An article in The Health Care Manager concluded by drawing the connection between effective internal communication and patient care: “It was concluded that continuous exchange of information among health care professionals, together with learning and shared decision making or a positive emotional climate…”
According to the Health Insurance Portability and Accountability Act (HIPAA), the requirement for using HIPAA compliant email is directly tied to the presence of protected health information (PHI) within the communication. If an internal memo contains PHI, defined as any individually identifiable health information that relates to the health status, provision of healthcare, or payment for healthcare, then it must be transmitted using a secure, HIPAA compliant channel.
This is a legal obligation, as HIPAA’s Security Rule mandates the protection of electronic PHI (ePHI) during transmission, regardless of whether the communication is internal or external. However, if the internal memo does not contain PHI, HIPAA does not require the use of a compliant email channel for that specific message. That said, the line between what does and does not constitute PHI can be blurry in practice, and human error is a leading cause of breaches. As a result, some organizations choose to default to HIPAA compliant channels for all internal communications to minimize risk and ensure consistent protection.
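The routing decision described above (PHI present: use the compliant channel; PHI absent: not required; many organizations default to the compliant channel anyway because the PHI line is blurry) can be expressed as a small outbound-mail gate. The block below is an added illustration, not code from the original article or from any email product; the identifier patterns, health-context terms and the two sample memos are constructed assumptions, and a real deployment would use a proper DLP classifier rather than these heuristics.

```python
import re
from dataclasses import dataclass, field

# Added example (not from the original article). A rule-based gate that decides
# whether an internal memo must leave through the HIPAA compliant (encrypted,
# access-controlled) channel. Pattern names and sample memos are constructed.

# Direct identifiers that make health content "individually identifiable".
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}

# Health-context terms: health status, provision of care, or payment for care.
HEALTH_TERMS = re.compile(
    r"\b(diagnos\w*|treatment|prescri\w*|patient|admitted|discharge[d]?|"
    r"lab result\w*|claim|copay|insurance)\b",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    contains_phi: bool
    identifiers: list = field(default_factory=list)
    health_terms: list = field(default_factory=list)


def classify_memo(text):
    """Flag PHI when an individual identifier co-occurs with health content.

    This is a coarse heuristic: free-text names and indirect identifiers are
    not caught, so false negatives are expected. That is exactly why the
    conservative default_secure policy below exists.
    """
    ids = [name for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(text)]
    terms = sorted({m.lower() for m in HEALTH_TERMS.findall(text)})
    return Verdict(contains_phi=bool(ids) and bool(terms),
                   identifiers=ids, health_terms=terms)


def choose_channel(text, default_secure=False):
    """Return ("secure" | "standard", verdict).

    default_secure=True sends every memo through the compliant channel, the
    policy some organizations adopt so that a missed PHI reference is still
    protected in transit.
    """
    verdict = classify_memo(text)
    if verdict.contains_phi or default_secure:
        return "secure", verdict
    return "standard", verdict


# Constructed sample memos (fictional identifiers).
MEMO_PHI = ("Reminder for nursing: patient MRN 00482913 (DOB 03/14/1961) "
            "was discharged today; lab results pending.")
MEMO_NONPHI = "All-hands: the visitor policy changes Monday. Questions to ops@example.org"

if __name__ == "__main__":
    for memo in (MEMO_PHI, MEMO_NONPHI):
        channel, v = choose_channel(memo)
        print(f"{channel:8s} ids={v.identifiers} terms={v.health_terms}")
```

The second memo carries an email address but no health content, so it is not PHI under this rule and may use the standard channel; flipping `default_secure=True` routes it through the compliant channel regardless, which is the trade-off the paragraph describes.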
HIPAA’s requirements for email communications are primarily found within the Security Rule, which is codified at 45 CFR Part 164, Subpart C. A chapter from Capturing Social and Behavioral Domains and Measures in Electronic Health Records: Phase 2 noted of the primary sections of HIPAA that relate to email communications, “The Privacy Rule establishes the rules governing the use and disclosure of identifiable health information in either paper or electronic format (otherwise known as protected health information or PHI) by covered entities; the Security Rule establishes the security safeguards to be adopted to protect electronic identifiable health information (otherwise known as ePHI).” These requirements collectively mean that any email containing PHI must be sent in a manner that ensures only authorized recipients can access the information.
The rationale for securing internal memos begins with the nature of the information they may contain. One study notes the reason behind securing communications: “Patients must feel assured that their personal and medical information is kept confidential and only shared with those who need to know.” Even when a memo is not explicitly about a patient, it can reference schedules, protocols, or incidents that, when combined with other data, could reveal sensitive details. Healthcare organizations are disproportionately targeted by cybercriminals due to the high value of medical data and the complexity of healthcare operations. However, external hackers are only part of the problem. Insider threats, whether malicious or simply negligent, account for a large proportion of data breaches in healthcare.
Employees with legitimate access to information may inadvertently send a memo to the wrong recipient, fail to recognize the sensitivity of its contents, or fall victim to phishing attacks that compromise entire systems. In fact, a vast majority of compromised health records result from poor human security practices, with unintentional factors such as misaddressed emails or lack of awareness playing a leading role.
Insider threats are a prominent issue in the U.S. One example occurred at a Texas hospital, where an insider named Jesse McGraw created a botnet using the hospital’s network, compromising dozens of medical devices, including nursing stations that stored patient records. McGraw even hacked the hospital’s HVAC system, threatening the integrity of temperature-sensitive medications and patient safety during a hot summer period. After pleading guilty, he received a nine-year prison sentence and fines.
Another example is the Stradis Healthcare incident, where a furloughed employee, Christopher Dobbins, retaliated by creating a secret account to access and delete shipping information, delaying shipments of personal protective equipment during a critical time. This attack disrupted supply chains and showed how disgruntled insiders can cause operational havoc.
These insider actions compromise patient privacy and jeopardize intellectual property and competitive advantage. Insider threats can be both malicious and accidental; healthcare staff may unintentionally expose data through credential misuse or fall victim to phishing attacks that grant external attackers access via compromised internal accounts.
Internal communication is the exchange of information, messages, and updates within an organization among its employees.
You can find more information on HIPAA compliant email practices on the official Health and Human Services (HHS) website and through your organization's compliance resources.
Employees should be trained to recognize PHI, which includes any information that can identify a patient and their health conditions, treatments, or payments.