Is Email HIPAA Compliant?
When sharing patient health information, whether with the patient themself or with another provider, it is crucial that you maintain HIPAA compliance. If you use an EHR or patient portal built for healthcare providers, it is likely that the vendor has safeguards in place and that your use of it is HIPAA-compliant. However, once you venture outside of software built specifically for healthcare, it is much less likely that the tool has safeguards in place to protect protected health information.
Using email to share patient information while maintaining HIPAA compliance is a confusing area for healthcare providers. The guidance from the Department of Health and Human Services (HHS) on email is fairly general, leaving practitioners unsure of how to properly protect their patients' information and avoid a HIPAA violation that can carry thousands of dollars in fines.
Here, we've broken down how healthcare providers can make sure their emails are HIPAA compliant, and which email services are best suited for use in their business.
The Risk of Sharing PHI Over Email
The Security Rule does not expressly prohibit the use of email for sending protected health information (PHI). However, it does contain security standards that require covered entities to protect PHI traveling over email. In 2019, there were 418 recorded HIPAA breaches, and email accounted for 39% of them; within those email breaches, human error accounted for the majority. Accordingly, HHS strictly enforces its regulations regarding HIPAA-compliant email.
HIPAA requires that PHI remain secure both at rest and in transit. This means that your patients' information must be protected not only while it sits on your computer as a draft, but also once it travels to the next party over email. Along an email's journey from sender to recipient there are multiple points where a breach could occur, leaving PHI exposed. The email is first created on the sender's workstation, then sent to the sender's email server, then to the recipient's email server, and finally downloaded onto the recipient's workstation. A copy of the email is typically retained on each machine it passes through. Transport encryption (TLS) between two servers protects only that hop; the copies retained on the servers are protected only if the message content itself is encrypted.
HIPAA Capable vs. HIPAA Compliant Emails: Ensuring Compliance
While many email services are capable of being HIPAA-compliant with extra effort from the user, most are not compliant as configured out of the box.
Business Associate Agreement
The first step in ensuring compliance with an internet-based email service is to have the company sign a Business Associate Agreement (BAA) with you. According to HHS, a business associate is "a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to a covered entity that involve access by the business associate to protected health information." The contract describes how the third party protects and secures the PHI to which it has access, and sets out the permitted "uses and disclosures of the protected health information by the business associate."
Both Microsoft and Google will sign BAAs with qualifying customers; however, a BAA only goes so far in protecting PHI. The covered entity is still responsible for ensuring the business associate does its part to protect the health information. Additionally, a BAA covers only the associate's service, not any other email server the message may pass through or be delivered to, so the covered entity remains responsible for protecting PHI beyond the associate's server. If found in violation of HIPAA, both parties can be liable for the fines that follow.
For current Healthie members: you can view a copy of Healthie's Business Associate Agreement (BAA) here.
Encrypting emails that contain PHI is a crucial step in maintaining HIPAA compliance. Encrypting an email transforms its content so that it cannot be read by anyone other than the intended recipient, who holds the key needed to decrypt it. For healthcare providers, this means that if there is PHI in the body of an email (or in an attachment), it must be encrypted. Note that S/MIME, the method built into the platforms discussed below, encrypts the body and attachments but not the Subject line or other headers, so PHI should never be placed in the subject.
Sending emails to patients containing their own PHI follows slightly different rules than general email compliance. Some patients may choose not to receive encrypted emails. HHS recognizes that a covered entity may send a patient unencrypted email if it has advised the individual of the risk and the individual still chooses unencrypted email. In that case, the covered entity is not responsible for unauthorized access to the PHI during transmission, or for protecting the information once it reaches the patient. It is good practice to document that warning and the patient's choice.
In-office emails, i.e. emails that never leave your own secure email service, do not need separate encryption, as they are already covered by the BAA you sign with your email provider. For emails between practitioners, unless the other provider is within your office and uses your network and email service, the message must be encrypted. If you ever send PHI from a personal email account to your work account, that message must be encrypted too; a personal account is not covered by your BAA. Avoid mass emails unless you can use an external, HIPAA-compliant service for them.
Some email platforms have encryption built into their software, while some may require you to make use of a third-party encryption software.
Which Email Platforms are HIPAA-Compliant?
Gmail: Google has stated that individual users are responsible for determining whether their business needs to maintain HIPAA compliance over email. As mentioned earlier, Google can support HIPAA compliance for customers who sign a BAA with them. Users still must take extra steps to ensure encryption: Gmail does have S/MIME encryption built in (on eligible Google Workspace editions, not consumer Gmail), but it only works if both the sender and the recipient have it enabled, each has an S/MIME certificate, and the public keys have been exchanged. If the recipient has no certificate, the message goes out unencrypted. You can read instructions on enabling encryption for Gmail here.
Outlook: Microsoft has stated that Outlook was built for typical consumers to send email, and does not endorse it for HIPAA-compliant communications. However, Microsoft will sign BAAs with eligible companies, and like Gmail, Outlook has S/MIME encryption built into the platform, with the same requirement that both parties have certificates. You must enable it following the instructions here.
iOS: You can also encrypt emails sent from your iOS device. Install your S/MIME certificate on the device, then in the mail account's advanced settings switch on "S/MIME" and set "Encrypt by default" to on. The next time you compose a message, a lock icon appears next to each recipient; it shows as locked only when that recipient's certificate is available on your device, so check it before sending.
Consumer platforms such as AOL and Yahoo Mail, and mail apps on Android, require a third-party encryption service.
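The path described earlier, with a copy of the message retained at each hop, and the requirement that both parties hold S/MIME certificates, are easier to see in code. The following is an added example, not code from this page or from Healthie: a small Python model of the route from workstation to sender server to recipient server to recipient, run once with the body in plaintext (what you get when only transport TLS protects each hop, or when the recipient has no certificate) and once with the body encrypted to the recipient's public key. The servers, addresses and PHI string are constructed stand-ins; the RSA-OAEP plus AES-GCM envelope mirrors the shape of an S/MIME EnvelopedData but is not a CMS/PKCS#7 implementation; and it assumes the `cryptography` package is installed.

```python
"""Hop-by-hop model of an email carrying PHI: what each mail server retains when
the body is plaintext (per-hop TLS only) versus encrypted end to end to the
recipient's public key, as S/MIME does. Added example with constructed stand-in
servers and message; the hybrid envelope is not a real CMS/PKCS#7 implementation.
"""
from __future__ import annotations

import email
import os
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed sample PHI; not real patient data.
PHI = "Patient: Jane Doe, DOB 1984-02-11, A1c 7.9%"

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


@dataclass
class MailServer:
    """Stand-in MTA. Like the real servers on the path, it keeps a copy of every
    message it relays, so whatever it can read is now at rest on its disk."""
    name: str
    stored: list = field(default_factory=list)

    def relay(self, raw: bytes) -> bytes:
        self.stored.append(raw)
        return raw

    def sees_plaintext(self, secret: str) -> bool:
        """True if the PHI is readable in any copy this server kept."""
        return any(secret.encode() in copy for copy in self.stored)


def envelope(plaintext: bytes, recipient_public_key) -> bytes:
    """Encrypt the body with a fresh AES-256-GCM key and wrap that key to the
    recipient's RSA key. Only the private-key holder can open it; every
    intermediate server sees ciphertext."""
    cek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    body = AESGCM(cek).encrypt(nonce, plaintext, None)
    wrapped = recipient_public_key.encrypt(cek, OAEP)
    return len(wrapped).to_bytes(2, "big") + wrapped + nonce + body


def open_envelope(blob: bytes, recipient_private_key) -> bytes:
    n = int.from_bytes(blob[:2], "big")
    wrapped, nonce, body = blob[2:2 + n], blob[2 + n:2 + n + 12], blob[2 + n + 12:]
    cek = recipient_private_key.decrypt(wrapped, OAEP)
    return AESGCM(cek).decrypt(nonce, body, None)


def compose(body_text: str, recipient_public_key=None) -> bytes:
    """Build the RFC 5322 message. Without a recipient key (no S/MIME certificate
    on their side, the 'both must have it enabled' case) the body is plain text
    and every hop can read it."""
    msg = EmailMessage()
    msg["From"] = "clinic@example.org"    # constructed addresses
    msg["To"] = "patient@example.net"
    msg["Subject"] = "Visit summary"      # headers are never encrypted: no PHI here
    if recipient_public_key is None:
        msg.set_content(body_text)
    else:
        # Real S/MIME uses application/pkcs7-mime with a CMS body; this opaque
        # binary part stands in for it.
        msg.set_content(envelope(body_text.encode(), recipient_public_key),
                        maintype="application", subtype="octet-stream")
    return msg.as_bytes()


def deliver(raw: bytes, hops: list[MailServer]) -> bytes:
    """Workstation -> sender MTA -> recipient MTA -> recipient; each hop copies."""
    for hop in hops:
        raw = hop.relay(raw)
    return raw


def read(raw: bytes, recipient_private_key=None) -> str:
    """What the recipient's workstation ends up with after decoding/decrypting."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    payload = msg.get_payload(decode=True)
    if msg.get_content_type() == "application/octet-stream":
        return open_envelope(payload, recipient_private_key).decode().rstrip("\n")
    return payload.decode().rstrip("\n")


def run(end_to_end: bool) -> tuple[bool, bool, str]:
    """Returns (sender MTA saw PHI, recipient MTA saw PHI, text the recipient read)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    hops = [MailServer("sender MTA"), MailServer("recipient MTA")]
    raw = compose(PHI, key.public_key() if end_to_end else None)
    delivered = deliver(raw, hops)
    return hops[0].sees_plaintext(PHI), hops[1].sees_plaintext(PHI), read(delivered, key)


if __name__ == "__main__":
    print("plaintext body (TLS per hop only):", run(end_to_end=False))
    print("body encrypted to recipient key  :", run(end_to_end=True))
```

The plaintext run shows both servers holding a readable copy of the PHI even though the recipient gets the same text; the encrypted run shows neither server able to read it. That difference, not the presence of TLS on the wire, is what "secure at rest" on the intermediate servers depends on, and it is why the encrypted path is unavailable whenever the recipient has no certificate to encrypt to.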
Using Healthie for HIPAA-Compliant Email
Healthie's platform automates emails to clients, to save providers time on back-office administrative tasks. Providers can customize a variety of automated emails to their clients, including:
- Welcome Emails
- Appointment Confirmations
- Appointment Reminders
- Package Purchased
- Program Emails
Clients can also get emails when their provider sends them a message through our HIPAA-compliant portal. With Healthie, you can be sure your patients' personal health information is kept safe, and that your wellness business is protected from potential security breaches. Read more on Healthie's privacy and security measures here.