
In 2024, Young Consulting was the victim of a ransomware attack in which more than 950,000 individuals may have had their medical insurance data exposed. The software vendor experienced technical difficulties after an unauthorized actor gained access through malware. While the company took immediate steps to remediate the situation, the lesson healthcare organizations should take away from this breach is the importance of using HIPAA compliant email communication.
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards that safeguard the privacy and security of individuals’ protected health information (PHI). The legislation applies to healthcare organizations and to their business associates, or vendors, that may handle PHI on behalf of providers. HIPAA compliance is a legal requirement that protects patients’ privacy and ultimately lets organizations focus on patient care.
It is up to each organization to choose HIPAA compliant vendors and to communicate with those vendors in compliance with the law. Sharing sensitive patient data with vendors by email can pose significant risks if proper security measures aren’t in place. It is best practice to use HIPAA compliant email when receiving email from a vendor.
What is a healthcare vendor?
HIPAA defines a business associate (vendor) as an individual or entity that performs specific functions and/or provides services on behalf of a covered entity. Healthcare organizations collaborate with different types of third-party companies to enhance their health operations. These companies directly engage with healthcare organizations to ensure smooth business operations. The work of these business associates ranges from billing and IT support to medical equipment and software, and includes the following types of roles:
- Third-party administrators (e.g., claims processors)
- Email providers (such as Paubox Email Suite)
- IT service providers
- Cloud storage providers
- Telehealth platforms
- Electronic health record (EHR) providers
- Insurance companies
- Appointment scheduling software companies
- Marketing and website providers
- Billing companies
- Medical transcriptionists
- Data analytics companies
- Lawyers, consultants, and accountants
Given these frontline duties, these companies may have to create, receive, transmit, or maintain PHI. If this is the case, they are then legally obligated to safeguard it under HIPAA. Sharing sensitive patient data with anyone can pose significant risks if proper security measures aren’t in place on both sides. Ultimately, healthcare organizations must seek out companies that are HIPAA compliant so that they can properly handle PHI.
HIPAA compliant email communication with vendors
Sharing PHI with vendors through email is often necessary but comes with risks. HIPAA email rules aim to balance effective communication with safeguarding patient privacy and data security. It’s always a best practice to err on the side of caution and ensure that any sensitive information is transmitted securely.
The act’s email regulations address various aspects of healthcare communication and safeguarding patient information. According to the U.S. Department of Health and Human Services (HHS), “The Privacy Rule allows covered health care providers to communicate electronically, such as through email . . . provided they apply reasonable safeguards when doing so.”
This is even more important if an email communication contains PHI. The HIPAA Security Rule’s reasonable safeguards include administrative, physical, and technical protections. Examples of proper security measures include (but are not limited to):
- Encryption for data at rest and in transit
- Access controls
- Building, room, and equipment locks
- Email policies and procedures
- Staff training on HIPAA compliant email
- Audit trails and risk assessments
- HIPAA compliant email providers
- Email scanners for malware and/or bad attachments
- Email disposal procedures
Such protections ensure that sensitive data remains safeguarded and inaccessible by unauthorized parties.
What does vendor noncompliance with HIPAA email rules look like?
Noncompliance with HIPAA email rules can take various forms, each illustrating a different way that vendors can expose PHI:
- Failure to encrypt: Vendors send emails to providers that contain PHI without encrypting them first.
- Insufficient access controls: Vendors don’t use multifactor authentication to secure email accounts that may contain PHI.
- Lack of secure messaging systems: Vendors do not use HIPAA compliant email messaging platforms (business associates for the vendors) to send or receive PHI.
- Failure to train staff: Vendors provide no training or insufficient training on HIPAA and secure email practices.
- Inadequate policies and procedures: Vendors lack appropriate policies or fail to follow existing procedures for transmitting PHI in an email.
- Negligent handling of PHI: Vendors carelessly include PHI in email communication, such as when sending PHI to the wrong recipient.
Vendor compromise is a well-established cybersecurity threat. In fact, 98% of organizations worldwide are connected to a third-party vendor that has been breached in the last two years. Such breaches can directly impact a healthcare organization’s ability to operate and serve patients.
Receiving an email from a healthcare vendor
Before receiving PHI from a vendor in an email, verify that they have strong security practices in place. When a vendor sends you an email, require the vendor to do several things:
- Use encryption for data at rest and in transit, including all attachments
- Keep the access controls in use up to date
- Perform regular risk assessments
- Ensure up-to-date policies for handling PHI and responding to breaches
- Apply the minimum necessary rule to limit shared PHI
- Use a HIPAA compliant platform
- Train staff on HIPAA legislation
And of course, don’t work with a vendor until it signs a business associate agreement (BAA) that details the third party’s commitment to protecting data. Ask the vendor about its email security measures early on, and regularly review and update vendor security practices to address emerging threats.
Maintain open communication channels with all vendors and regularly review compliance measures. Foster a collaborative relationship to address noncompliance concerns. Unfortunately, unsecured email communication can lead to a data breach, a HIPAA violation, and even serious fines. It can also compromise patient privacy and damage an organization's reputation.
FAQs
What should I do if a vendor refuses to sign a BAA?
If a vendor refuses to sign a BAA, consider finding an alternative vendor that is willing to comply with HIPAA regulations. Sharing PHI with a vendor without a BAA puts your organization at risk of HIPAA violations and fines.
What access should vendors have to patient data?
Vendors should only have access to patient data that is necessary for their specific service provision, following the principle of least privilege.
What are the signs that a vendor’s email system has been compromised?
Signs that a vendor’s email system has been compromised can include receiving unusual or unexpected emails from the vendor, requests for sensitive information or unusual attachments, and reports from the vendor about a security incident or breach.
What rights do patients have regarding business associates handling their PHI?
Patients retain significant rights concerning their PHI. These rights include accessing their information, requesting amendments, and filing complaints if they believe their privacy rights have been violated by business associates. Business associates must respect and safeguard these rights.
Are business associates directly liable for HIPAA violations, or does liability solely rest with covered entities?
Yes, business associates can be directly held responsible for violating HIPAA rules. Changes in HIPAA regulations mean that business associates have individual accountability for compliance, facing penalties independently of covered entities. This is why business associates must implement robust privacy and security measures, recognizing their direct obligation to adhere to HIPAA standards and the potential consequences of noncompliance.