HIPAA Compliant Email: The Definitive Guide

Last updated 1 March 2020. HIPAA compliance for email is often seen as a confusing topic. For starters, the Health Insurance Portability and Accountability Act (HIPAA) set the standard for protecting sensitive patient data.

In a nutshell, any organization dealing with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. HIPAA compliant email also falls into this scope.

This post will lay out the aspects involved in achieving compliance for email, as well the potential dangers involved for not doing so.

Organizations include Covered Entities (anyone who provides treatment, payment and operations in healthcare) and Business Associates (anyone with access to patient information and provides support in treatment, payment or operations). This also includes making sure you have HIPAA email baked in when it comes to your email service provider.

Even subcontractors, or business associates of business associates, must also be in compliance.

This is our definitive guide on HIPAA email.

What is HIPAA Compliant Email?

The HIPAA Privacy Rule created, for the first time, a set of national standards for the safeguard of certain health information. It allows Covered Entities to disclose PHI to a Business Associate if they receive assurances that the Business Associate will use the information only in the scope of which it was engaged by the Covered Entity.

The HIPAA Security Rule was added to set out what safeguards must be in place to protect electronic PHI (ePHI), which is health information that is held or transferred in electronic form.

In regards to email, this means that covered entities are required to take reasonable steps to protect PHI from their computer and as it’s transmitted electronically, all the way to the recipient’s inbox.

Once the email reaches the recipient, the obligation of the sender ends and it becomes the recipient’s job to secure any PHI they have in their inbox.

If you are using a third party to transmit or host PHI, they are required by law to sign a Business Associate Agreement (BAA) with you. The BAA establishes that certain administrative, physical and technical safeguards are in place.

While there’s no certification that makes an email provider achieve HIPAA compliant email status, meeting the requirements set by the HIPAA Privacy & Security Rules is the best place to start, along with strong technical security measures to make sure PHI is protected inbox to inbox.

Does HIPAA Require Email Encryption?

HIPAA encryption requirements are specified by two main terms — “required” and “addressable.”

Those labeled “required” must be put in place or it’s considered a failure to comply with HIPAA.

“Addressable” requirements only have to be implemented after a risk assessment has determined that encryption is needed for managing risks to PHI.

If your organization determines that encryption is not appropriate, then you must document your reasoning behind that decision and implement an equivalent solution to safeguard PHI.

As there’s not an appropriate alternative for protecting PHI other than encryption, it’s effectively required.

Not using encryption is risky for your patients’ information and your organization.

HIPAA Compliance Violations are Increasing

Over the past 10 years, the Office for Civil Rights (OCR) division within HHS has enforced violations at a blistering pace.

Hackers are targeting healthcare.
HIPAA violations tripled over 10 years. Confirmed HIPAA violations are skyrocketing. Their growth rate over the past 10 years outpaces almost any trend that comes to mind.
Stolen laptops continue to result in huge fines. In several instances, a single stolen laptop led to fines in excess of $1,000,000 from HHS.
A stolen thumb drive averages $925,000 in HIPAA fines. Since 2012, it costs an average of $925,000 in HIPAA fines for a single stolen thumb drive.
Stolen office computers can be subject to fines too. Even a computer that never leaves your office can still be subject to a costly fine due to a HIPAA Privacy Act violation.
Unpatched and unsupported software can also lead to fines.
Accidental and non-malicious internal threats are increasing as well.

HIPAA Breaches: Email Leads the Way

Our research reveals there were a total of 418 HIPAA breaches reported to HHS in 2019.

Of those breaches, Email was by far the number one threat vector.

In fact, 39% of all HIPAA Breaches in 2019 were via Email.

Source: 2019 HIPAA Breach Report: A Year in Review

How to Make Your Email HIPAA Compliant

In order to make sure your organization has HIPAA Compliant Email, you need to be sure you have processes and workflows in place to ensure your staff is properly trained on HIPAA compliance.

But you also need the right technology to be sure those procedures can be made as efficient as possible.

This is especially important to overcome human error, such as forgetting to press a button or type a password to encrypt an email. Human error accounts for the vast majority of email related HIPAA violations.

Popular consumer email providers are NOT compliant:

Gmail. By far, one of the most popular email providers in the world, Gmail is not HIPAA compliant. But as we went through in a previous post, you can make Gmail HIPAA compliant with a few extra steps.
Yahoo. Another popular email provider, Yahoo is not compliant.
GoDaddy. A lot of people use GoDaddy’s hosting service and subsequently use GoDaddy’s Office 365 product, but not all Office 365 email is created equal.
Host Gator. Another popular web hosting provider that offers email hosting and is not HIPAA compliant.

