
HIPAA compliant email checklist 2024: What you need to know

Secure, encrypted email helps healthcare organizations protect patient privacy and comply with legal standards. HIPAA outlines the requirements, such as encrypting emails while they're being sent and implementing strict controls over who can access them.

Thankfully, setting up a secure and encrypted email system is not as complicated as it might seem, regardless of the size of your practice or organization. Our checklist demystifies these requirements with clear, straightforward steps, guiding you through the process to ensure your email communications are secure and compliant.


Who needs to send HIPAA compliant email?

HIPAA regulations apply to two main groups: covered entities and their business associates. As a healthcare provider, health plan, or healthcare clearinghouse, you fall into the category of a covered entity. Meanwhile, business associates are those who offer services to these covered entities. If your work involves dealing with protected health information (PHI), HIPAA compliance is a must. This means any email containing PHI, sent by either a covered entity or a business associate, must adhere to HIPAA standards.


Legal and ethical responsibilities

Secure email communication is, to be blunt, a legal requirement. The HIPAA Security Rule requires the encryption of emails containing PHI when transmitted over open networks to prevent unauthorized access. Full stop. There's no wiggle room there. As a covered entity or business associate sending emails that may contain PHI, you must use HIPAA compliant email solutions. 

Non-compliance with HIPAA can result in fines ranging from $100 to $50,000 per violation, with a maximum of $1.5 million per year for identical violations, depending on the level of negligence, and that's just the financial penalties. 

Criminal charges, additional fines as high as a quarter million dollars, and onerous corrective action are yet more reasons to be concerned with securing your email communication. 

So, when it comes to HIPAA compliance, money and reputation are on the line. 

Go deeper: HIPAA Compliant Email: The Definitive Guide

 

Responsibilities of HIPAA compliance

The primary responsibilities of HIPAA compliance revolve around privacy, security, and transparency. There are several "rules," including the Privacy Rule, Security Rule, Breach Notification Rule, Enforcement Rule, Omnibus Rule, and the HITECH Act, that a covered entity must follow, but the essential responsibilities are as follows.

The Privacy Rule requires covered entities to ensure the confidentiality of protected health information (PHI), provide patients with medical records, and get patient authorization before using or sharing PHI for non-treatment-related purposes. Also, you'll need to have policies and procedures around this stuff and train employees on it. 

The Security Rule focuses on electronic PHI (ePHI). This rule, according to the HHS, "requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information." 

This is where HIPAA compliant email comes into play. The secure transmission of ePHI is a HIPAA requirement. Encrypting emails that contain PHI fulfills that requirement, and the easiest way to do so is to use a HIPAA compliant email service that encrypts every email by default. 

Other basics of the Security Rule include running periodic risk assessments, enacting security measures to protect against unauthorized access to ePHI, and having clear security policies like access controls, audit logs, and password protocols.

When things go wrong, the Breach Notification Rule comes into play, requiring covered entities to notify individuals of breaches that involve their PHI. If the breach involves more than 500 people, the HHS's Office for Civil Rights and even the media may need to be notified. The rule also requires that you document all HIPAA violations and breaches.

 

Business associate agreements and HIPAA compliant email

A business associate agreement (BAA) is a contract you'll sign with any email service provider that describes their commitment to HIPAA compliance and defines how they'll handle PHI in accordance with HIPAA regulations.

According to the HHS, "If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules' requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules."

You'll likely work with email clients like Google Workspace and Microsoft 365, as well as with a HIPAA compliant email platform like Paubox. Make sure to sign a BAA with these services - your email won't be compliant without it. 

What makes email HIPAA compliant

 

HIPAA compliant email best practices

Emails must be sent using a secure email platform. A HITRUST-certified, HIPAA compliant email provider like Paubox satisfies HIPAA's requirements right out of the box. Paubox encrypts every part of the email, including the subject line, headers, body, and attachments, so you and your colleagues can just hit send on your emails without worrying. This matters because standard email clients, including Gmail, usually don't encrypt subject lines even if they offer encryption.

All emails should ideally be encrypted by default. Many email encryption solutions require the sender to take extra steps to encrypt emails, whether by clicking specific buttons or typing "SECURE" in the subject line. These additional steps lead to inadvertent violations as busy, distracted staff are understandably prone to forgetting. That's why Paubox encrypts every email automatically with no extra step required. 

There's one more note while we're on the subject of extra steps. Ideally, your recipients won't need to take additional steps to read the email either. Portal-based communication, while HIPAA compliant, is a massive headache for recipients. It's worth avoiding. 


 

Frequently Asked Questions

Here are some frequently asked questions about HIPAA compliant email.

 

When does my HIPAA liability end when sending an email?

Once an email has been delivered to the end recipient's system using encryption, the covered entity or business associate has fulfilled their obligations for the HIPAA Privacy Rule.

Read more: How do I know when my HIPAA privacy obligation for email encryption ends?

 

Does a disclaimer make an email HIPAA compliant?

No. Emails must be sent securely to be HIPAA compliant. Adding a disclaimer does not meet HIPAA Security Rule requirements or make an email HIPAA compliant.

 

Is Gmail HIPAA compliant?

The free version of Gmail is not HIPAA compliant. Google will not sign a business associate agreement with free Gmail users.

Upgrade to a paid Google Workspace account for HIPAA compliance and sign a business associate agreement. Even then, Gmail isn't 100% HIPAA compliant when sending emails to recipients that don't support TLS encryption. For emails to be 100% HIPAA compliant and avoid HIPAA violations, use Paubox Email Suite with Google Workspace to encrypt all emails by default.

Learn more: Why Google Workspace and Microsoft 365 aren't enough for complete HIPAA compliance

 

Is Microsoft 365 HIPAA compliant?

Mostly yes. According to Microsoft, their encrypted emails work with other Microsoft email clients, but "if the recipient is using another email client or email account, such as Gmail or Yahoo, they'll see a link that lets them either sign in to read the email message or request a one-time passcode to view the message in a web browser."

Portals severely disrupt patient communication because accessing an email or attachment requires up to 6 extra steps. Use Paubox Email Suite with your Microsoft 365 account to encrypt all emails by default without needing patients to log in to a portal.

 

What should you do if you violate HIPAA in an email?

First, determine if the violation resulted in unauthorized disclosure of protected health information. If it did, notify the affected client promptly and take steps to mitigate any potential harm. Reporting the violation to the U.S. Department of Health and Human Services is required only if the breach affects 500 or more individuals, but it's good practice to document all breaches, regardless of size.

 

Does the subject line of an email have to be encrypted?

If the subject line contains ePHI, yes, it must be encrypted. It should be noted that it is not a healthcare provider's responsibility to ensure that incoming email is encrypted (although many organizations like having this feature).

Read more: Does an email subject line have to be HIPAA compliant?

 

When does HIPAA liability end when sending an email?

According to HIPAA, "covered entities are not responsible for safeguarding information once delivered to the individual."

Once an encrypted email has been delivered to the recipient, the covered entity or business associate is no longer responsible.

 

Does the email message header have to be encrypted?

An email message header includes fields that provide information about the sender, recipient, and message routing.

Some standard email header fields include:

  • From: the email address of the sender
  • To: the email address of the primary recipient
  • Subject: the subject or topic of the message
  • Date: the date and time the message was sent
  • Cc: (carbon copy) list of recipients who are to receive a copy of the message
  • Bcc: (blind carbon copy) list of recipients who receive a copy of the message without the other recipients being aware
  • Reply-To: the email address that should be used when replying to the message
  • Message-ID: a unique identifier for the message
  • In-Reply-To: the Message-ID of the message that this message is a reply to
  • References: a list of Message-IDs for messages that this message is related to

As you can see, there are myriad instances in which PHI can be inserted into a message header. Therefore, you should encrypt email message headers as a best practice.

 

Do all email encryption methods encrypt a message header?

Email sent via Transport Layer Security (TLS) does encrypt the message header while it's in transit across the internet.

Email sent using PGP or S/MIME, however, does not encrypt the message header; only the body (and attachments) is protected.

Since message headers are likely to contain PHI, PGP and S/MIME on their own are insufficient forms of encryption for HIPAA compliant email.

 

Why isn't PGP more widely used to encrypt email?

PGP (Pretty Good Privacy) is a long-established standard for email encryption, but it is not widely adopted. Here are several reasons why:

  1. Complexity. PGP requires users to generate and manage their own public and private keys, which can be a complex and time-consuming process for non-technical users.
  2. Lack of Integration. PGP requires additional software and plugins to be installed in order to work with most email clients, which can be a barrier to adoption for some users.
  3. Security concerns. PGP has been criticized for having numerous security vulnerabilities in the past, which has led to some organizations being hesitant to adopt it.
  4. Ease of use. PGP is not as user-friendly as some other encryption methods, which can make it less appealing.

 

Are email attachments encrypted?

Yes. Email attachments encrypted by either TLS, PGP, or S/MIME will be encrypted in transit.

Read more: What types of encryption methods encrypt email attachments?

 

Am I responsible for incoming emails to be HIPAA compliant?

HIPAA does not require covered entities and business associates to encrypt their inbound email. To maintain HIPAA compliance, healthcare organizations must implement technical safeguards for outbound email containing PHI. The best technical safeguard is using encryption.

Read more: Do you need inbound email security to be HIPAA compliant?

 

If I password-protect an email attachment, does that make it HIPAA compliant?

The guidance from HHS is clear: forgoing encryption and only using password protection for a document (or an entire hard drive, for that matter) is not sufficient and has already led to publicized HIPAA fines.

Therefore, using only password protection for attaching a document via email is not a HIPAA compliant approach and should be avoided.

Read more: Is my password-protected PDF document HIPAA compliant?

 

What versions of Transport Layer Security encryption are considered secure?

In January 2021, the NSA issued the following guidance:

"The National Security Agency (NSA) emphatically recommends replacing obsolete protocol configurations with ones that utilize strong encryption and authentication to protect all sensitive information… Network connections employing obsolete protocols are at an elevated risk of exploitation by adversaries."

Furthermore:

"NSA recommends that only TLS 1.2 or TLS 1.3 be used; and that SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 not be used."

Following NSA guidance, here's a list of security protocols supported by Paubox:

  • SSL v2 (Not Supported)
  • SSL v3 (Not Supported)
  • TLS 1.0 (Not Supported)
  • TLS 1.1 (Not Supported)
  • TLS 1.2 (Supported)
  • TLS 1.3 (Supported)

Read more: Paubox eliminates obsolete TLS protocols, follows NSA guidance
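One way to verify that a mail server you hand PHI to actually negotiates TLS 1.2 or 1.3, as an added example that is not Paubox's code: it connects to an SMTP server (host name supplied by you), issues STARTTLS with a client context that refuses anything older than TLS 1.2, and reports the negotiated version. Note that this covers only the hop to that server; each onward hop negotiates its own TLS.

```python
import smtplib
import ssl

# Versions the NSA guidance allows, and the ones it says not to use.
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def protocol_is_acceptable(version: str) -> bool:
    """True only for TLS 1.2 / 1.3 (strings as returned by SSLSocket.version())."""
    return version in ACCEPTABLE


def strict_context() -> ssl.SSLContext:
    """Client context that refuses to negotiate anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to an MTA, issue STARTTLS and report the negotiated version.

    Covers only the hop to this server; onward hops negotiate their own TLS.
    """
    result = {"starttls": False, "version": None, "acceptable": False, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                result["error"] = "server does not offer STARTTLS"
                return result
            result["starttls"] = True
            smtp.starttls(context=strict_context())
            result["version"] = smtp.sock.version()  # e.g. "TLSv1.3"
            result["acceptable"] = protocol_is_acceptable(result["version"])
    except ssl.SSLError as exc:
        # With minimum_version set, a server stuck on SSLv3/TLS 1.0/1.1 fails here.
        result["error"] = f"handshake rejected (obsolete protocol?): {exc}"
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = f"connection failed: {exc}"
    return result


if __name__ == "__main__":
    import sys
    print(check_starttls(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

Run it against your own outbound relay or a recipient's MX; an `error` mentioning a rejected handshake means that server could not meet the TLS 1.2 floor.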

 

Do international companies need to abide by HIPAA?

If an international company handles or transmits PHI of U.S. citizens, it is subject to HIPAA regulations.

Read more: Do international companies have to abide by HIPAA?

 

Does email qualify under the HIPAA Conduit Exception rule?

The HIPAA Conduit Exception Rule was created by the HIPAA Privacy Rule in December 2000. The conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form). Since every email account has email stored in it, this would preclude it from being a transmission-only service.

In summary, email does not qualify under the HIPAA Conduit Exception rule.

Read more: HIPAA Conduit Exception Rule – what is it?

 

Can a covered entity or business associate use a consumer email service provider like Yahoo or Hotmail?

A business associate agreement is required for any vendor handling or processing PHI on behalf of a covered entity or business associate. We have not found a single consumer email service that provides a BAA. Therefore, using a provider like Yahoo or Hotmail is not HIPAA compliant and should be avoided.


 

What is HITRUST?

HITRUST is a standards development organization that was founded in 2007. It develops and maintains a healthcare compliance framework called the HITRUST CSF. The HITRUST CSF is designed to unify security controls from federal law (HIPAA), state law, and non-governmental frameworks (PCI-DSS) into a single framework tailored to the healthcare industry.

Paubox solutions have been HITRUST CSF certified since 2019.

Read more: Paubox renews, expands HITRUST CSF certification through 2025

 

Does Paubox have patents for its work on encrypted email?

Yes, Paubox currently has four patents.

Read more: U.S. Patent Office approves our approach to email encryption

 

Is email marketing HIPAA compliant?

Yes, but very few email marketing platforms offer HIPAA compliant email marketing. For email marketing to be compliant, two requirements must be met.

First, you must get authorization from patients to send them marketing emails. Usually, this is added to your Notice of Privacy Practices or asked when someone first becomes a client. However, anything directly related to treatment or healthcare operations, like appointment reminders, is exempt from this requirement.

Second, the marketing emails must be encrypted. So, you'll need to use a HIPAA-compliant platform, like Paubox Marketing.
