The Complete Guide to HIPAA Compliant Email
When it comes to sensitive medical information, patients have a reasonable expectation of privacy, as guaranteed by the Health Information Portability and Accountability Act (HIPAA). Enacted by the United States Congress in 1996, HIPAA is a key piece of legislation that protects patients’ private data against fraud and theft, and dictates how that information can be distributed.
Any health care organization that handles Protected Health Information (PHI) — defined by the U.S. Department of Health & Human Services (HHS) as any “individually identifiable health information held or transmitted by a covered entity or its business associate” — is required to conform to HIPAA regulations, with serious consequences for failure to comply.
The HHS defines covered entities and business associates as the following:
- Covered Entities: Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions
- Business Associates: A person or organization, other than a member of the covered entity’s workforce, that performs certain functions or activities on behalf of, or provides service to, a covered entity that involve the use or disclosure of individually identifiable health information
A key part of that compliance is communications. The HHS stipulates that PHI transmitted “in any form or media, whether electronic, paper, or oral” is subject to HIPAA regulations. As the ways in which we communicate have expanded to include digital communication platforms, such as social media, text messaging, and email, it has become increasingly difficult to adhere to HIPAA.
In this guide, we’ll focus specifically on HIPAA compliant email: the complexities of HIPAA email laws, how to avoid HIPAA violations and the consequences of failing to comply.
What Is HIPAA Compliant Email?
There’s no singular definition for a HIPAA compliant email — rather, a HIPAA compliant email is any electronically transmitted mail containing PHI that adheres to HIPAA regulations.
Although end-to-end encryption is a popular way to ensure that email communications conform to strict HIPAA email rules, HIPAA technically doesn’t require that emails containing PHI be encrypted. HIPAA does, however, require health care organizations to limit the amount or type of information sent via unencrypted email. It also requires organizations to restrict access to, protect the integrity of, and guard against the unauthorized access to PHI sent via email.
Another challenge organizations face is storing emails in a manner that is HIPAA compliant.
Imagine, if you will, a busy physician’s office. This office uses an automatic email archiving system that archives some emails containing PHI, along with a vast number of routine business emails that do not contain PHI. If the pooled archived material is stored in an insecure manner, PHI might be readily available to anyone, which is a clear violation of HIPAA email rules. If the older pooled archived data is eventually discarded, PHI could be accidentally discarded in a way that also violates HIPAA, which takes us to our next point.
HIPAA has strict guidelines on how to dispose of PHI. PHI cannot be disposed of unless the individually identifying information is removed or destroyed. This is simple for paper records containing PHI, which can be shredded or incinerated before disposal, but more challenging for electronic communications. The HITECH Act complicated things even further by mandating that all medical practices demonstrate effective use of computerized medical records.
Even health care entities that are careful to securely store and properly dispose of emails containing PHI can still accidentally violate HIPAA email compliance laws. After all, someone could be privy to protected information simply by catching sight of a computer screen. But what happens if an organization does inadvertently violate HIPAA?
The Consequences of Violating HIPAA
Government agencies can audit health care practices at any time to ensure HIPAA compliance; therefore, email practices intended to achieve HIPAA compliance must be painstakingly documented.
HIPAA email non-compliance was originally penalized with a fine of up to $250,000; with the implementation of HITECH Act standards and incentives in 2010, that amount has increased.
It’s worth noting that the disciplinary action for a HIPAA violation depends on the severity of the violation. According to HIPAA Journal, there are four tiers of civil penalties based on the level of knowledge that HIPAA rules are being violated and the course of action taken to restore compliance, ranging from $100 to $1.5 million. Violators may also be subject to criminal penalties, depending on the nature of the violation.
HIPAA Email Compliance Tips
Health care organizations should implement the following processes to ensure that they are doing everything within their power to avoid violating HIPAA email compliance laws:
- Restrict access to patient information through the use of specific password types or electronic identification of terminals within the medical department (essentially an electronic security clearance). Higher-level access is provided to the group who will be sending and receiving medical-related emails.
- Restrict inter-departmental access. For example, someone in the administrative office might need identifiers such as name and address in order to perform telephone or email satisfaction surveys. They might not need other medical information to do so.
- Establish employee access limits and clearly define guidelines. For example, a local celebrity who is seen in the clinic might prompt a lively conversation about why he’s there. However, accessing his protected information to satisfy curiosity is illegal, as is sending emails about his condition.
- Instruct employees to always lock their computer screens whenever they’re away from their posts, even for a few moments. A gray screen is a great deterrent to “just sneak a peek” at an email that has been left open. Remember — even an accidental privacy lapse can constitute a violation. Instruct employees who share computers to sign off completely before permitting a co-worker to use the terminal.
Best HIPAA Compliant Email Providers
In addition to following the best practices listed above, health care organizations should also look to partner with a HIPAA compliant email provider. A HIPAA compliant email provider is any provider that uses some form of encryption to secure messages at rest and in transit and that has signed a business associate agreement (BAA) — a contract that stipulates that the provider agrees to observe HIPAA regulations.
Some of the leading HIPAA compliant email providers include:
- Egress
- Hushmail
- Identillect
- LuxSci
- MailHippo
- NeoCertified
- Paubox
- ProtonMail
- Virtru
Gmail’s free email service is not HIPAA compliant; however, its paid version is. This is because Google will only agree to sign a HIPAA BAA with paid customers. Therefore, it’s inadvisable to use the free version of Gmail to send or receive PHI lest you incur a HIPAA violation.
Ensure HIPAA Email Compliance with Email Archiving
Organizations can implement HIPAA-compliant email monitoring by using virtual email archiving appliances that archive all necessary files without compromising the integrity, access or transmission of that information.
While some email archiving solutions are difficult to implement and use in an organization with multiple locations, health care entities striving to maintain HIPAA email compliance can use top-tier solutions to monitor and enforce email content policies through a web browser interface. Email information can be stored indefinitely or purged as needed using the archive’s search and retrieval functionality.
Virtual and hardware archiving appliances are a cost-efficient and easy-to-use way to ensure HIPAA compliant email and protect both organizations and patients from concerns over access, integrity and security.
For more information about Intradyn’s singular email solution, please contact us today.
This content was originally posted on February 6th, 2019; it was updated on December 22nd, 2020.
Intradyn is not a legal professional, and this content should not be considered legal advice but rather a guide for FCC regulatory compliance.