HIPAA-covered entities must ensure that protected health information (PHI) transmitted by email is safeguarded so that unauthorized parties cannot intercept messages. Many choose a HIPAA compliant email provider so that proper controls are in place to protect the confidentiality, integrity, and availability of PHI.
There are a number of HIPAA compliant email providers to choose from that offer end-to-end encryption for messages. Some require software to be hosted on your own infrastructure; others manage everything for you. Changing email provider does not necessarily mean changing your email addresses: many services let you keep your existing addresses and send messages as you normally would from your desktop client.
All HIPAA compliant email providers must ensure that their solution incorporates the security measures required by the HIPAA Security Rule. The solution needs to include access controls (45 CFR 164.312(a)(1)), audit controls (164.312(b)), integrity controls (164.312(c)(1)), person or entity authentication (164.312(d)), and transmission security so that PHI is safeguarded in transit (164.312(e)(1)).
If an email service provider includes all of those controls, the service can be considered HIPAA compliant. However, the provider must also enter into a contract with the HIPAA-covered entity in the form of a business associate agreement. Only once that agreement is in place can the email service be used for PHI.
HIPAA-covered entities should remember that HIPAA-compliant email is not solely the responsibility of the service provider. The provider must ensure adequate safeguards are in place, but it is the responsibility of the covered entity to configure the solution correctly, to train staff on how to use it, and to make staff aware of the permitted uses and disclosures of PHI.
An email service alone will not meet all HIPAA requirements for email. Staff should also receive security awareness training and be made aware of the threats that can arrive in their mailboxes. Technologies should also be in place to reduce the risk of email-based cyberattacks such as phishing. Some email service providers, but not all, scan inbound messages and block spam, malware, and phishing emails.
Is Encryption for Email Obligatory?
While HIPAA compliant email providers encrypt all emails they transmit, encryption is not mandatory under HIPAA. The HIPAA Security Rule only requires organizations to assess whether encryption is needed. A HIPAA-covered entity does not need to encrypt emails if a different, equivalent control is used in its place.
One such measure is the use of a secure email server placed behind a firewall. In that case, once a risk assessment has been completed and the reasons for not encrypting emails have been documented, encryption would not be necessary for internal emails. Encryption would also not be required when sending emails to patients who have authorized the covered entity to correspond with them by email.
However, since most healthcare organizations need to file payment claims by email, contact other healthcare organizations, and refer patients, they must send emails beyond the protection of the firewall. In those cases, encryption is required.
There are serious risks in sending sensitive data by email, because email on its own is not a secure transport. A message is composed on one machine, sent to an outbound email server, traverses the Internet, lands on the recipient's email server, and is then delivered to the recipient's device. Copies of the message can therefore exist on at least four different devices, and it can be intercepted at any point in transit.
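Because the paragraph above describes the chain of servers a message passes through, the following Python script is an added example that is not part of the original article and is not code from any of the providers listed below. It parses the Received: trace headers of a constructed sample message, lists each hop in delivery order, counts the distinct hosts that handled a copy, and flags hops whose trace line carries no TLS indicator. It assumes the conventional RFC 3848 keywords ESMTPS and ESMTPSA mark TLS-protected hops; the host names and addresses in the sample are constructed.

```python
import email
import re

# Conventional trace keywords for TLS-protected SMTP hops (RFC 3848).
# Assumption: the relays in the path use these keywords in their Received: lines.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA"}

# Constructed sample message (hostnames and addresses are made up, not a real capture).
# Each relay prepends its own Received: header, so the top one is the most recent hop.
SAMPLE_MESSAGE = """Received: from mx.clinic.example (mx.clinic.example [192.0.2.10])
    by mail.recipient.example with ESMTPS id abc123;
    Tue, 1 Jan 2019 10:00:02 +0000
Received: from relay.provider.example (relay.provider.example [198.51.100.5])
    by mx.clinic.example with ESMTP id def456;
    Tue, 1 Jan 2019 10:00:01 +0000
Received: from workstation.clinic.example ([203.0.113.7])
    by relay.provider.example with ESMTPSA id ghi789;
    Tue, 1 Jan 2019 10:00:00 +0000
From: scheduling@clinic.example
To: records@recipient.example
Subject: Referral (constructed sample)

Message body would be here.
"""


def parse_received_hops(raw_message):
    """Return the hops a message took, oldest first, as dicts with from/by/with/tls keys."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Newest trace header comes first in the message, so reverse for chronological order.
    for value in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", value)  # unfold the header onto one line
        m_from = re.search(r"\bfrom (\S+)", text)
        m_by = re.search(r"\bby (\S+)", text)
        m_with = re.search(r"\bwith (\S+)", text)
        protocol = m_with.group(1) if m_with else ""
        hops.append({
            "from": m_from.group(1) if m_from else "?",
            "by": m_by.group(1) if m_by else "?",
            "with": protocol,
            "tls": protocol.upper() in TLS_KEYWORDS,
        })
    return hops


def unencrypted_hops(hops):
    """Hops whose trace line carries no TLS keyword (plaintext or unknown transport)."""
    return [h for h in hops if not h["tls"]]


def hosts_holding_a_copy(hops):
    """Distinct hosts that handled the message: every sender and receiver in the chain."""
    hosts = []
    for h in hops:
        for name in (h["from"], h["by"]):
            if name not in hosts:
                hosts.append(name)
    return hosts


if __name__ == "__main__":
    hops = parse_received_hops(SAMPLE_MESSAGE)
    for n, h in enumerate(hops, 1):
        print(f"hop {n}: {h['from']} -> {h['by']} via {h['with'] or 'unknown'} (TLS: {h['tls']})")
    print("hosts that held a copy:", ", ".join(hosts_holding_a_copy(hops)))
    for h in unencrypted_hops(hops):
        print(f"WARNING: no TLS indicator on the hop into {h['by']}")
```

Run against the sample, the script reports four hosts holding a copy and one hop (into mx.clinic.example) with no TLS indicator. Received: headers are written by each relay and can be omitted or altered by an intermediate party, so this is an audit aid for reviewing how messages actually travelled, not proof of protection; the only safeguard that does not depend on every hop is encrypting the message content itself, which is the point of the article.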
The Department of Health and Human Services (HHS) has already fined covered entities that used email services which did not meet HIPAA requirements. Phoenix Cardiac Surgery paid a $100,000 HIPAA fine for using an insecure Internet-based email service.
HIPAA Compliant Email Suppliers
The following list of HIPAA compliant email providers has been compiled for your convenience. The list is not exhaustive: many other providers offer email services for healthcare organizations that meet HIPAA requirements. However, the list below is a good place to start.
Each of the following providers offers a HIPAA-compliant email service and will sign a business associate agreement.
- Hushmail for Healthcare
- VM Racks
- Apsida Mail
- Protected Trust
- MD OfficeMail
- Delivery Trust from Identillect Technologies