HIPAA Compliant Email: The Definitive Guide

Last updated: 25 January 2023

Welcome to the definitive guide on HIPAA compliant email.

This guide will provide you with a thorough understanding of the requirements for HIPAA compliant email and the steps you can take to ensure your organization is in compliance.

We will cover topics such as what to look for in a HIPAA compliant email solution, email encryption methods, HIPAA violations and fines, and an FAQ section you won’t find anywhere else.

This guide is intended for healthcare professionals, IT staff, and anyone else responsible for maintaining or acquiring a HIPAA compliant email solution.

By the end of this guide, you will have the knowledge necessary to confidently use email for healthcare communication while ensuring the protection of PHI.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that was enacted in 1996. It sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI). The law applies to health plans, healthcare clearinghouses, and certain healthcare providers that conduct certain financial and administrative transactions electronically, such as billing and claims submissions.

HIPAA includes two main rules: the Privacy Rule and the Security Rule. The Privacy Rule establishes national standards for protecting the privacy of PHI. It specifies how PHI can be used and disclosed, and gives individuals certain rights with respect to their PHI. The Security Rule establishes national standards for protecting the security of electronic PHI. It specifies administrative, physical, and technical safeguards that covered entities must implement to secure ePHI.

HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.

Protected health information (PHI)

Protected health information needs to be protected in all mediums: electronic, paper, and oral. PHI isn’t just confined to medical records and test results. In fact, any information that can identify a patient and is used or disclosed during the course of care is considered PHI. Even if the information by itself doesn’t reveal a patient’s medical history, it is still considered PHI.

A related term is ePHI, which stands for electronic protected health information. The terms can be used interchangeably when referring to HIPAA compliant email.

Covered entities and business associates

HIPAA applies to covered entities, which includes healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

Business associate agreement

A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.

At a minimum, a BAA must include ten provisions.

HIPAA compliance and email

To ensure HIPAA compliance when using email, it’s imperative to use secure email solutions that encrypt messages and attachments in transit and at rest.

It’s now a common practice to use an email service provider like Google Workspace or Microsoft 365 to maintain the hosting of your organization’s email, while using a separate company to provide additional protection like email encryption, security, data loss prevention, and backups.

See related: Can I use Google Workspace (G Suite) and be HIPAA compliant?

See related: Is Microsoft 365 HIPAA compliant?

What to look for in a HIPAA compliant email solution

Here’s what to look for in a HIPAA compliant email solution:

  • How is email encrypted in transit?
  • How is email encrypted at rest?
  • Will each vendor that processes or handles PHI in email sign a business associate agreement with your organization?
  • As a best practice, is the HIPAA compliant email solution HITRUST CSF certified?

HIPAA violations and fines

The penalties for a HIPAA violation can be severe. Both civil and criminal penalties can be enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.

In general, breaches that fall under reasonable cause range from $100 to $50,000 per breach. Willful neglect cases range from $10,000 to $50,000 and often result in criminal charges being brought against the people involved.

This chart shows how civil penalties can reach a maximum of $1.5 million per violation:

Violation: Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
Minimum penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation)
Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

Violation: HIPAA violation due to reasonable cause and not due to willful neglect
Minimum penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

Violation: HIPAA violation due to willful neglect but violation is corrected within the required time period
Minimum penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

Violation: HIPAA violation is due to willful neglect and is not corrected
Minimum penalty: $50,000 per violation, with an annual maximum of $1.5 million
Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

Criminal penalties can also apply when HIPAA violations are knowingly committed, with higher fines per violation and the possibility of imprisonment.

Criminal penalties are divided into three tiers:

  • Reasonable cause or no knowledge of violation: up to one year
  • Obtaining PHI under false pretenses: up to five years
  • Obtaining PHI for personal gain or malicious intent: up to ten years

Read more: The complete guide to HIPAA violations

Paubox HIPAA Breach Report

The Paubox HIPAA Breach Report analyzes protected health information (PHI) breaches affecting 500 or more people as reported to the Department of Health & Human Services (HHS).

Paubox has been compiling a monthly HIPAA Breach Report since June 2017. Since that time, the data clearly shows that email breaches are statistically the most likely entry point for an organization to suffer a HIPAA breach.

Email encryption methods

There are four approaches to encrypting email:

  • Transport Layer Security (TLS)
  • PGP and S/MIME
  • Portals
  • Apps

FAQ

Here are some frequently asked questions about HIPAA compliant email.


Q: When does my HIPAA liability end when sending email?

A: Once an email has been delivered to the end recipient’s system using encryption, the covered entity or business associate has fulfilled their obligations for the HIPAA Privacy Rule.

Read more: How do I know when my HIPAA privacy obligation for email encryption ends?


Q: Does the subject line of an email have to be encrypted?

A: If the subject line contains ePHI, yes, it must be encrypted. Note that it is not the responsibility of a healthcare provider to ensure that incoming email is encrypted (although many organizations like having this feature).

Read more: Does an email subject line have to be HIPAA compliant?


Q: Does the email message header have to be encrypted?

A: An email message header includes fields that provide information about the sender, recipient, and routing of the message.

Some common email header fields include:

  • From: the email address of the sender
  • To: the email address of the primary recipient
  • Subject: the subject or topic of the message
  • Date: the date and time the message was sent
  • Cc: (carbon copy) list of recipients who are to receive a copy of the message
  • Bcc: (blind carbon copy) list of recipients who receive a copy of the message without the other recipients being aware
  • Reply-To: the email address that should be used when replying to the message
  • Message-ID: a unique identifier for the message
  • In-Reply-To: the Message-ID of the message that this message is a reply to
  • References: a list of Message-IDs for messages that this message is related to

As you can see, there are many places where PHI can end up in a message header, most obviously the Subject line and the display names in the address fields. You should therefore be encrypting email message headers as a best practice.


Q: Do all email encryption methods encrypt a message header?

A: Email sent via Transport Layer Security (TLS) does encrypt the message header while it’s in transit across the internet.

Email sent using PGP or S/MIME, however, does not encrypt the message header: only the message body is encrypted, and the Subject, From, To and other header fields travel in cleartext.

Since message headers will often contain PHI, PGP and S/MIME are not sufficient forms of encryption for HIPAA compliant email.
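As an added example (not code from this guide or from Paubox), here is an outbound pre-send check in Python that applies the point of the two answers above: it parses the cleartext header fields listed earlier and flags likely PHI so a gateway can hold the message for a delivery method that also protects headers. The PHI patterns, the header set and the sample message are constructed assumptions, not a production DLP dictionary.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import getaddresses

# Header fields from the list above that commonly carry PHI. PGP/MIME and S/MIME
# encrypt only the body, so all of these travel in cleartext.
EXPOSED_HEADERS = ("Subject", "From", "To", "Cc", "Reply-To")

# Illustrative PHI patterns (hypothetical, not from the guide); a production
# gateway would use a tuned DLP dictionary instead.
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN[:#\s-]*\d{5,}\b", re.I),
    "dob": re.compile(r"\bDOB\b[:\s]*\d{1,2}/\d{1,2}/\d{2,4}", re.I),
    "clinical": re.compile(r"\b(?:diagnos\w*|biopsy|oncology|HIV)\b", re.I),
}


def find_phi_in_headers(raw_message: str) -> list[tuple[str, str, str]]:
    """Return (header, pattern, match) for each PHI hit in the cleartext headers.
    Address headers are reduced to their display names: the address itself is
    needed for routing, but a display name like "J. Doe, MRN 00112233" is not."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    for header in EXPOSED_HEADERS:
        values = [str(v) for v in (msg.get_all(header) or [])]
        if header != "Subject":
            values = [name for name, _addr in getaddresses(values) if name]
        for text in values:
            for pat_name, pat in PHI_PATTERNS.items():
                findings += [(header, pat_name, m.group(0)) for m in pat.finditer(text)]
    return findings


def outbound_disposition(raw_message: str) -> str:
    """Gateway policy: hold for header-inclusive encryption, or release as-is."""
    return "encrypt-or-hold" if find_phi_in_headers(raw_message) else "release"


# Constructed sample (fictitious names, no real patient data): the headers of a
# PGP/MIME message, which would be transmitted exactly like this, in cleartext.
SAMPLE = """\
From: Dr. Example <provider@clinic.example>
To: "J. Doe, MRN 00112233" <patient@mail.example>
Subject: Biopsy results, DOB 03/14/1975
Message-ID: <constructed-1@clinic.example>
"""

if __name__ == "__main__":
    for hit in find_phi_in_headers(SAMPLE):
        print(hit)
    print(outbound_disposition(SAMPLE))
```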


Q: Why isn’t PGP more widely used to encrypt email?

A: PGP (Pretty Good Privacy) is a long-established standard for email encryption, but it is not widely adopted. Here are several reasons why:

  1. Complexity. PGP requires users to generate and manage their own public and private keys, which can be a complex and time-consuming process for non-technical users.
  2. Lack of Integration. PGP requires additional software and plugins to be installed in order to work with most email clients, which can be a barrier to adoption for some users.
  3. Security concerns. PGP has been criticized for having numerous security vulnerabilities in the past, which has led to some organizations being hesitant to adopt it.
  4. Ease of use. PGP is not as user-friendly as some other encryption methods, which can make it less appealing.

Q: Does PGP email still have security vulnerabilities?

A: PGP has had a number of notable security vulnerabilities identified over the years. They include:

  1. EFAIL. In May 2018, a group of researchers discovered a vulnerability in the way PGP and S/MIME handle email encryption, known as EFAIL. It allows attackers to read the plaintext of encrypted emails by intercepting, manipulating, and then re-encrypting the ciphertext. Ciphertext is the result of encryption performed on plaintext using an algorithm.
  2. Key-pair collision. PGP uses a hash function to generate a “fingerprint” of a public key, which is used to identify the key. In 2017, it was discovered that it’s possible to generate two distinct keys with the same fingerprint, which could be used to impersonate someone else’s key.
  3. Key-server vulnerability. PGP relies on key servers to distribute public keys. In 2011, a vulnerability was discovered that could allow an attacker to upload a malicious key to a key server, which could then be used to impersonate someone else.
  4. Malicious Key. PGP relies on users to verify the authenticity of public keys before using them to encrypt messages. In some cases, attackers have been able to trick users into using a malicious key, which could allow them to decrypt the messages.

It should be noted most of these vulnerabilities have since been addressed by the PGP community and vendors.

Read more: PGP and S/MIME aren’t as secure as you think


Q: Are email attachments encrypted?

A: Yes. Email attachments encrypted by either TLS, PGP, or S/MIME will be encrypted in transit.


Q: Am I responsible for incoming emails to be HIPAA compliant?

A: HIPAA does not require covered entities and business associates to encrypt their inbound email. To maintain HIPAA compliance, healthcare organizations need to implement technical safeguards for outbound email that contains PHI. The best technical safeguard is using encryption.

Read more: Do you need inbound email security to be HIPAA compliant?


Q: If I password protect an email attachment, does that make it HIPAA compliant?

A: The guidance from HHS is clear: forgoing encryption and relying only on password protection for a document (or an entire hard drive, for that matter) is not sufficient and has already led to publicized HIPAA fines.

Therefore, using only password protection for attaching a document via email is not a HIPAA compliant approach and should be avoided.

Read more: Is my password-protected PDF document HIPAA compliant?


Q: Is it HIPAA or HIPPA?

A: People often confuse HIPAA email and HIPPA email. Therefore, it’s easy to Google HIPPA compliant email or HIPPA email. In short, Google is smart and knows the correct spelling while pointing you to the right pages by default. In a nutshell, “HIPPA compliant email” or “HIPPA email” are not correct. “HIPAA compliant email” or “HIPAA email” are the correct search terms.


Q: What versions of Transport Layer Security encryption are considered secure?

A: In January 2021, the NSA issued the following guidance:

“The National Security Agency (NSA) emphatically recommends replacing obsolete protocol configurations with ones that utilize strong encryption and authentication to protect all sensitive information… Network connections employing obsolete protocols are at an elevated risk of exploitation by adversaries.”

Furthermore:

“NSA recommends that only TLS 1.2 or TLS 1.3 be used; and that SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 not be used.”

Following NSA guidance, here’s a list of security protocols supported by Paubox:

  • SSL v2 (Not Supported)
  • SSL v3 (Not Supported)
  • TLS 1.0 (Not Supported)
  • TLS 1.1 (Not Supported)
  • TLS 1.2 (Supported)
  • TLS 1.3 (Supported)

Read more: Paubox eliminates obsolete TLS protocols, follows NSA guidance
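The TLS versions listed above can be audited on mail you have already received: each hop's Received: header usually records the negotiated protocol. The following Python is an added example (not Paubox code) that parses those annotations in the Postfix and Gmail styles and flags hops that used an obsolete version or recorded no TLS at all; the sample headers and the two annotation formats handled are assumptions.

```python
import re
from email import message_from_string

# Versions the answer above marks as not supported / supported, in the normalised
# "PROTOvMAJOR.MINOR" form produced by _normalise() below.
OBSOLETE = {"SSLv2.0", "SSLv3.0", "TLSv1.0", "TLSv1.1"}
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}

# Two common annotation styles (assumed formats): Postfix writes
# "(using TLSv1.3 with cipher ...)", Gmail writes "(version=TLS1_3 cipher=...)".
_VERSION_RE = re.compile(
    r"\b(?:using\s+|version=)?(?P<proto>TLS|SSL)v?(?P<major>\d)(?:[._](?P<minor>\d))?\b", re.I)


def _normalise(m: re.Match) -> str:
    minor = m.group("minor") or "0"  # a bare "TLSv1" means TLS 1.0
    return f"{m.group('proto').upper()}v{m.group('major')}.{minor}"


def audit_received_hops(raw_message: str) -> list[dict]:
    """One entry per Received: header (first = last hop). A Received: line is
    written by the receiving server, so only hops on servers you operate are
    trustworthy evidence; the others are still useful as a screening signal."""
    msg = message_from_string(raw_message)
    hops = []
    for hdr in msg.get_all("Received") or []:
        text = " ".join(str(hdr).split())  # unfold the header
        m = _VERSION_RE.search(text)
        version = _normalise(m) if m else None
        status = ("ok" if version in ACCEPTABLE else
                  "no-tls-recorded" if version is None else
                  "obsolete" if version in OBSOLETE else "unknown")
        hops.append({"version": version, "status": status, "header": text[:60]})
    return hops


def meets_nsa_guidance(raw_message: str) -> bool:
    return all(h["status"] == "ok" for h in audit_received_hops(raw_message))


# Constructed sample: a TLS 1.3 final hop, but the first hop (a Postfix relay)
# negotiated TLS 1.0. Hostnames and addresses are documentation values.
SAMPLE = """\
Received: from mx.clinic.example (mx.clinic.example [192.0.2.10])
\tby inbound.hospital.example with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
\tWed, 25 Jan 2023 10:00:00 -1000
Received: from workstation.clinic.example (workstation.clinic.example [198.51.100.5])
\tby mx.clinic.example (Postfix) with ESMTPS id def456
\t(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits));
\tWed, 25 Jan 2023 09:59:58 -1000
Subject: (constructed sample)
"""
```

Run `audit_received_hops(SAMPLE)` to see the per-hop verdicts; `meets_nsa_guidance(SAMPLE)` is False here because of the TLS 1.0 hop.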


Q: Do international companies need to abide by HIPAA?

A: If an international company handles or transmits PHI of U.S. citizens, it is subject to HIPAA regulations.

Read more: Do international companies have to abide by HIPAA?


Q: Does email qualify under the HIPAA Conduit Exception rule?

A: The HIPAA Conduit Exception Rule was created by the HIPAA Privacy Rule in December 2000. In a nutshell, the conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form). Since every email account has email stored in it, this would preclude it from being a transmission-only service.

In summary, email does not qualify under the HIPAA Conduit Exception rule.

Read more: HIPAA Conduit Exception Rule – what is it?


Q: Can a covered entity or business associate use a consumer email service provider like Yahoo or Hotmail?

A: As we’ve covered, a business associate agreement is required for any vendor handling or processing PHI on behalf of a covered entity or business associate. We have not found a single consumer email service that provides a BAA. Therefore, using a provider like Yahoo or Hotmail is not HIPAA compliant and should be avoided.

Read more: Is Yahoo HIPAA compliant?

Read more: Is Hotmail HIPAA compliant?


Q: What is HITRUST?

A: HITRUST is a standards development organization that was founded in 2007. It develops and maintains a healthcare compliance framework called the HITRUST CSF. The HITRUST CSF is designed to unify security controls from federal law (HIPAA), state law, and non-governmental frameworks (PCI-DSS) into a single framework that’s tailored towards use in the healthcare industry.

Paubox solutions have been HITRUST CSF certified since 2019.

Read more: Paubox renews, expands HITRUST CSF certification through 2023


Q: Does Paubox have patents for its work on encrypted email?

A: Yes, Paubox currently has four patents.

Read more: U.S. Patent Office approves our approach to email encryption


Q: What is the HHS Notification of Enforcement Discretion and does it apply to email?

A: When the pandemic first hit in March 2020, the U.S. Department of Health and Human Services (HHS) quickly announced the Notification of Enforcement Discretion, which allowed health care providers to use widely available audio or video communication apps without the risk of incurring HIPAA fines.

This notice allows health care providers to use popular applications to provide telehealth services, so long as they are “non-public facing.”

Email is not in scope of the HHS Notification of Enforcement Discretion. It applies only to non-public facing audio and video communication services.

See also: HIPAA privacy and security guidelines as they relate to telehealth

About the author

Hoala Greevy

Founder CEO Paubox. Kayak fishing when I can.
