Email and HIPAA Compliance

‍

How to use Email and Be HIPAA Compliant

Email is important. All industries and office types use it for all forms of communication whether that is between two coworkers, from CEO to the whole company or between two different organizations . This is just as true with organizations in the healthcare industry as it is with other businesses. Healthcare providers and their business associates want and need to be able to use this platform to quickly communicate, except the sensitive information they share requires a whole different level of encryption and protection. This has been the root of tons of HIPAA related questions about whether email can meet HIPAA compliance requirements and what needs to be done to properly protect PHI in email. 

The Health Insurance Portability and Accountability Act was passed in 1996 to set the standards for protecting an individual’s identifiable health information from unauthorized access or disclosure. This protected health information (PHI), is important to keep secure because it can contain personal data such as security numbers, insurance ID number, home address and date of birth. HIPAA requires that all forms of PHI are protected in order  to prevent it from ending up in the hands of someone with malicious intent. HIPAA’s requirements, which are laid out through the Privacy and Security Rules, mandate that healthcare providers and other HIPAA covered entities use certain precautions and safeguards in order to be compliant with the law. This has left lots of people wondering how HIPAA applies to using email. 

Does HIPAA allow email to be used? 

Yes, although HIPAA does have strict requirements and restrictions for healthcare providers, the Privacy Rule does allow email to be used to communicate with coworkers or patients. However, these allowed emails must happen after certain safeguards have been applied so that the security of PHI, or protected health information is ensured. 

What does a HIPAA compliant email look like? 

As with any sensitive information, the most secure way to share it is in-person and in private. However, just as with any other industry, healthcare providers cannot realistically share all the necessary information in this way. Therefore, we will lay out what it means to send a HIPAA compliant email and all the steps that should be taken. Emailing protected health information without proper encryption and software could easily result in a breach of PHI which comes with costly penalties for the organization at fault. 

Encryption Requirements

The most important  term when it comes to HIPAA and email is encryption. It is not only one of the elements of making email HIPAA compliant, but it is vital to maintaining overall compliance. Proper encryption ensures even if an email containing PHI is intercepted, that the contents and PHI will be safe from any harm. As it must be protected along its way, PHI but be entirely secure on either end of its disclosure. Encryption is the guarantee that data will be safe while at rest and while it is being shared. 

Not all forms of encryption provide the same level of protection for the information. HIPAA covered entities must use third-party encryption programs. These softwares can ensure that any text or attachments to an email can be individually encrypted for maximum security. 

Patient Email Approval 

After discussing all of the requirements and expectations for encryption on PHI in email, it is also worth noting that healthcare providers are allowed under HIPAA to send PHI via an unencrypted email if the patient has been made aware of all of the risks and chooses to allow that anyway. If the individual has given consent for their information to be sent without encryption, the HIPAA organization will not face penalties for this. For your own protection, be sure to keep documentation of that patient’s approval of this alternate form of information sharing. 

Secure Message Portals 

Certain healthcare organizations are able to provide a secure, HIPAA compliant patient portal to store information in. This is an alternative to sending PHI directly within the email while still having easy communication with the patient. In this case, the patient would receive an email that there is an update or message for them on the portal. Once they have gained access to the portal via the secure log-in system, they will be able to view any message or information. Since the PHI is kept within the portal, it takes away the requirement for the email to be encrypted.There are services such as eDossea or BrightSquid. 

What Email Platforms are HIPAA Compliant? 

Most email platforms like Gmail and Yahoo, can be HIPAA compliant, but it is not automatically guaranteed that it will be when sending a traditional email. If you are a HIPAA covered entity, make sure to do research and take any additional steps necessary to make your chosen email platform fully HIPAA compliant. 

Related: Directory of HIPAA Compliant Email Providers

As with any vendors or softwares that are used, HIPAA covered entities must be sure to sign a business associate agreement with their chosen email platform. This will ensure liability on both parties in the event of a breach. Luckily, as long as business associate agreements are signed and third-party encryption software is utilized, healthcare providers can send PHI via email, in a HIPAA compliant way. 

We understand that email is important for use within your healthcare organization and that HIPAA presents additional challenges. That is why we are here to answer your questions and simplify the complicated law that is HIPAA. It can be complex, and the penalties to noncompliance are high, so don’t take any chances! Accountable was created as a platform that lays out all the necessary policies and tools that you need to make sure your organization is fully HIPAA compliant. Take a step towards HIPAA compliance today!