HIPAA recognizes that healthcare providers rarely operate in isolation. Instead, they rely heavily on third-party vendors, termed business associates, to perform critical functions involving PHI. According to the U.S. Department of Health & Human Services (HHS), a business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
“If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules,” says the HHS. Furthermore, the HHS states that “By law, the HIPAA Privacy Rule applies only to covered entities – health plans, health care clearinghouses, and certain health care providers. However, most health care providers and health plans do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these ‘business associates’ if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.”
The legal framework
HIPAA’s Privacy Rule and Security Rule set clear standards:
- Privacy Rule: Protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media.
- Security Rule: Specifies a series of administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI).
A failure to comply can lead to severe consequences. The HHS’ Office for Civil Rights (OCR) enforces HIPAA regulations and levies fines for violations.
Real-world implications
In 2015, TransUnion conducted a survey that included 1,228 U.S. healthcare consumers. The survey found that 65% of patients said they would avoid providers that had experienced a data breach. Furthermore, younger patients (ages 18–34) were particularly inclined to switch providers, with 73% indicating they would. Conversely, 64% of those over 55 said they likely would not. According to Gerry McCarthy, president of TransUnion Healthcare, “Older consumers may have long-standing loyalties to their current doctors, making them less likely to seek a new healthcare provider following a data breach. However, younger patients are far more likely to at least consider moving to a new provider if there is a data breach.”
What is HIPAA compliant email?
HIPAA compliant email is designed to meet the requirements of the HIPAA Privacy Rule and Security Rule. A compliant solution typically includes:
- Encryption (both in transit and at rest)
- Access controls and authentication (e.g., multi-factor authentication)
- Audit logs to track email activity
- Secure data storage
- Business associate agreement (BAA) with the email service provider
Free or consumer-grade email services, like Gmail, Yahoo, or Outlook.com, are not inherently HIPAA compliant. Even Gmail or Microsoft 365 can only be used for HIPAA purposes if properly configured and covered by a BAA.
Common vendor scenarios that require HIPAA compliant email
Healthcare providers coordinate with a wide range of vendors. Below are some common examples where HIPAA compliant email is essential:
Medical billing and coding services
Billing companies receive patient names, insurance details, diagnoses, and treatment codes, all of which are PHI. Emails requesting clarification or resolving claims must be secured.
IT and cloud service providers
IT vendors often troubleshoot systems with access to EHRs or backups. Email exchanges may include login credentials or screenshots showing PHI.
Medical device vendors
Communicating about device installation or data downloads from a pacemaker, glucose monitor, or imaging machine can expose PHI.
Transcription services
Physicians may email audio files to transcriptionists or receive transcribed reports back. Without encrypted email, these files can be intercepted in transit.
Telehealth and app developers
Vendors who provide patient-facing apps or telemedicine tools often require coordination about patient data integration. Communicating with these vendors will require HIPAA compliant email if PHI is involved.
Best practices for using HIPAA compliant email with vendors
- Sign a business associate agreement (BAA): Before sharing any PHI, ensure that the vendor has signed a BAA. This legal contract confirms that the vendor understands its HIPAA responsibilities.
- Use encrypted email platforms: Ensure that both your organization and the vendor are using HIPAA compliant email solutions. This might include secure email portals or plug-ins that add encryption to Outlook or Gmail. Other solutions include the usage of email providers specifically made for healthcare communication such as Paubox.
- Limit PHI to what is necessary: Even in encrypted emails, avoid oversharing. Use minimum necessary data—only what the vendor needs to fulfill their duties.
- Verify email addresses carefully: Misaddressed emails are a common cause of breaches. Double-check that the recipient’s address is correct before sending PHI.
- Train staff and vendors: Ensure that internal staff and external vendors understand how to use secure email and recognize what constitutes PHI.
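The best practices above (a signed BAA before any PHI is shared, an encrypted channel, minimum necessary data, and a carefully verified recipient address) can be enforced as a pre-send gate on the sending side. The following is an added example written for this article, not Paubox code and not a Paubox API; the vendor registry, the domains, the PHI detection patterns and the sample messages are all constructed for illustration, and a production deployment would use the organization's real BAA records and a fuller data-loss-prevention engine.

```python
"""Pre-send policy gate for vendor email that may contain PHI (illustrative example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed vendor registry (stand-in for the organization's BAA records):
# domain -> whether a BAA is signed, and which PHI categories that vendor's role needs.
VENDOR_REGISTRY = {
    "billing-example.test": {"baa_signed": True, "allowed": {"name", "member_id", "diagnosis"}},
    "transcribe-example.test": {"baa_signed": True, "allowed": {"name"}},
    "itsupport-example.test": {"baa_signed": False, "allowed": set()},
}

# Illustrative PHI detectors; a real DLP engine would cover far more identifiers.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\bDOB\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{5,}\b", re.I),
    "member_id": re.compile(r"\bmember\s*id\s*[:#]?\s*[A-Z0-9]{6,}\b", re.I),
    "diagnosis": re.compile(r"\bICD(?:-10)?\s*[:#]?\s*[A-Z]\d{2}(?:\.\d{1,4})?\b", re.I),
    "name": re.compile(r"\b[Pp]atient\s*[:=]\s*[A-Z][a-z]+ [A-Z][a-z]+"),
}


@dataclass
class OutboundMessage:
    to: str
    subject: str
    body: str
    encrypted: bool  # True when the sending platform guarantees encryption for this message


def _edit_distance_le1(a: str, b: str) -> bool:
    """Heuristic: True if a and b differ by at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # assume a deletion in b
        elif len(b) > len(a):
            j += 1          # assume an insertion in b
        else:
            i += 1          # assume a substitution
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def detect_phi(text: str) -> set[str]:
    """Return the labels of PHI categories found in the text."""
    return {label for label, pat in PHI_PATTERNS.items() if pat.search(text)}


def evaluate(msg: OutboundMessage) -> list[str]:
    """Return blocking findings; an empty list means the message may be sent."""
    findings: list[str] = []
    domain = msg.to.rsplit("@", 1)[-1].lower()
    phi = detect_phi(msg.subject + "\n" + msg.body)
    if not phi:
        return findings  # no PHI: no HIPAA constraint on this message
    vendor = VENDOR_REGISTRY.get(domain)
    if vendor is None:
        findings.append(f"recipient domain '{domain}' is not a registered vendor")
        for known in VENDOR_REGISTRY:  # catch a one-character typo in the domain
            if _edit_distance_le1(domain, known):
                findings.append(f"possible misaddressed email: did you mean '{known}'?")
    elif not vendor["baa_signed"]:
        findings.append(f"no signed BAA on file for '{domain}'")
    else:
        excess = phi - vendor["allowed"]  # minimum-necessary check
        if excess:
            findings.append("PHI beyond minimum necessary for this vendor: " + ", ".join(sorted(excess)))
    if not msg.encrypted:
        findings.append("PHI present but message is not on an encrypted channel")
    return findings


# Constructed sample messages exercising each rule.
SAMPLES = {
    "ok": OutboundMessage("claims@billing-example.test", "Claim 4471 clarification",
                          "Patient: Jane Doe, Member ID: ABC123456, ICD-10: E11.9, please confirm.", True),
    "oversharing": OutboundMessage("claims@billing-example.test", "Claim 4471",
                                   "Patient: Jane Doe, Member ID: ABC123456, SSN 123-45-6789, DOB: 01/02/1980", True),
    "no_baa": OutboundMessage("help@itsupport-example.test", "Sync failure",
                              "Screenshot attached shows MRN 0098123 for the failed sync", True),
    "typo_unencrypted": OutboundMessage("claims@biling-example.test", "Claim 4471",
                                        "Patient: Jane Doe, SSN 123-45-6789", False),
    "no_phi": OutboundMessage("sales@anyvendor.test", "Kickoff",
                              "Can we move the kickoff meeting to Thursday?", False),
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, "->", evaluate(sample) or "send allowed")
```

The gate only engages when PHI is detected, which matches the FAQ point that non-sensitive vendor traffic (scheduling, pricing) carries no HIPAA obligation; everything it blocks maps to one of the practices above, so a finding tells the sender which control was missed rather than just refusing to send.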
Using Paubox to coordinate with vendors
When it comes to sending HIPAA compliant email, Paubox stands out as a trusted solution designed specifically for healthcare. Unlike many email security platforms that rely on cumbersome portals or require patients and vendors to log in to retrieve messages, Paubox offers a seamless encryption experience where emails arrive directly in the recipient’s inbox, fully encrypted, without sacrificing usability.
Why Paubox is ideal for vendor communication
Healthcare organizations frequently interact with vendors that vary in technical capacity, compliance readiness, and infrastructure. Paubox removes barriers to secure communication and provides an easy-to-use, secure platform that both providers and vendors can adopt quickly.
Here’s how Paubox supports vendor coordination:
- Automatic encryption: Every outbound message is automatically encrypted without requiring extra steps or plugins. This ensures that all emails, whether they contain PHI or not, are protected, which reduces the risk of human error.
- No portals or passwords: Many encryption tools require recipients to log into a portal to view secure messages. With Paubox, vendors receive encrypted emails directly in their inboxes, improving efficiency and adoption.
- Business associate agreement (BAA): Paubox offers a fully signed BAA, a HIPAA requirement for any email provider handling PHI. This ensures that your organization is meeting compliance standards from the start.
- Secure API for app developers and tech vendors: For vendors building telehealth apps, patient portals, or EHR integrations, Paubox offers secure API options that facilitate encrypted, HIPAA compliant message delivery.
- Compatibility with major platforms: Whether you're using Google Workspace, Microsoft 365, or another email client, Paubox integrates without disrupting existing workflows. This makes it easy to extend secure communication to vendors, regardless of your current infrastructure.
- Audit logging and admin tools: Administrators can track email activity, manage compliance documentation, and monitor communications, which is required for maintaining accountability when working with external partners.
FAQs
Is HIPAA compliant email required for every vendor interaction?
No. HIPAA compliant email is only required when PHI is involved. If you’re discussing non-sensitive topics (like pricing, scheduling a meeting, or sharing generic documents), you do not need to use secure email, though it’s still a best practice to use secure channels whenever possible.
Do vendors also need to use HIPAA compliant email when responding to providers?
Yes. If vendors are replying to messages that contain PHI or are initiating communication that involves PHI, they are equally responsible for using HIPAA compliant email.