The HIPAA email rules are that covered entities and business associates must ensure the confidentiality, integrity, and availability of PHI created, received, maintained, or transmitted by email, protect against threats and hazards to the security of PHI in emails, and protect against uses and disclosures of PHI in emails not permitted by the Privacy Rule.
The HIPAA email rules above are a modified version of §164.306(a) of the Security Rule. There is no single section of the HIPAA Administrative Simplification Regulations that stipulates the requirements for HIPAA compliant email. As such, the “HIPAA email rules” is an umbrella term covering the relevant standards and implementation specifications of the General Provisions and the Privacy, Security, and Breach Notification Rules.
The Relevant Standards of the HIPAA General Provisions
Privacy Rule HIPAA Compliance for Email
Security Rule Safeguards for HIPAA Compliant Email
The HIPAA Email Encryption Requirements
The HIPAA Email Requirements for Breach Notifications
Recent HIPAA Violation Email Examples
Training Workforces on HIPAA Email Policy
When Do State Laws Preempt the HIPAA Email Rules?
There are several standards relevant to the requirements for sending PHI via email in the HIPAA General Provisions (Part 160 Subpart A). The first relevant standard is the Applicability standard – that HIPAA applies to health plans, health care clearinghouses, healthcare providers that qualify as HIPAA covered entities, and to business associates that provide a service for or on behalf of a covered entity that involves a use or disclosure of PHI.
This is relevant because if a provider does not qualify as a HIPAA covered entity – because, for example, they bill clients directly – they are not required to comply with the HIPAA email requirements. Similarly, if a third party provides a service for or on behalf of a provider that does not qualify as a HIPAA covered entity, the third party does not qualify as a business associate and is also not required to comply with the HIPAA email requirements.
The next relevant standard in the HIPAA General Provisions is the Definitions standard (§160.103). This standard is relevant because it defines what is considered as PHI under HIPAA. Emails that do not contain PHI are not subject to the HIPAA email requirements – although they may be subject to state data protection laws depending on the location of the covered entity and whether they are exempted from complying with state law.
On the topic of state laws, Subpart B of Part 160 (“Preemption of State Law”) is relevant to any discussion about the application of the HIPAA email rules because it states HIPAA preempts state law unless a provision of state law offers greater protection to personal data than HIPAA or unless a provision of state law provides individuals with more privacy rights. Examples of when state law preempts the HIPAA email rules are provided later in this article.
Many sources discussing the HIPAA email rules tend to focus on Security Rule safeguards for HIPAA compliant email and overlook Privacy Rule HIPAA compliance for email. Although it is important to comply with the Security Rule safeguards, it is equally important to know when Privacy Rule compliance applies due to §164.306(a) requiring organizations to “protect against uses and disclosures of PHI not permitted by the Privacy Rule”.
When §164.306(a) states covered entities and business associates must protect against uses and disclosures of PHI not permitted by the Privacy Rule, the standard not only applies to when sending patient information via email is required or permitted by the Privacy Rule, but also to what happens to the patient information when it is received by the recipient if the recipient is a covered entity, a business associate, or a member of either’s workforce.
Required uses and disclosures of PHI are limited to when PHI is requested by HHS’ Office for Civil Rights or the subject of the PHI (see “Patients’ Rights Considerations” below). Permissible uses and disclosures of PHI include treatment, payment, and healthcare operations, and when disclosures are allowed under §164.512 of the Privacy Rule. In all “permissible” cases, uses and disclosures must be limited to the minimum necessary to achieve the purpose of the use or disclosure.
A covered entity is also permitted to disclose PHI to a business associate by email, subject to the business associate complying with the HIPAA rules for emailing patient information. For a business associate, this may not only mean implementing Security Rule safeguards for HIPAA compliant email, but also training members of the workforce on applicable Privacy HIPAA Rules for email as well as providing security awareness training.
In addition, before a disclosure of PHI is permitted to a business associate, it is necessary for a Business Associate Agreement to be in place between the covered entity and the business associate. The Business Associate Agreement stipulates the terms under which PHI is disclosed to the business associate, agrees that the business associate will implement safeguards to protect PHI, and lists the obligations of the healthcare provider to the business associate.
As mentioned above, patients have rights under HIPAA. These include the right to request copies of their PHI by email, to receive an accounting of disclosures by email, to receive any confidential communications by email, and a Notice of Privacy Practices by email – not necessarily secured email. Patients also have the right to authorize disclosures of PHI not permitted by the Privacy Rule, which can also be communicated by unsecured email.
A challenge this creates is that the use of email for transmitting PHI is permissible in some circumstances, but not in others. The circumstances can depend on who is requesting PHI, the purpose of the use or disclosure, whether a Business Associate Agreement is in place (if required), and whether the Security Rule Safeguards for HIPAA compliant email have been implemented. It may also be necessary for a Business Associate Agreement to be in place with the email service provider.
The Security Rule safeguards for HIPAA compliant email vary depending on whether a covered entity or business associate hosts its email server on-premises. If so, the Physical Safeguards are more significant. If not – for example, if a covered entity subscribes to HIPAA compliant hosted email service such as Google Workspace – the HIPAA compliant hosted email service provider is responsible for most of the Physical Safeguards.
The Administrative Safeguards for HIPAA email compliance require covered entities and business associates to conduct a HIPAA risk assessment to identify risks and vulnerabilities to PHI created, received, maintained, or transmitted by email. The assessment should consider both external and internal threats. It is then necessary to implement security measures that reduce the identified risks and vulnerabilities to a reasonable and appropriate level.
In the context of HIPAA email compliance, the security measures stipulated by the Administrative Simplification standards of the Security Rule and subsequent guidance published by HHS’ Office for Civil Rights include:
The reason who hosts an email system matters is because the hosting entity will be responsible for complying with physical HIPAA email security requirements such as controlling access to where the mail server is stored, managing maintenance records for mail servers, and ensuring a continuity of service during a disaster or emergency. HIPAA compliant hosted email service providers may also be responsible for the physical security of email backups and archives.
Thereafter, regardless of whether a HIPAA compliant email service is hosted in-house or subcontracted to a HIPAA compliant email service provider, covered entities and business associates are required to:
Note: The Physical Safeguards for HIPAA email compliance were developed before most mobile devices had Internet connectivity, cameras, or email capabilities. As a result, there can be logistical challenges in complying with this section of the HIPAA email rules for healthcare providers. Healthcare providers who struggle to comply with this section of the HIPAA email rules are advised to review the “flexibility of approach” standard (§164.306(b)).
The majority of the Technical Safeguards for HIPAA email compliance have “addressable” implementation specifications. How covered entities and business associates comply with the Technical Safeguards may depend on the results of HIPAA risk assessments and interpretations of the flexibility of approach standard. It is important to be aware that, if an addressable specification is not implemented, the reason must be documented.
To save time, the “required” Technical Safeguards for HIPAA email compliance could be completed at the same time as the Administrative Safeguards – i.e. the Safeguards relating to Access Controls and Emergency Access procedures. Addressable Safeguards include:
In addition to the Administrative, Physical, and Technical Safeguards, the Security Rule has “Organizational Requirements” for Business Associate Agreements and disclosing PHI to plan sponsors. The Security Rule also includes a section requiring covered entities to document policies and procedures, and retain records of the policies and procedures for at least six years. You can read about the HIPAA record retention requirements here.
Although the HIPAA email encryption requirements are addressable implementation specifications, it is hard to conceive when they might not be “reasonable and appropriate” for protecting PHI in emails or when “an alternative equivalent measure” would be as effective at ensuring the confidentiality of PHI created, received, maintained, or transmitted by email. However, there is no one-size-fits-all solution for complying with the requirements.
HHS Office for Civil Rights has confirmed that the HIPAA email encryption requirements are not mandatory. Nonetheless, the agency has published guidance for “rendering unsecured PHI unusable, unreadable, or indecipherable to unauthorized individuals”. The guidance applies to both PHI at rest (i.e., in an email inbox) and PHI in transit (i.e., when an email containing PHI is sent from a covered entity to a patient or business associate).
With regards to the HIPAA encrypted email requirements for PHI at rest, HHS’ Office for Civil Rights suggests covered entities and business associates apply the standards recommended in NIST SP 800-111 (AES-128 or higher). For PHI in transit, HHS’ Office for Civil Rights states “valid encryption processes for data in motion are those which comply with NIST SP 800-52” (TLS 1.2 or higher) or “others which are FIPS 140-2 validated” (for example, OpenPGP and S/MIME).
How to comply with the HIPAA email encryption requirements varies depending on whether the organization’s email server is hosted on-premises or hosted in the cloud by a HIPAA compliant email service provider acting as a business associate. In the former scenario, the organization has the responsibility for encrypting PHI at rest. In the latter scenario, the business associate is responsible for encrypting PHI at rest.
Complying with the HIPAA email encryption requirements for PHI in transit can also be situation specific. For example, a covered entity might host an email server on-premises, but the email service could still be provided by a business associate (e.g., Exchange Server 2019), or the email service could be provided via an intermediary such as a Managed Service Provider. Covered entities unsure about HIPAA email encryption requirements should seek compliance advice.
The following HIPAA compliant encrypted email providers offer products that support HIPAA compliance out of the box or that can be configured to support HIPAA compliance. All of the providers are willing to enter into a Business Associate Agreement; but, because most offer a standard service to all customers, covered entities and business associates must agree to the terms of the providers’ Agreements. Please note, this list is not exhaustive and subject to change.
Microsoft offers a range of packages that support compliance with the HIPAA encryption requirements. While suitable for most enterprise customers, smaller organizations might find subscriptions include services they will be paying for, but may never use.
Google Workspace is more user-friendly for organizations with a remote workforce and offers a wider variety of email encryption options. However, configuring Google Workspace to be HIPAA compliant can be difficult for customers unfamiliar with admin controls.
Proton Mail is a further suitable solution for HIPAA email security that also offers Drive, Calendar, and VPN options. The platform can be used as a standalone service (e.g., hosted in the cloud) or to encrypt emails sent from an on-premises email server.
Paubox is an email encryption service that encrypts all outbound emails by default. The service works with on-premises servers or in front of cloud services (such as Office 365 and Google Workspace) with minimal installation and configuration requirements.
Hushmail is one of several HIPAA compliant encrypted email providers that provides HIPAA email security only when the sender takes a manual action to encrypt the content of an email. This could lead to HIPAA unencrypted email being sent in error.
Despite it appearing logical to notify individuals of a data breach as quickly as possible after the discovery of a breach, the HIPAA email requirements for breach notifications are that individuals can only be notified of data breaches by email “if the individual agrees to [an] electronic notice and such agreement has not been withdrawn” (§164.404). (Notifications to HHS’ Office for Civil Rights are submitted through the HHS Breach Portal.)
If consent has not been given to receive breach notifications by email, individuals must be notified of a data breach by first class mail even though no PHI is disclosed in breach notifications. Covered entities and business associates are only required to notify individuals of the type(s) of information that has been breached and the steps individuals should take to protect themselves from potential harm resulting from the breach.
However, breach notifications can be potentially sensitive if – for example – a patient is attending a clinic for SAD treatment that a partner with access to the patient’s email account is not aware of. Therefore, it is not safe to assume that because a patient has given their consent (or requested) to receive – for example – appointment reminders by email, the patient also wishes to receive breach notifications by email.
It is impossible to determine exactly how many HIPAA violations are attributable to noncompliance with the HIPAA email rules. This is because details about complaints made to covered entities are rarely made public, while only data breaches affecting more than 500 individuals are listed on HHS’ Breach Report (about 10% of all data breaches). From reports that are publicly accessible, we have found the following recent HIPAA violation email examples:
Although only one of the above HIPAA violation email examples resulted in a financial penalty, violations of the HIPAA email rules often have indirect consequences. In many cases, new policies and procedures have to be developed, new measures have to be implemented to safeguard PHI in emails, and workforce members have to be retrained. There can also be consequences for members of the workforce who impermissibly disclose PHI via email.
When PHI is created, received, maintained, or transmitted via email, it is recommended that covered entities and business associates develop a HIPAA email policy. The HIPAA email policy should be consistent with the organization’s existing policies on permissible disclosures of PHI, patients’ rights, data security, and reinforce standards such as the physical device controls, patient authorizations, and the minimum necessary rule.
Workforce training on HIPAA email policy can either be combined with regular (or refresher) HIPAA training, or provided alongside security awareness training. Ideally, it should be included in both when time and resources allow. However, it is important that the training is documented and that workforce members are given a copy of the training document(s) and the sanctions policy for violating the organization’s HIPAA email policy.
It can also be beneficial to explain to workforce members why policies such as “do not include PHI in subject lines” exist. Explaining that email encryption leaves the subject line and other email headers in cleartext (mail servers need the headers to deliver the message and mailboxes index them for search) can raise security awareness and help prevent security violations in other scenarios in which PHI is created, received, maintained, or transmitted electronically.
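As an added illustration of two points made in this article (the NIST SP 800-52 floor of TLS 1.2 for PHI in transit, and the fact that subject lines and other headers stay in cleartext even when the body of an email is encrypted), here is a small Python outbound-mail check. It is not part of the original article or of any vendor’s product: it refuses to send a message whose cleartext headers carry PHI-like identifiers, reports whether the body carries message-level (S/MIME or PGP/MIME) encryption, and builds the TLS context an SMTP client would use so that nothing below TLS 1.2 is negotiated. The PHI patterns, the addresses, and the S/MIME placeholder body are constructed sample data, and the content-type test is only a coarse stand-in for a real DLP scanner.

```python
import re
import ssl
from email.message import EmailMessage

# Constructed, illustrative patterns for PHI-like identifiers that should never
# appear in message headers. A real deployment would use its own DLP rules;
# these three are hypothetical and only broad enough to drive the example.
PHI_HEADER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{5,}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB\b", re.IGNORECASE),
}

# Headers that stay in cleartext even when the body is S/MIME- or OpenPGP-encrypted:
# servers need To/From to deliver the message and clients index Subject for search,
# so body encryption never covers them.
CLEARTEXT_HEADERS = ("Subject", "From", "To", "Cc")

# Top-level content types that show the body itself is encrypted:
# S/MIME enveloped data and PGP/MIME (RFC 3156).
ENCRYPTED_BODY_TYPES = {"application/pkcs7-mime", "multipart/encrypted"}


def find_phi_in_headers(msg: EmailMessage) -> list:
    """Return (header, pattern_name) pairs for every cleartext header matching a PHI pattern."""
    findings = []
    for header in CLEARTEXT_HEADERS:
        value = str(msg.get(header, ""))
        for name, pattern in PHI_HEADER_PATTERNS.items():
            if pattern.search(value):
                findings.append((header, name))
    return findings


def is_body_encrypted(msg: EmailMessage) -> bool:
    """True when the top-level content type indicates message-level body encryption."""
    return msg.get_content_type() in ENCRYPTED_BODY_TYPES


def check_outbound(msg: EmailMessage) -> dict:
    """Policy verdict: block any message whose cleartext headers carry PHI-like data,
    and report whether the body is protected by message-level encryption."""
    findings = find_phi_in_headers(msg)
    return {
        "header_findings": findings,
        "body_encrypted": is_body_encrypted(msg),
        "allowed": not findings,
    }


def make_smtp_tls_context() -> ssl.SSLContext:
    """Client context for smtplib's starttls() / SMTP_SSL that refuses anything
    below TLS 1.2, the floor NIST SP 800-52 sets for data in transit."""
    ctx = ssl.create_default_context()  # certificate verification and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_context_meets_floor(ctx: ssl.SSLContext) -> bool:
    """True when the context has an explicit minimum of TLS 1.2 or higher."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def build_sample_messages() -> dict:
    """Two constructed messages (sample data, not real PHI)."""
    leaky = EmailMessage()
    leaky["From"] = "records@clinic.example"
    leaky["To"] = "patient@mail.example"
    leaky["Subject"] = "Lab results for MRN 0012345"  # PHI in a header that encryption never covers
    leaky.set_content("Body text would go here.")

    clean = EmailMessage()
    clean["From"] = "records@clinic.example"
    clean["To"] = "patient@mail.example"
    clean["Subject"] = "Your requested records"
    # Stand-in for an S/MIME enveloped-data body (placeholder bytes, not a real CMS blob).
    clean.set_content(b"\x30\x82placeholder", maintype="application", subtype="pkcs7-mime",
                      params={"smime-type": "enveloped-data"})
    return {"leaky": leaky, "clean": clean}


if __name__ == "__main__":
    for name, sample in build_sample_messages().items():
        print(name, check_outbound(sample))
    print("TLS floor ok:", tls_context_meets_floor(make_smtp_tls_context()))
```

The header scan runs before the message is handed to the transport because, once S/MIME or OpenPGP has been applied, nothing downstream can remove a subject line that already contains an identifier; pinning the TLS minimum on the client side covers the hop to the mail server, while the content-type check is what tells you whether the message would still be protected in the recipient’s inbox.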
It was mentioned previously that HIPAA preempts state laws unless a provision of a state law offers greater protection to personal data than HIPAA or provides individuals with more privacy rights. This section of the HIPAA Administrative Simplification Regulations was last updated in 2002, since when multiple states have passed privacy legislation – some of which have provisions that preempt the HIPAA email rules.
For example – according to HHS guidance published in 2008 – healthcare providers can assume that, if a patient initiates contact by unencrypted email, it is permissible to reply to the patient via unencrypted email and continue to communicate with the patient via the same channel of communication. The guidance recommends, but does not mandate, that the healthcare provider alert the patient to the risks and let the patient decide whether to continue communicating via email.
However, a number of states have recently introduced or extended their privacy laws to include an “affirmative opt-in” requirement for individuals’ email addresses. This means that covered entities can continue to follow HHS guidance only if the individual is not a resident of a state in which greater protection to personal data exists (regardless of where the healthcare provider is located or where the individual was at the time contact was made).
Some state privacy laws (e.g., CCPA, Texas HB 300) exempt HIPAA covered entities – and sometimes business associates – and/or do not apply to individually identifiable health information protected by the Privacy Rule. But not all states have the same exemptions. If you are in any doubt that your organization may not be in compliance with the HIPAA email rules or a state law that preempts the HIPAA email rules, you should seek compliance advice.
PHI can be sent via email provided the disclosure is permitted by the Privacy Rule, safeguards are implemented to comply with the Security Rule, and – if the email service is provided by a third party – that a Business Associate Agreement exists with the third party.
Emails can lead to HIPAA violations if they are sent to unauthorized persons, if PHI is disclosed in the email impermissibly, or if an individual is contacted by email after requesting confidential communications via a different channel of communication.
Business Associate Agreements are needed to use emails in a healthcare setting if the email service is provided by a third party service provider and the email service is going to be used to send, receive, or store emails containing Protected Health Information.
The encryption standards necessary for emails to be HIPAA compliant are a minimum of Advanced Encryption Standard (AES) 128 for PHI at rest and Transport Layer Security (TLS) for data in transit. Although S/MIME is a suitable alternative to TLS, the protocol has a significant management overhead.
The HIPAA Security Rule does not require emails to be encrypted, but makes it an addressable implementation specification, because alternative technologies exist (e.g., key-agreement algorithms) that can be equally effective as encryption for protecting PHI at rest and in transit.
The difference between PHI and ePHI is that PHI stands for Protected Health Information, which is any individually identifiable health information created, received, stored, or transmitted by a covered entity or business associate in any format, whereas ePHI is electronic PHI, i.e. PHI created, received, stored, or transmitted electronically.
Email is HIPAA compliant and can be used to send PHI for required and permitted purposes provided the appropriate Security Rule Safeguards are implemented, the disclosure of PHI is limited to the minimum necessary, and – if the email is sent via a third party service (e.g., Microsoft or Google) – a Business Associate Agreement exists with the service provider.
The HIPAA compliance email rules are the standards and implementation specifications found throughout Parts 160 and 164 of the Administrative Simplification Regulations that govern what measures and procedures need to be in place before a covered entity or business associate creates, receives, maintains, or transmits Protected Health Information via email.
HIPAA allows email in several circumstances. The first is when a patient initiates a communication with a healthcare provider via email. In this case, a healthcare provider can continue to communicate with the patient via email; but, if the channel is not secure, the healthcare provider should (but is not mandated to) warn the patient of the risks and let the patient decide if they want to continue communicating by unsecured email.
The second circumstance is when a patient specifically requests communications by email, a copy of the Notice of Privacy Practices by email, or exercises their HIPAA rights to request a copy of their PHI or an accounting of disclosures by email. In all these cases, it is still a best practice to warn the patient if the channel of communication is unsecured – especially if they have requested all communications by email, as some may be sensitive in nature.
The third circumstance when HIPAA allows email is when a HIPAA compliant email service is used to send, store, and receive emails containing PHI for a permitted purpose. In this circumstance, the disclosure of PHI should be limited to the minimum necessary to achieve the permitted purpose and – if the HIPAA compliant email service is provided by a third party vendor (e.g., Microsoft) – a Business Associate Agreement must be in place with the third party vendor.
HIPAA requires email encryption when PHI is disclosed in an email for a purpose not exempted by the Privacy Rule. Exemptions include when a patient initiates a communication with a healthcare provider via an unencrypted email and when a patient requests communications by email. In both cases, it is recommended to warn patients of the risks of unencrypted email, offer an alternative channel of communication, and let the patient decide.
Relevant to the question of whether HIPAA requires email encryption is that, if a covered entity subscribes to a service provider’s plan that includes encryption (e.g., Google Workspace), it is only necessary to enter into a Business Associate Agreement with the service provider. If a covered entity uses a separate third party service for HIPAA email encryption (e.g., Hushmail), it may be necessary to enter into two Business Associate Agreements (e.g., one with Google and one with Hushmail).
It is not a HIPAA violation to email medical records if appropriate safeguards are implemented to protect the confidentiality, integrity, and availability of PHI, and if the reason for emailing medical records is permitted or required by the Privacy Rule. Sending patient information via email is also not a HIPAA violation when a patient exercises their HIPAA rights to request a copy of their medical records – even if no safeguards exist to protect the confidentiality of PHI.
The HIPAA security email requirements are the elements of HIPAA email compliance that relate to the security of HIPAA compliant email. For example, a HIPAA secure email is protected by access controls, audit controls, integrity controls, and encryption (etc.). However, a HIPAA secure email needs to comply with other HIPAA email rules – for example, the email has to be for a permitted use of PHI – before it can be considered a HIPAA compliant email.
Copyright © 2007-2024 The HIPAA Guide