What to Do to Make Your Email HIPAA Compliant

A lot of healthcare organizations would like to use email for transmitting the protected health information (PHI) of patients, but how can email be made HIPAA compliant? What steps must be taken before electronic PHI (ePHI) can be sent via email to patients or other healthcare providers?

How you want to use email with ePHI will dictate what you need to do in order to have HIPAA compliant email. If you intend to use email for internal communication only, it is not necessary to encrypt emails, provided the emails are not sent outside the protection of a firewall. You only need encryption if you send emails beyond your firewall. Still, it is important to have access controls on email accounts; otherwise, unauthorized individuals could access emails stored in the account.

If you want to use email for sending ePHI to recipients beyond your firewall, you must make sure your email is HIPAA-compliant before any messages can be sent containing ePHI.

Lots of email service providers offer encryption, yet not all email service providers are HIPAA compliant as they lack other safeguards to ensure compliance with HIPAA Rules. Consider the following to make your email HIPAA compliant:

1. Be sure to have end-to-end encryption for email

Email is a fast and simple way of communicating digitally, but security is not guaranteed. Even email services that include encryption for messages in transit are not certain to have the appropriate level of security for HIPAA compliance. HIPAA compliant emails require end-to-end encryption. That means messages in transit and stored messages must be encrypted. Access controls are also required to ensure emails containing ePHI can only be accessed by the intended recipient and sender.

Certain email service providers apply encryption to individual emails, which requires the user to click a button or use a portal. Because users may forget to activate encryption and inadvertently send out an unencrypted email, it is recommended to encrypt all email messages and not just emails with ePHI. This will eliminate the possibility of mistakes.

It is important to consider the type of encryption as well. Although in the past Data Encryption Standard (DES) was deemed secure, that is not the case now. You need to check with NIST for recommendations on appropriate encryption standards. Currently, AES 128, 192, or 256-bit encryption is recommended.

2. Sign a HIPAA-compliant Business Associate Agreement (BAA) with the email service provider

When using a third-party email provider, it is essential to enter into a business associate agreement before the service is used for emailing ePHI. The BAA describes the duties of the service provider and establishes the technical, administrative and physical safeguards necessary to protect the confidentiality, integrity, and availability of ePHI.

If the email service provider will not sign a BAA, look for another provider that will. Without a BAA the service will not be HIPAA-compliant.

3. Configure your email correctly

A signed BAA alone is not enough to make email HIPAA compliant. The failure to configure the email service properly could easily result in the exposure of ePHI or incorrectly applied encryption.

The email service provided by Google through G Suite is covered by its business associate agreement. Take note that G Suite and Gmail are not the same. Gmail cannot be made HIPAA compliant nor is it suitable for healthcare use. Google only signs a BAA for its paid services, not the free ones. Google’s email service is only HIPAA-compliant when used with a business domain. When using this service, care must be taken to configure it correctly and activate end-to-end encryption.

4. Create policies on using email and provide training for employees

Once you have a HIPAA compliant email service, make sure employees receive training on its use and are made aware of HIPAA Rules covering the use of email in conjunction with ePHI. Many data breaches have occurred as a result of mistakes by healthcare employees. Examples include unintentionally sending ePHI through unencrypted email and sending ePHI to people who are not authorized to see the information.

5. Be sure to retain all emails

HIPAA Rules on email retention are not so clear. Email retention is not covered in the HIPAA text. If there is a legal dispute, lawyers representing patients and health plan members could require emails to be supplied. Requests could also be made by EU citizens to supply email correspondence under a GDPR data access request. Some state laws also mandate that emails should be kept for a set time frame. Under HIPAA, the retention period is six years for emails associated with security and privacy policies. HIPAA also requires six years’ retention of documentation associated with the covered entities’ compliance efforts.

Small to medium-sized healthcare providers would need considerable storage space to retain 6 years of emails plus attachments. It is a good idea to use an encrypted email archiving service rather than paying for in-house storage space. An archive is also useful because, in contrast to a backup, all emails are indexed and the archive can be searched. That means that emails can easily be found if required, such as during legal discovery or as part of a compliance audit.

Just like an email service provider, providers of an email archiving service are subject to HIPAA Rules and are considered a business associate. There must be a BAA in place before using the service.

6. Get a patient’s consent before using email for communication

Email is convenient for sending ePHI to patients, but a patient’s written permission must be obtained before using email as a means of communicating messages containing ePHI. This is necessary even when using a HIPAA compliant email provider. Patients should be made aware of the risks to the privacy of information when sending PHI via email. If they willingly accept the risks, then sending emails containing ePHI does not violate HIPAA Rules.

7. Get legal assistance on email HIPAA compliance

If in doubt about the prerequisites of HIPAA compliant email, it is strongly advisable to consult a healthcare lawyer who is an expert in HIPAA regulations. He/she can advise you regarding the requirements of HIPAA with respect to email.