This is because normal email was created with the priority on delivering messages, not security. Even if your email provider does secure email with TLS encryption, that doesn’t mean your message will be delivered securely.

That’s because if the recipient’s email provider doesn’t support TLS, your message will be downgraded and delivered unencrypted in clear text.

Google’s own data shows that only 87% of email sent with Gmail is delivered encrypted.

For HIPAA, 87% isn’t good enough. Only 100% encryption is acceptable.

Further Reading: How to Make Your Email HIPAA Compliant

Not sure what to do next? Try Paubox for FREE and make your email HIPAA compliant today.

Start Your Free Trial

HIPAA Compliant Email and the Business Associate Agreement

It’s important to understand a crucial piece of HIPAA when it comes to vendors providing HIPAA compliant email service to organizations: The Business Associate Agreement (BAA).

A BAA is a written contract between a Covered Entity and a Business Associate. It is required for HIPAA compliance. In this case, the Business Associate would be the vendor(s) that host your email and/or encrypt its transmission.

If you are a Covered Entity or Business Associate entrusting PHI to a third party like an email vendor, then a BAA is required by law. At a minimum, there are 10 provisions that must be covered by a BAA.

Read full article: Business Associate Agreement Provisions

HITRUST CSF Certification: The Gold Standard for HIPAA Compliance

When evaluating a HIPAA Compliant Email vendor, it’s highly recommended you inspect their stance on safeguarding sensitive information and their ability to manage information risk.

Although there isn’t a formal HIPAA certification issued by HHS, the HITRUST CSF certification is widely regarding as the closest thing to it.

Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain.

In collaboration with privacy, information security and risk management leaders from both the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis, and resilience.

In summary, it’s widely agreed that HITRUST CSF is the gold standard of security certifications in healthcare.

Best HIPAA Compliant Email Providers

Perhaps the most difficult step is next – trying to sort through the noise and pick a HIPAA compliant email provider.

Some factors you want to consider:

Is the service really HIPAA compliant?
How easy is it to use?
Does it integrate with your existing IT setup?
Does it require new workflows?
How is customer support?
Are there hidden costs?

The Easiest Way to Send and Receive HIPAA Compliant Email

Paubox can help you protect your patients’ data while providing it to them in a way that’s easy to access. We are able to do this because we believe in the term ‘seamless encryption.’

Seamless encryption is about providing the expected benefit – HIPAA compliant email – without asking senders or recipients to change behavior.

This greatly reduces the risk of accidentally sending PHI over email. It is a giant burden to have staff make a decision on whether to encrypt an email.

It can be easy to forget to press an encrypt button or type a keyword before sending an email, or simply not realizing there was PHI in an email that was sent.

For recipients, it can be a hassle to have to login to a portal or go through extra steps just to view a message. Especially when trying to view messages on a mobile device.

Paubox’s Encrypted Email allows users to write and send emails as normal from a laptop, desktop and mobile devices. Your recipients will be able to view messages and attachments without needing to enter extra passwords, download an app, or login to a portal.

Even replies are automatically encrypted.

Paubox also integrates with G Suite, Office 365 and other commercial email providers, so you don’t have to change your email address.

Even better, Paubox’s HIPAA compliant email solution gives you the option to add on robust SPAM, virus, ransomware and phishing protection. Phishing scams are still the most common way email gets hacked and continues to lead to HIPAA violations.

Business Associate Agreements are available with all paid accounts, no minimum number of users required.

HIPAA Compliance for Paubox products

Paubox has taken security and compliance to the next level by achieving HITRUST CSF Certification for our products:

✔ Paubox Encrypted Email
✔ Paubox Email API
✔ Inbound Security
✔ Email DLP Suite

HITRUST CSF Certified status demonstrates that our solutions have met key regulatory requirements and industry-defined requirements and is appropriately managing risk.

This achievement places Paubox in an elite group of organizations worldwide that have earned this certification. By including federal and state regulations, standards and frameworks, and incorporating a risk-based approach, the HITRUST CSF helps organizations address these challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.

At this time, we believe Paubox to be the only HIPAA compliant email provider to achieve HITRUST CSF Certified status.

Not sure what to do next? Try Paubox for FREE and make your email HIPAA compliant today.

Start Your Free Trial

Additional Resource: U.S. Department of Health and Human Services

Looking for HIPPA Compliant Email?

People often get confused between HIPAA email and HIPPA email. HIPAA is commonly misspelled as HIPPA and it’s easy to mistakenly google for “HIPPA compliant email” or “HIPPA email.” Google however, is smart enough to know the correct spelling and will point you to the right pages by default. In a nutshell, “HIPPA compliant email” or “HIPPA email” are not correct. “HIPAA compliant email” or “HIPAA email” are the correct search terms.