HIPAA-covered organizations must take every reasonable precaution to safeguard protected health information (PHI) sent and received by email, both at rest and in transit, in order to prevent unauthorized access to patient data. Many organizations opt to use HIPAA compliant email providers so that proper controls are in place to protect the confidentiality, integrity, and availability of PHI.
There are a number of HIPAA compliant email providers that offer end-to-end encryption for messages. Some of these require software to be hosted on your own infrastructure, while others are delivered as a secure Software-as-a-Service offering from the cloud. Changing email provider does not necessarily mean you have to change your email addresses. Many services permit you to keep your existing email addresses and send messages as you usually would from your desktop computer.
All HIPAA compliant email suppliers must ensure their solutions incorporate the security mechanisms required by the HIPAA Security Rule. The solutions need to include access controls (§ 164.312(a)(1)), audit controls (§ 164.312(b)), integrity controls (§ 164.312(c)(1)), person or entity authentication (§ 164.312(d)), and safeguards for PHI in transit (§ 164.312(e)(1)).
If an email service provider includes all of those things, the service can be considered HIPAA-compliant. However, the email service provider must also enter into a contract with the HIPAA-covered entity in the form of a business associate agreement. Only once this agreement has been completed can the email service be implemented.
HIPAA-covered organizations should remember that compliant use of the email service is not the responsibility of the service provider. The service provider must only ensure adequate safeguards are in place. It is the responsibility of the covered entity to ensure the solution is configured properly, that staff know how to use the email service, and that they are familiar with the permitted uses and disclosures of PHI.
An email service alone will not meet all HIPAA requirements for email. Staff should also receive security awareness training and be made aware of the threats that can arrive in their mailboxes. Technologies should also be in place to lessen the risk of email-based cyber attacks such as phishing. Some email service suppliers, but not all, scan inbound messages and block spam, malware, and phishing emails.
Is Encryption for Email Obligatory?
While HIPAA compliant email suppliers encrypt all emails during transmission, encryption itself is not mandatory. The HIPAA Security Rule only requires organizations to assess the need for encryption. A HIPAA-covered organization does not need to encrypt emails if a different, equivalent control is used in place of encryption.
One such security measure for internal emails is the use of a secure email server placed behind a firewall. In such instances, once a risk assessment has been completed and the reasons for not encrypting emails have been documented, encryption would not be necessary for all internal emails. Encryption would also not be required when sending emails to patients who have authorized an organization to communicate PHI with them via email.
However, since most healthcare groups need to file payment claims via email, contact other healthcare groups, and refer patients, it is necessary to send emails beyond the firewall. In such instances, encryption is the recommended solution.
There are serious risks in sending sensitive data via email. Email is not an inherently safe way of sharing data. Emails are composed on a workstation or mobile device, sent from an outbound email server, and travel through multiple routing points (at which copies of the email may be made) to the recipient's email server before being delivered to the recipient's inbox.
The Department of Health and Human Services (HHS) has already issued fines to organizations that have used non-compliant email services. Phoenix Cardiac Surgery paid a $100,000 HIPAA fine for using insecure Internet-based email.
HIPAA Compliant Email Suppliers
The following list of HIPAA compliant email providers has been compiled for your convenience. The list is not exhaustive. There are many other service suppliers that provide email services for healthcare organizations and meet the requirements of HIPAA. However, the list below is a good place to begin.
Every one of the following suppliers offers a HIPAA-compliant email service and will complete a business associate agreement.
- Hushmail for Healthcare
- VM Racks
- Apsida Mail
- Protected Trust
- MD OfficeMail
- Delivery Trust from Identillect Technologies