
Collecting data using HIPAA compliant email

Email is a communication tool across industries such as healthcare, finance, and customer service. In the healthcare sector, it is also a tool for patient-provider communication, appointment scheduling, prescription management, and secure data exchange. Beyond direct patient interactions, healthcare organizations use email to conduct surveys and gather research data.


Can you collect data using email?

Yes, email can be used to collect data in several ways, such as through patient intake forms, follow-up questionnaires, customer feedback requests, and compliance reporting. Healthcare providers may use email to gather patient-reported outcomes, conduct telehealth assessments, and streamline administrative tasks like insurance verification and billing inquiries. Research institutions and public health organizations also leverage email to distribute surveys, collect study participant data, and manage clinical trial communications.

While email can be an efficient data collection method, handling sensitive information comes with security and compliance challenges. Organizations subject to HIPAA regulations must implement safeguards to prevent unauthorized access, data breaches, and human error. Measures such as encryption, secure form integration, and consent management help ensure safe and compliant data collection.

This guide details how to securely collect data using email while maintaining compliance with HIPAA standards. We will cover best practices for encryption, consent management, secure form integration, and staff training to ensure safe and effective email-based data collection.


How to choose a secure email service

The first step to securely collecting data via email is to use a secure, HIPAA compliant email provider. It is recommended to use known HIPAA compliant providers, as not all email services are designed for the secure collection of data like protected health information (PHI). Healthcare organizations should use an email service with the following features:

Encryption

HIPAA’s technical safeguards require the use of access control to “allow access only to those persons or software programs that have been granted access rights.” This allows authorized users access to the “minimum necessary information needed to perform [their] job functions.” As an implementation specification for access control, healthcare organizations may use encryption.

Encryption converts “regular text into encoded text” to ensure that messages are secure in transit and at rest. This prevents unauthorized access or tampering with the data. While encryption is an addressable requirement under HIPAA, it remains a best practice.


Audit controls

HIPAA requires the use of audit controls to “record and examine activity in information systems that contain or use electronic protected health information.” Audit controls are especially beneficial when “determining if a security violation occurred” because they track email activity. In turn, this maintains compliance by providing a detailed record of when emails are sent, accessed, or modified. “Not safeguarding audit logs and audit trails can allow hackers or malevolent insiders to cover their electronic tracks, making it difficult for Covered Entities and Business Associate to not only recover from breaches, but to prevent them before they happen,” says the U.S. Department of Health and Human Services (HHS).


Business associate agreement (BAA)

“The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information,” says the HHS. Having a BAA in place ensures HIPAA compliance by requiring third-party email providers to adhere to the same strict security and privacy standards for handling PHI as covered entities do.


The HIPAA compliant solution: Paubox Email Suite

One such email service provider that meets these requirements is the Paubox Email Suite. Paubox offers seamless encryption, access controls, and an audit log feature. Additionally, Paubox signs a BAA, which guarantees that it adheres to the same stringent security protocols for handling PHI as required by HIPAA. By using Paubox, organizations can ensure secure and compliant communication, helping to safeguard patient data.


Encrypting emails and attachments

According to IBM, encryption allows organizations to “deter or mitigate the severity of data breaches. This is achieved by ensuring that hackers can’t access their most sensitive data, including social security numbers, credit card numbers and other personally identifiable information (PII).”

Encryption can be categorized as symmetric and asymmetric.


Symmetric encryption

Symmetric encryption uses a single shared key to both encrypt and decrypt data. Common symmetric encryption algorithms include:

  • Data Encryption Standard (DES): Introduced by IBM in the 1970s, DES served as a federal encryption standard for many years. However, its relatively short 56-bit key length made it vulnerable to brute-force attacks, and it has since been replaced by more secure algorithms.
  • Triple DES (3DES): Developed to improve upon DES, “3DES applies the DES algorithm three times to each data block, significantly increasing the key length and strengthening security.” Despite being more secure than DES, 3DES is now considered outdated and has been replaced by the Advanced Encryption Standard (AES).
  • Advanced Encryption Standard (AES): Often considered the gold standard for modern data protection, AES is widely adopted by “organizations and governments worldwide, including the US government and the US National Institute of Standards and Technology (NIST).” It supports key lengths of 128, 192, or 256 bits, providing strong security for sensitive email messages and attachments. AES has largely replaced DES and 3DES in modern systems.
  • Twofish: A symmetric key block cipher known for both speed and security, Twofish operates on 128-bit data blocks and supports key lengths of 128, 192, or 256 bits. “Since it is open source and resistant to cryptanalysis, organizations often rely on Twofish when security and performance are critical.”


Asymmetric encryption

Asymmetric encryption, also known as public-key encryption, uses a pair of mathematically related keys: a public key for encryption and a private key for decryption. This approach is particularly useful for secure email transmission and digital signatures. Asymmetric algorithms include:

  • RSA (Rivest-Shamir-Adleman): RSA relies on the “mathematical complexity of prime numbers to generate key pairs.” It is commonly used in secure communication protocols such as HTTPS, SSH, and TLS, making it foundational for protecting email in transit and verifying digital signatures.
  • Elliptic Curve Cryptography (ECC): ECC is based on the “mathematical properties of elliptic curves over finite fields.” It provides strong security with shorter key lengths compared to traditional algorithms like RSA. This efficiency makes ECC especially suitable for smartphones, IoT devices, and other resource-constrained systems.

Organizations should use automatic encryption to protect all outgoing emails and attachments.


Obtaining consent for email data collection

According to an NIH article titled Informed Consent, “Informed consent is a process in which a healthcare professional educates a patient about the risks, benefits, and alternatives of a given procedure or intervention.” This concept ensures that “patients are fully informed about the medical procedures or treatments they may undergo, enabling them to make autonomous decisions about their care.” In data collection, this ensures that the data collection process complies with legal and ethical standards, which is especially crucial in healthcare due to the emphasis on privacy and security.


How to obtain consent

The NIH article explains that “Obtaining informed consent in medicine is a process that should include describing the proposed intervention, emphasizing the patient's role in decision-making, discussing alternatives to the proposed intervention, discussing the risks and benefits of the proposed intervention, and eliciting the patient's preference, often confirmed by their signature. Effective informed consent requires a thorough discussion of all relevant risks, which typically encompasses general risks, risks specific to the procedure, risks of no treatment, and treatment alternatives. In addition, many consent forms express no guarantees that the proposed method can resolve the problem being addressed.”

See also: HIPAA Compliant Email: The Definitive Guide


Avoiding PHI and sensitive data in subject lines

To reduce security risks, organizations should never include PHI, personal information, or financial data in email subject lines, which are typically not encrypted and appear in logs, notifications, and mailbox previews. Instead, use generic phrases such as:

  • "Secure message regarding your account"
  • "Your requested information"
  • "Secure document attached"
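As an added example that is not part of the original article and not Paubox code, the Go function below is the kind of pre-send check a mail gateway or client plugin could run against a subject line before the message leaves the organization. The regular expressions and the clinical keyword list are constructed illustrations of the categories named above (identifiers, dates, card numbers, clinical terms), not an exhaustive policy, and the sample subjects are made up.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed detection rules for a subject-line check. A real deployment
// would tune these to its own identifier formats and terminology.
var (
	ssnPattern  = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	datePattern = regexp.MustCompile(`\b\d{1,2}/\d{1,2}/\d{2,4}\b`)
	cardPattern = regexp.MustCompile(`\b(?:\d[ -]?){13,16}\b`)
	idPattern   = regexp.MustCompile(`(?i)\b(?:mrn|patient id|account|acct|policy)\s*#?\s*:?\s*\d+`)
	phiKeywords = []string{
		"diagnosis", "lab results", "test results", "prescription",
		"biopsy", "hiv", "mental health", "substance use",
	}
)

// SubjectLineFindings returns the reasons a subject line should be rewritten
// before sending. An empty result means the subject passed every rule.
func SubjectLineFindings(subject string) []string {
	var findings []string
	if ssnPattern.MatchString(subject) {
		findings = append(findings, "possible Social Security number")
	}
	if datePattern.MatchString(subject) {
		findings = append(findings, "date that may be a date of birth or visit date")
	}
	if cardPattern.MatchString(subject) {
		findings = append(findings, "possible payment card number")
	}
	if idPattern.MatchString(subject) {
		findings = append(findings, "record or account identifier")
	}
	lower := strings.ToLower(subject)
	for _, kw := range phiKeywords {
		if strings.Contains(lower, kw) {
			findings = append(findings, "clinical keyword: "+kw)
		}
	}
	return findings
}

// SafeSubject returns the original subject if it passed, otherwise the
// generic placeholder recommended above so the message can still be sent.
func SafeSubject(subject string) string {
	if len(SubjectLineFindings(subject)) == 0 {
		return subject
	}
	return "Secure message regarding your account"
}

func main() {
	// Constructed sample subjects.
	samples := []string{
		"Secure message regarding your account",
		"Lab results for MRN 44821, DOB 03/14/1987",
		"Card 4111 1111 1111 1111 declined",
	}
	for _, s := range samples {
		fmt.Printf("%q -> %v\n", s, SubjectLineFindings(s))
		fmt.Printf("   sent as: %q\n", SafeSubject(s))
	}
}
```

The check is deliberately conservative: a false positive only costs the sender a generic subject line, while a missed PHI element in a subject header is exposed on every hop that logs or previews it.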

Learn more: How to write a great HIPAA compliant subject line


Using secure online forms instead of direct email responses

Rather than requesting sensitive data via email replies, use a HIPAA compliant web form to collect information securely.


HIPAA compliant forms: Paubox Forms

Paubox Forms is an excellent solution for securely collecting sensitive information online, offering a HIPAA compliant alternative to traditional email responses. By using Paubox Forms, organizations can create secure web forms that allow patients or clients to submit their data directly through an encrypted platform, eliminating the risks associated with emailing sensitive information. These forms are designed to ensure that all submitted data is encrypted both in transit and at rest, protecting it from unauthorized access.


Training staff on email security and compliance

Jennie C. De Gagne and her colleagues state in a study published by JMIR Publications that “email is ubiquitous in education and health care, where it is used for student-to-teacher, provider-to-provider, and patient-to-provider communications, but not all students, faculty members, and health professionals are skilled in its use.” To mitigate the risks associated with improper use of email, organizations must provide HIPAA email training.

Employees handling sensitive data must be trained on:

  • Recognizing phishing scams and security threats.
  • Proper encryption and data handling techniques.
  • HIPAA, GDPR, and CCPA regulations regarding email communications.
  • How to report email security incidents.

Regular training helps prevent accidental data breaches and enhances overall security awareness.


FAQs

What does it mean for an email service to be HIPAA compliant?

A HIPAA compliant email service follows strict security measures such as encryption, secure login protocols, and audit logging to protect sensitive patient information. It also ensures that the email provider signs a business associate agreement (BAA) to comply with HIPAA requirements.


What is the purpose of HIPAA in healthcare communication?

HIPAA ensures the protection of patients' sensitive health information, especially in electronic communications like email. The main purpose is to safeguard personal health information (PHI) from unauthorized access and ensure that healthcare organizations maintain privacy and security when communicating with patients and third parties.


Can I use standard email for sending protected health information (PHI)?

Standard email services are not secure enough to send PHI unless they are HIPAA compliant. A non-compliant service can expose sensitive information to unauthorized access, leading to potential breaches. Use a HIPAA compliant email provider that encrypts data and meets all necessary privacy and security standards.


What are the risks of using non-compliant email services in healthcare?

Using non-compliant email services can expose sensitive patient data to unauthorized access, leading to potential data breaches, identity theft, and violations of HIPAA regulations. These breaches can result in fines, loss of reputation, and legal consequences.