HIPAA-covered entities need to make certain that protected health information (PHI) sent by email is secure and controls are applied to prevent unauthorized persons from intercepting personal and health information. Many opt to make use of HIPAA-compliant email providers to make sure proper controls are in place to protect the integrity, confidentiality, and availability of PHI.
There are numerous HIPAA compliant email providers that offer end-to-end encryption for email messages. A few of the options require hosting the software on your own system; others manage everything. Switching email provider doesn’t necessarily mean you need to alter your email addresses. Lots of email services let you retain your current email addresses and send out messages as you usually do from your desktop computer.
All HIPAA compliant email providers must implement all of the following safeguards required by the HIPAA Security Rule.
- Access controls – 164.312(a)(1)
- Audit controls – 164.312(b)
- Integrity controls – 164.312(c)(1)
- Authentication measures – 164.312(d)
- Secure transmission of PHI – 164.312(e)(1)
As long as an email service provider includes all those controls, the provider could be regarded as HIPAA-compliant. However, before the service is used, the email service provider must enter into a contract with the HIPAA-covered entity in the form of a business associate agreement (BAA).
HIPAA-covered entities should be aware that an email service provider only needs to incorporate appropriate safeguards into its platform in order to comply with HIPAA Rules. The covered entity is responsible for ensuring the service is set up correctly, that employees are trained in the proper use of email, and that they are made aware of the permitted uses and disclosures of PHI. An email service provider is not responsible for any HIPAA violations that occur as a result of improper use of its email service.
An email service only ensures that the HIPAA requirements for email are met. Employees must receive security awareness training and be able to identify threats that could get through to their inboxes. Technologies should also be used to lessen the risk of email-based attacks such as phishing. Certain email service vendors, though not all, scan incoming messages and block spam, malware, and phishing emails; third-party solutions should also be considered in addition to those provided by the service provider.
Do Emails Need to be Encrypted?
Many healthcare organizations are unsure about the need to encrypt their emails. While HIPAA compliant email providers use encryption on all emails in transit, encryption is not compulsory under HIPAA. The HIPAA Security Rule simply requires institutions to evaluate whether encryption is appropriate. A HIPAA-covered entity doesn’t have to encrypt emails when there is an alternate control in place that provides an equivalent level of protection as encryption.
One control often used is a secure email server placed behind a firewall. In such cases, it is not a requirement of HIPAA to use encryption on all internal emails. Encryption is likewise not required if delivering email messages to patients who have permitted a covered entity to connect with them through email, although in such cases the patient must have been advised of the potential risk of interception of their PHI and told that email may not be secure. The decision not to use encryption should be guided by a risk analysis, and in all cases, the decision not to encrypt emails must be documented along with the rationale behind the decision.
In some cases, encryption is required. When healthcare providers send payment claims through email, communicate with other healthcare companies and refer patients, and when emails are transmitted beyond the protection of a firewall, encryption is necessary.
There are significant risks when delivering sensitive data through email because email is not secure. Emails are created on one device, delivered to an outbound email server, traverse the internet, and reach the recipient’s email server before being delivered to the recipient’s inbox. Copies of emails could be retained on no fewer than four different devices, and emails could easily be intercepted by hackers in transit.
The Department of Health and Human Services has already penalized covered entities for using non-HIPAA-compliant email services. Phoenix Cardiac Surgery had to pay $100,000 to resolve HIPAA violations related to the use of an insecure web-based email service.
Listing of HIPAA Compliant Email Service Providers
If you are looking for a HIPAA-compliant email service provider, refer to the list below. Our list of HIPAA compliant email providers is not exhaustive, but it includes HIPAA-compliant email service providers who have implemented controls to meet the provisions of the HIPAA Security Rule and are prepared to enter into a business associate agreement with healthcare organizations.
- Apsida Mail
- Delivery Trust from Identillect Technologies
- Hushmail for Healthcare