement (BAA) to ensure HIPAA compliance.
What should federal agencies do if they suspect a HIPAA breach?
If a HIPAA breach is suspected, federal agencies should follow their organization's incident response plan, which typically includes notifying the affected individuals, the HHS Office for Civil Rights, and possibly the media if the breach involves more than 500 people. All breaches must be documented and investigated to prevent future occurrences.
Subscribe to Paubox Weekly
Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.