Healthcare organizations often ask if they can use a Hotmail account to send protected health information. The HIPAA compliance of Hotmail is an important issue to covered entities that would like to use it as a means of communication. Hotmail is a free-to-use webmail service offered by Microsoft. But it’s now replaced by Outlook.com. If Hotmail is HIPAA-compliant, so is Outlook.com. The important question is – Is Hotmail HIPAA Compliant?
Not all email services are HIPAA compliant. To be HIPAA compliant, there are specific requirements. There should be security controls that stop unauthorized persons from accessing the account. Sent messages via the email service must be secure and cannot be intercepted. Access control, integrity control and transmission security control should be in place.
All email accounts are kept secure using a password, but that does not mean that sent message are secure. Messages must be encrypted in transit to be secured and not easily intercepted and read by hackers. HIPAA-compliant email services must encrypt messages sent outside the organization’s firewall. Encryption is not necessary if messages are only sent within the organization using a secure internal email server with firewall.
Hotmail is a webmail service so it is not protected by a firewall. It must offer security controls that prevent interception of messages. Hotmail uses HTTPS, which means that transferred messages from the browser to the Hotmail site are encrypted and secured in transit. However, Microsoft has a way to access the messages. Users should take note of that even if Microsoft has a disclaimer that says Microsoft does not scan the content of messages and will not sell the information to third parties like advertisers.
In order for an email service to be HIPAA compliant, it is also required to sign a business associate agreement with the email provider. Microsoft offers business associate agreements for Office 365, but Hotmail and Outlook are not included in Office 365. Microsoft does not provide business associate agreements for free consumer services like Hotmail. Hence, Hotmail is not considered HIPAA compliant. It cannot be used by HIPAA covered entities because it does not come with a signed business associate agreement. Gmail accounts and other free consumer email services are also not HIPAA compliant.
But is it possible to send PHI to a patient via his Hotmail account? HIPAA Rules do not allow the sending of PHI to patients via email, no matter what the email service provider is. However, if the healthcare organization first gets consent from the patient and the patient agrees, PHI can be sent via email to the patient. Just be sure that the patient is informed of the risk that email is not secure and the PHI sent may be intercepted and read by unauthorized individuals. The consent that the patient opted to receive PHI via email must be documented with authentication of the patient’s identity.