Paubox blog: HIPAA compliant email made easy

Are email addresses protected by HIPAA?

Written by Kirsten Peremore | December 21, 2022

Yes. Email addresses are protected by HIPAA: the Privacy Rule lists them among the identifiers that must be removed before health information can be considered de-identified.


HIPAA and protected health information

The HHS describes the protection of personal health information as follows: "The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information."

Protected health information (PHI) under HIPAA is any information in a medical record that can be used to identify an individual and that was created, used, or disclosed in the course of providing a healthcare service. It covers a wide range of personal identifiers that could reveal the identity of an individual.

HIPAA's Privacy Rule, specifically Sections 160 and 164 of the Act, sets standards for the protection of PHI held by covered entities like healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates.

The identifiers, of which there are 18, are listed in 45 CFR § 164.514(b)(2)(i).

See also: What are the 18 PHI identifiers?

https://www.youtube.com/watch?v=paUlycrz6A4


Are email addresses PHI?

According to the Privacy Rule, "All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(D) Telephone numbers;

(E) Fax numbers;

(F) Electronic mail addresses…"


Yes, email addresses are considered PHI under HIPAA when they are associated with medical information that can identify an individual. According to the Privacy Rule, specifically the implementation specifications for the de-identification of PHI, email addresses must be stripped from health records to achieve de-identification.

This requirement exists because an email address is a direct link to an individual's identity, particularly when combined with other health-related information. By removing email addresses along with the other listed identifiers, such as names and social security numbers, health information can be rendered anonymous.
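The de-identification step described above, as an added example (not Paubox code): a scrubber that removes the identifier classes quoted from the Privacy Rule on this page, namely email addresses, telephone and fax numbers, all date elements except the year, and ages over 89 (aggregated to "90 or older"). The clinical note it runs on is constructed; the full Safe Harbor method covers all 18 identifier classes, so this handles only the ones the page quotes.

```python
"""Scrub a subset of HIPAA Safe Harbor identifiers from free text.

Added example, not Paubox code. Handles only the identifiers quoted on
the page: e-mail addresses, phone/fax numbers, dates (year is kept),
and ages over 89. Names and the other identifier classes are NOT handled.
"""
from __future__ import annotations

import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 7- or 10-digit North American numbers, e.g. 555-0142 or (555) 555-0199.
PHONE_RE = re.compile(r"(?<!\d)(?:\(?\d{3}\)?[ -]?)?\d{3}-\d{4}(?!\d)")
# Dates: Safe Harbor allows the year, so keep it and drop month and day.
ISO_DATE_RE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")      # 2022-12-21
US_DATE_RE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")   # 12/21/2022
AGE_RE = re.compile(r"\b(age|aged)\s+(\d{1,3})\b", re.IGNORECASE)

# Constructed sample note (not real patient data).
SAMPLE_NOTE = (
    "Patient (DOB 1931-04-09, age 91) seen 12/21/2022. "
    "Contact: jane.example@example.org, (555) 555-0199, fax 555-0142. "
    "Follow-up scheduled 2023-01-05."
)


def scrub(text: str) -> tuple[str, dict[str, int]]:
    """Return the scrubbed text and a count of removals per identifier class."""
    counts = {"email": 0, "phone": 0, "date": 0, "age": 0}

    def apply(pattern: re.Pattern, repl, key: str, s: str) -> str:
        out, n = pattern.subn(repl, s)
        counts[key] += n
        return out

    def age_repl(m: re.Match) -> str:
        # Ages over 89 must be aggregated into a single "90 or older" bucket.
        if int(m.group(2)) > 89:
            counts["age"] += 1
            return f"{m.group(1)} 90 or older"
        return m.group(0)

    text = apply(EMAIL_RE, "[EMAIL REMOVED]", "email", text)
    # Dates before phones so a date's digit groups are never read as a number.
    text = apply(ISO_DATE_RE, r"\1", "date", text)
    text = apply(US_DATE_RE, r"\3", "date", text)
    text = apply(PHONE_RE, "[PHONE REMOVED]", "phone", text)
    text = AGE_RE.sub(age_repl, text)
    return text, counts


if __name__ == "__main__":
    scrubbed, removed = scrub(SAMPLE_NOTE)
    print(scrubbed)
    print(removed)
```

Run as a script it prints the scrubbed note and the per-class counts. Dates are handled before phone numbers so that the digit groups of an ISO date cannot be mistaken for a telephone number, and the age rule follows the regulation's wording by collapsing any age over 89 to "90 or older" rather than deleting it.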

How to secure email addresses without de-identification

  1. HIPAA compliant email providers: Use HIPAA compliant email services. These providers sign a business associate agreement (BAA), which is mandatory under HIPAA regulations. They provide encryption both in transit and at rest and implement additional security measures to protect PHI.
  2. Segmentation and minimal privilege: Segment access to email systems and ensure that employees have only the minimum level of access necessary to perform their job functions. This limits the potential exposure of email addresses and other PHI if an account is compromised.
  3. Secure email configuration: Configure email servers to use secure protocols like TLS for transmitting emails. Disable protocols that do not support encryption. Also, configure Domain-based Message Authentication, Reporting, and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) to prevent email spoofing and let receiving servers verify that a message really comes from your domain.
  4. Detailed logging and monitoring: Maintain detailed logs of all email access and transmissions and monitor these logs for any unusual activity. This helps in detecting and responding to potential security incidents more rapidly.
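As an added example of step 3 (not Paubox code), the checker below reviews SPF and DMARC TXT records for the weak settings that leave a domain open to spoofing, showing a weak record beside a corrected one. The domain and records are constructed so the code runs offline; in practice the strings would come from a DNS query such as `dig +short txt _dmarc.example.org`.

```python
"""Flag weak SPF and DMARC settings in published TXT records.

Added example, not Paubox code. Operates on record strings so it runs
offline; the domain example.org and all records below are constructed.
"""
from __future__ import annotations

# Constructed records: a weak configuration and its corrected form.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = ("v=DMARC1; p=reject; pct=100; "
                "rua=mailto:dmarc-reports@example.org; adkim=s; aspf=s")

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 limit is 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'k=v; k=v' into a dict; tag names are case-insensitive."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def _mechanism_name(term: str) -> str:
    """'include:_spf.x' -> 'include', '-all' -> 'all', 'redirect=x' -> 'redirect'."""
    name = term.lstrip("+-~?").lower()
    for sep in (":", "/", "="):
        name = name.split(sep, 1)[0]
    return name


def assess_spf(record: str) -> list[str]:
    findings: list[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    # The 'all' term and its qualifier decide what happens to unlisted senders.
    all_term = next((t for t in terms[1:] if _mechanism_name(t) == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term.startswith("+") or all_term == "all":
        findings.append("+all: any host may send as this domain")
    elif all_term.startswith("~"):
        findings.append("~all (softfail): spoofed mail is marked but usually still delivered")
    elif all_term.startswith("?"):
        findings.append("?all (neutral): equivalent to no policy")
    lookups = sum(1 for t in terms[1:] if _mechanism_name(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: over the limit of 10, receivers return permerror")
    return findings


def assess_dmarc(record: str) -> list[str]:
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings: list[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("p tag missing or invalid: record is not a usable policy")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so spoofing attempts go unseen")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, "SPF:", assess_spf(spf) or "ok")
        print(label, "DMARC:", assess_dmarc(dmarc) or "ok")
```

The weak pair passes SPF with a softfail and publishes a DMARC policy of `p=none`, so a spoofed message claiming to be from the domain is still delivered; the corrected pair ends SPF with `-all`, sets `p=reject`, and asks for aggregate reports so that spoofing attempts show up in monitoring. DKIM is not checked here because its record only carries the public key; whether signatures verify is observed at the receiving side.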

See also: Top 12 HIPAA compliant email services


FAQs

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that provides data privacy and security provisions for safeguarding medical information.

Why are email addresses protected under HIPAA?

Email addresses are protected because they can be used to identify an individual and possibly reveal their health information if they are part of a medical record or are used for communication about healthcare services.

What is a BAA?

A BAA is a contract between a HIPAA covered entity and a vendor with access to PHI, including email addresses.