
HIPAA‑Compliant Emails: A Complete Guide

Learn about HIPAA email requirements and how you can ensure your business is protecting personal health information while complying with HIPAA regulations.

Email is one of the most useful tools for helping businesses work efficiently. Being able to send information, documents, and invoices electronically saves time and money.

However, not all email accounts or communications are secure. For healthcare organizations or anyone working with healthcare information, that is a problem. In 1996, the United States government enacted the Health Insurance Portability and Accountability Act (HIPAA), and the Privacy, Security, and Breach Notification Rules issued under it govern how individually identifiable health information may be used, stored, and transmitted, including when it is sent by email.

In order to make sure that you're in compliance with the law, specifically the parts that apply to email communications, there are a few steps you need to take. We've gathered some information here to help you start understanding and implementing HIPAA-compliant email service.

As with any legal topic, none of the information in this article should be considered legal advice. Consult with a legal expert and follow all appropriate rules and regulations.

All about the Health Insurance Portability and Accountability Act (HIPAA)

Before you can implement HIPAA-compliant email solutions, it's important to understand what HIPAA is and why it was enacted.

What is the Health Insurance Portability and Accountability Act (HIPAA)?

HIPAA establishes rules for protecting individuals' health information. It contains a number of provisions related to privacy, security, and accessibility, all designed to make sure that individually identifiable health information isn't shared with anyone who is not authorized to see it.

Why was HIPAA enacted?

HIPAA was passed to increase the protection of patient privacy, improve fraud prevention, and standardize certain administrative processes and tracking information. HIPAA is designed to shield individuals from having their personal health information used in ways that are discriminatory or fraudulent and to ensure that appropriate security measures are in place to prevent that. It also makes health insurance more portable in the case of job loss or change.

HIPAA-covered entities

HIPAA rules must be followed by covered entities, which are health plans, healthcare clearinghouses, and healthcare providers who conduct some financial and administrative transactions electronically.

In addition, the law covers any individual or company that provides services to a covered healthcare entity when they have access to health information. That may include law firms, billing companies, and record storage services, among others.

Three key rules for HIPAA compliance

HIPAA includes comprehensive protections for health information. Three of the HIPAA rules are particularly important for email security and privacy. Before you implement a HIPAA-compliant email solution, make sure you understand what the law requires.

HIPAA Privacy Rule

The first component of HIPAA, the Privacy Rule, limits how covered entities and their business associates may use and disclose individuals' protected health information, and gives individuals rights over that information. It covers all forms of the information: electronic, paper, and oral.

Uses and disclosures are permitted only in defined cases, such as treatment, payment, and healthcare operations, information requested by an individual or their authorized representative, and certain disclosures required by law, including some to law enforcement. Using HIPAA-compliant email is one of the most important steps in preventing sensitive information from being read by anyone without authorization.

HIPAA Security Rule

The HIPAA Security Rule pertains to how electronic protected health information (ePHI), which includes PHI in email, must be protected. It requires covered entities and business associates to put in place three types of safeguards:

  1. Administrative safeguards manage the security program, including risk analysis and risk management, workforce training, and information access management.
  2. Physical safeguards include facility access controls as well as workstation and device security.
  3. Technical safeguards include access control, audit controls, integrity protection, person or entity authentication, and transmission security.

HIPAA Breach Notification Rule

In addition to taking steps to protect the privacy and security of health information, covered entities must notify certain people and organizations when unsecured PHI is breached. Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered; the U.S. Department of Health and Human Services must be notified (within 60 days for breaches affecting 500 or more individuals, otherwise in an annual report); and prominent media outlets must be notified when a breach affects more than 500 residents of a state or jurisdiction. Media notice helps reach affected individuals whose contact information is out of date. A business associate that discovers a breach must notify the covered entity it works for.

HIPAA violation penalties

The penalties for violating HIPAA regulations can be severe and may include both civil and criminal penalties. The exact penalties depend on what the violation is, whether the violation was committed knowingly, and its severity. Using an email encryption service and making sure your procedures for dealing with messages that contain protected health information are HIPAA compliant are important steps you can take to avoid severe penalties.

What counts as protected health information (PHI)?

The HIPAA Privacy Rule protects all individually identifiable health information. This is known as protected health information (PHI). It is any information that can be linked to an individual through demographic data like name, address, patient account number, or anything else that makes it possible to determine to whom any information belongs.

The type of information that's covered by the HIPAA Privacy Rule includes several categories.

Physical or mental health conditions

HIPAA compliance rules cover both physical and mental (or behavioral) health conditions. In addition, HIPAA covers health conditions in any timeframe—past, present, and future.

Healthcare provided to an individual

Covered entities must also protect against sharing any information about an individual's healthcare. This includes things like lab tests, prescriptions, surgeries, and any other provided services.

Payment for healthcare

The HIPAA Privacy and Security Rules also cover any information about payment for healthcare. This information includes billing statements, insurance information, payment history, and any payment authorization forms.

Identifying information

Identifiers become PHI when they are held together with health, treatment, or payment information by a covered entity or business associate. A name alone in a business directory is not PHI; the same name on a lab result or an appointment confirmation is, and it must be protected in every communication to maintain HIPAA compliance.

The Privacy Rule's "safe harbor" de-identification standard lists 18 types of identifiers, including obvious items like names and social security numbers. The list also includes less obvious items like finger or voice prints, vehicle identifiers such as license plate numbers, device serial numbers, IP addresses, and any other unique identifying number, characteristic, or code. Only when all 18 have been removed (and the entity has no actual knowledge that the remainder could identify the individual) does the information stop being PHI under that method.

Non-protected health information

Not all health information is considered PHI. Employee records, even if they include some health information collected for work-related reasons (like blood types of hospital employees), are not PHI. Nor are educational records, even if they include information like allergies or disabilities.

Appointment information, on the other hand, is PHI: the fact that a named person has an appointment with a particular provider reveals that healthcare is being provided to them. HIPAA permits appointment reminders as part of treatment, but they must be sent with reasonable safeguards, which is why a reminder email should carry no more detail than the recipient needs.

HIPAA email requirements

Along with understanding what HIPAA is and what it covers, it's important to look at what email procedures need to be in place for entities covered by the law.

Email has become a more and more common way for patients to communicate with their healthcare providers and for organizations that collect and use health information to transmit it for legitimate purposes. HIPAA rules include several important requirements to keep health information transmitted via email private and secure.

Business associate agreement

A business associate is any person or business that creates, receives, maintains, or transmits PHI on behalf of a covered entity. An email provider whose servers store or relay messages containing PHI falls into this category.

Before a business associate handles PHI, the covered entity must have a business associate agreement (BAA) with it. This agreement is a legal document in which the business associate commits to abide by the HIPAA Privacy and Security Rules. It must include information such as the purposes for which the business associate may use or disclose PHI, the safeguards it will apply, how it will report security incidents and breaches, and its obligation to flow the same requirements down to any subcontractors that may have access to PHI.

Retention

HIPAA's own retention requirement applies to compliance documentation: policies, procedures, risk analyses, and records of actions such as access reviews and training must be kept for 6 years from the date they were created or last in effect. HIPAA does not set a retention period for email as such. However, an email that becomes part of a patient's record (for example, test results sent to the patient or clinical instructions) falls under the medical-record retention rules of your state, which vary, so work out with counsel which messages must be archived and for how long. Whatever you retain must be stored with the Security Rule's safeguards in place, which in practice means encrypted archives with access controls and audit logging.

Access

Although it's important to protect PHI from anyone who's not authorized to use or view it, HIPAA also requires covered entities to make sure the information is accessible to patients and their authorized representatives.

So, while your email archive system should be secure, it should also be well organized and accessible by authorized users so that when a legitimate need to retrieve archived email communications arises, you can do so easily and safely.

Encryption

Email encryption protects messages from being read by anyone not authorized to do so. The message is transformed with a cryptographic key into ciphertext that is useless to anyone who intercepts it, and only a holder of the matching decryption key can recover the original. Where that key lives determines how much protection you get: with transport encryption (TLS) the message is protected only between mail servers and sits in plaintext on each one, whereas with end-to-end encryption (such as S/MIME, OpenPGP, or a secure-portal service) it is decrypted only on the recipient's device or in their authenticated session.

Many healthcare organizations are surprised to learn that the Security Rule lists encryption as an "addressable" specification rather than a "required" one. Addressable does not mean optional: you must implement encryption if your risk analysis finds it reasonable and appropriate, and if you do not, you must document why and implement an equivalent alternative measure. In practice, encrypted email is the easiest way to meet the transmission security standard, and PHI that is encrypted to HHS guidance is also exempt from breach notification if it is lost or intercepted.

Elements of email security

Email security is the process of protecting email messages from being intercepted and read by anyone not authorized to do so. While the contents of an email can be protected through encryption, encryption alone is not sufficient for email to be considered HIPAA compliant.

Connection

It's important to make sure that any messages containing PHI are sent from a trusted network and device. Avoid sending PHI from untrusted networks such as public WiFi, where you cannot control who else is on the network or whether it has been set up to intercept traffic, and don't share your office network credentials with unauthorized users such as visiting patients or clients who are not permitted to access PHI. If you want to offer WiFi to these users, provide a guest network that is separate from the one your staff use for handling PHI.

In transit

While your own email system may be secure, emails and the PHI they contain are also exposed while in transit to the recipient's inbox. Server-to-server TLS is usually opportunistic, meaning a message can silently fall back to plaintext if the receiving server does not offer encryption, and it offers no protection once the message is at rest on an intermediate or receiving server. The strongest transmission security comes from a HIPAA-compliant email service that uses end-to-end encryption, so the content is protected regardless of what the path between servers looks like.

Storage

Because you will be retaining messages that contain PHI, whether for your state's record-keeping rules or for your own policies, make sure your email system uses a secure archiving service that encrypts stored mail and restricts who can search and retrieve it. The Security Rule's audit-controls standard also requires you to record and regularly review who accessed ePHI, so confirm that your provider keeps access logs for the archive and that someone on your side actually reviews them.

Attachments

Sometimes the PHI exists only in an attachment, for example when a healthcare provider sends X-rays or test results with nothing identifying in the body of the email. The attachment must be protected, but so must the rest of the message: the subject line, the sender and recipient addresses, and the filename can all reveal that a named person is receiving care, and common end-to-end schemes such as S/MIME and OpenPGP encrypt the body and attachments but leave the subject and other headers in plaintext. Treat the whole message as PHI, and keep identifiers out of subject lines and attachment names.
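The identifier list above and the point about subject lines and attachments suggest a practical control: a pre-send check that scans every part of an outgoing message and refuses to let PHI leave in a place the encryption will not cover. The following is an added example written for this article, not code from any product or provider named here. It uses only the Python standard library, the message is constructed for illustration with fictitious data, and the identifier patterns (especially the MRN shape) are assumptions about one organization's formats rather than anything HIPAA itself defines.

```python
"""Pre-send PHI check for an outbound email (added example, not vendor code)."""
import re
from email import policy
from email.parser import BytesParser

# Identifier patterns. These are assumptions about one organisation's formats;
# the 18 safe-harbor identifiers are categories, not regular expressions, so a
# real deployment tunes this list to its own record numbers and data.
PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn":   re.compile(r"\bMRN\s*#?\s*\d{5,}\b", re.IGNORECASE),
    "dob":   re.compile(r"\bDOB\b\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{2,4}", re.IGNORECASE),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}

# Constructed sample message; every name and number is fictitious.
SAMPLE = b"""From: nurse@clinic.example
To: billing@partner.example
Subject: Re: MRN 4471982 results
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi, attached are the lab results we discussed. Call 555-867-5309 with questions.

--b1
Content-Type: text/plain; charset="utf-8"
Content-Disposition: attachment; filename="labs.txt"

Patient: Jane Q. Public  DOB: 03/14/1972  SSN: 123-45-6789
HbA1c 7.9%
--b1--
"""


def find_identifiers(text, location):
    """Return (location, kind, matched_text) for every pattern hit in text."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits.append((location, kind, m.group(0)))
    return hits


def scan_message(raw_bytes):
    """Scan the Subject header, every text body part and every text attachment.

    Non-text attachments (images, PDFs) cannot be pattern-matched here, so they
    are reported as 'unscanned' rather than silently treated as clean.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = find_identifiers(str(msg.get("Subject", "")), "header:Subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        disp = part.get_content_disposition()  # None, "inline" or "attachment"
        label = f"attachment:{part.get_filename()}" if disp == "attachment" else "body"
        if part.get_content_maintype() == "text":
            findings += find_identifiers(part.get_content(), label)
        else:
            findings.append((label, "unscanned", part.get_content_type()))
    return findings


def decide(findings):
    """Map findings to an action.

    block   - PHI in the Subject header, which S/MIME and OpenPGP leave in
              plaintext, so no encryption setting makes this message safe.
    review  - a binary attachment could not be scanned; a human must look.
    encrypt - PHI found only in body/attachments; send via the encrypted path.
    send    - nothing matched.
    """
    if any(loc == "header:Subject" for loc, _, _ in findings):
        return "block"
    if any(kind == "unscanned" for _, kind, _ in findings):
        return "review"
    if findings:
        return "encrypt"
    return "send"


if __name__ == "__main__":
    hits = scan_message(SAMPLE)
    for loc, kind, text in hits:
        print(f"{loc:24} {kind:9} {text}")
    print("decision:", decide(hits))
```

Running this on the constructed message reports the MRN in the subject, the phone number in the body, and the date of birth and SSN in the text attachment, and returns "block" because of the subject line alone. A message with PHI only in the body returns "encrypt", and one carrying an image attachment returns "review", which is the honest answer when a scanner cannot see inside a file.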

Popular email services are not HIPAA compliant

In general, the free consumer tiers of popular email services are not HIPAA-compliant. The usual gap is not the cryptography itself (most of them encrypt connections with TLS) but that the provider will not sign a business associate agreement for a free account, offers no end-to-end encryption by default, and gives you no control over audit logging, retention, or where PHI is stored.

Gmail

You may already use Gmail and want to keep it for sending HIPAA-compliant email. A free personal Gmail account isn't HIPAA compliant, but Google will sign a business associate agreement for paid Google Workspace subscriptions (billed per user per month), which also bring admin-controlled audit logs, retention, and data loss prevention. Google additionally markets collaboration and virtual-care tooling for healthcare organizations on top of Workspace.

Outlook

While the free consumer Outlook.com service is not HIPAA compliant, it is possible to use Outlook for HIPAA-compliant email by subscribing to Microsoft 365 (formerly Office 365) business plans, for which Microsoft will sign a business associate agreement and which include message encryption, retention, and audit features.

iCloud Mail

Like many other popular email services, Apple's iCloud Mail is not HIPAA compliant. While it does provide robust security for the transfer of sensitive information, iCloud’s terms and conditions state that PHI cannot be sent via iCloud Mail because there is no signed business associate agreement in place.

Yahoo, AOL, Hotmail, and others

Like other email services, Yahoo, AOL, and Hotmail are not HIPAA-compliant email providers. There are some third-party HIPAA-compliant email services that work with these companies, but you may consider upgrading to a HIPAA-compliant email provider instead.

Things to consider when choosing a HIPAA-compliant email provider

There are so many email services out there. If you are a healthcare provider or person who needs to send HIPAA-compliant email, the options can be overwhelming. Following are some things to keep in mind when you're looking at HIPAA-compliant solutions and encrypted email services.

Uses high-quality encryption

Make sure you use an email service that provides end-to-end encryption, so that only the sender and the intended recipient can read the content, and ask how the recipient's side works: whether they need their own key or client, or whether they read the message in an authenticated web portal.

Lets you keep your current email addresses

Many people have been using the same email addresses for some time and would find it time-consuming and inconvenient to change. There are services that can make your email HIPAA compliant without requiring you to completely change email accounts.

Virtru is one service that works as a third-party add-on to the free versions of popular email providers like Outlook and Gmail, meaning you and your staff can keep your email accounts while adding on increased security.

Offers comprehensive customer support

As a business, you know that good-quality customer support is vital for any product or service. If your email service isn't working properly, it can affect your customers and your bottom line.

It's even more important to have access to fast and convenient customer support when you're sending encrypted emails. You want to ensure that any questions or concerns can be addressed immediately.

Check to see if your HIPAA-compliant email provider has good customer support and if they will notify you in the event there is a security problem with any of your messages or their mail servers. For example, Identillect, which offers encrypted email services, has 24/7 customer support services.

Agrees to sign a business associate agreement

A high-quality encryption service alone isn't sufficient to meet HIPAA requirements. Since you also need a business associate agreement from any other entities that may have access to PHI, make sure that any encrypted email service you use can provide this important document.

Proton Mail offers customers a free account with basic security features and the ability to get a business associate agreement with a simple email message.

HIPAA-compliant email best practices

While finding a HIPAA-compliant email provider is the first step, PHI security should be an ongoing concern.

You should take proactive steps to make sure that you can send and receive totally secure emails and that your business continues to be HIPAA compliant. The following steps will help you keep sensitive information safe and make any changes or updates as necessary.

Train, educate, and refresh

HIPAA email compliance can seem like a complicated issue at first. Don't rely on your staff or contractors to figure it out for themselves. Ensure that everyone who deals with protected health information has training about what HIPAA requires and how to comply with the rules.

Stay on top of changes. Once you have your HIPAA email compliance plan in place, your work isn't done. Keep providing your staff with new opportunities to learn about developments in HIPAA compliance and refresh their skills, especially if something in your organization has changed.

Did you start using a new email service? Take on a new customer base? Those are great times to refresh everyone's knowledge and ensure that your procedures and processes are still protecting health information privacy and security.

Don't rely on a disclaimer

Although it's easy to find sample texts of HIPAA disclaimers online, they're not enough to cover you in case of a HIPAA violation. Instead, make sure your business actively stays HIPAA compliant and uses secure email solutions.

Keep security updated

Unfortunately, as soon as security systems are updated with the latest and most advanced security techniques, hackers are working to break in. Companies that provide data security and email encryption like HIPAA-compliant email services are constantly working to update their security protocols and to make sure that secure measures stay secure.

You can do your part by reading any information your HIPAA-compliant email service sends you, installing security updates right away, and paying attention to any unusual activity in your email account. If you notice any problems, alert your email service provider to help them stop problems before they grow.

Final words

Most organizations rely on email to communicate. It's a simple and convenient way to transmit important information and keep in touch with patients or clients. You can follow important regulations by using a HIPAA-compliant email platform that will protect both your organization and patients' health information.

Whether you decide to use a solution that works with your existing email provider or switch to one that's already HIPAA compliant, take the steps today to ensure that every email message you send is a secure message and that only the intended recipient has access to their protected information.

Email security is something to take seriously, but it doesn't have to be complicated. Now that you have an understanding of what HIPAA-compliant email is and its importance, you can choose an email client software program that works for you.
