Last updated 11 May 2021. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) set the standard for protecting sensitive patient data. HIPAA compliance for email is often seen as a confusing topic.
In a nutshell, any organization dealing with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. HIPAA compliant email falls into this scope.
This post will lay out how to achieve HIPAA compliance for email, as well as the potential dangers involved in not doing so.
Organizations subject to HIPAA include covered entities (any company that provides treatment, payment, or healthcare operations) and business associates (any company with access to PHI that provides support for covered entities). Even subcontractors (i.e. business associates of business associates) must be in compliance.
This is our definitive guide on HIPAA compliant email.
What is HIPAA compliant email?
In 2000 the HIPAA Privacy Rule created for the first time a set of national standards for safeguarding certain health information. It allows covered entities to disclose PHI to a business associate if it receives assurances that the business associate will use the information only within the scope in which it was engaged by the covered entity.
With regard to email, covered entities are required to take reasonable steps to protect ePHI as it is transmitted electronically, all the way to the recipient’s inbox.
Once the email reaches the recipient, the obligation of the sender ends, and it becomes the recipient’s job to secure any PHI they have in their inbox.
If you are using a third party to transmit or host ePHI, the company is required by law to sign a business associate agreement (BAA) with you. A BAA establishes that certain administrative, physical and technical safeguards are in place to protect patient data.
While there’s no certification that makes an email provider HIPAA compliant, meeting the requirements set by the HIPAA Privacy & Security Rules is the best place to start, along with ensuring strong technical security measures to make sure ePHI is protected inbox to inbox.
Does HIPAA require email encryption?
HIPAA encryption requirements are specified by two main terms—required and addressable.
Encryption protocols labeled required must be put in place or else you are considered out of HIPAA compliance.
Addressable encryption protocols only have to be implemented if a risk assessment has determined that encryption is needed to manage risks to ePHI.
If your organization determines that encryption is not required, then you must document your reasoning behind that decision and implement an equivalent solution to safeguard ePHI.
However, as there’s no appropriate alternative for protecting ePHI in an email other than encryption, it’s effectively required.
Not using email encryption is risky for your patients’ information and your organization.
HIPAA violations are increasing
- HIPAA violations have tripled over the past 15 years, a growth rate that outpaces almost any comparable trend.
- Hackers are targeting healthcare more than ever, and the threat has only increased during the coronavirus pandemic.
- Ransomware attacks are surging globally, including in the healthcare sector.
- Stolen laptops can result in huge fines. In several instances, a single stolen laptop cost a healthcare provider over $1,000,000.
- A stolen thumb drive averages a HIPAA fine of $925,000.
- Stolen office computers can be subject to fines too. Even a computer that never leaves your office can cost you money.
- Unpatched and unsupported software can also lead to fines.
- Accidental and non-malicious internal threats are increasing as well.
- The HIPAA Right of Access Initiative, launched in 2020, has led to significant fines for not providing patients the required “right of access” to their own health records.
HIPAA breaches: email leads the way
Our research reveals there were a total of 505 HIPAA breaches reported to HHS in 2020, up from 418 in 2019.
Of those breaches, email was by far the number one threat vector.
In fact, 37% of all HIPAA breaches in 2020 occurred via email.
How to make your email HIPAA compliant
In order to maintain HIPAA compliance, any email you send containing ePHI must be encrypted.
Ensure that your staff is properly trained on HIPAA compliance, and leverage the right technology to overcome human error, such as forgetting to press a button or type a password to encrypt an email. Human error accounts for the vast majority of email-related HIPAA violations.
These popular consumer email providers are NOT compliant:
- Gmail. By far one of the most popular email providers in the world, Gmail by itself is not HIPAA compliant. But you can make Gmail HIPAA compliant with a few extra steps.
- Yahoo. Another popular email provider, Yahoo is not compliant.
- GoDaddy. A lot of people use GoDaddy’s hosting service and subsequently use GoDaddy’s Microsoft 365 product, but not all Microsoft 365 email is created equal.
- Host Gator. Another popular web hosting provider that offers email hosting and is not HIPAA compliant.
Standard email was designed to prioritize delivering messages, not securing them. Even if your email provider encrypts outgoing mail with TLS, that does not guarantee your message is delivered securely.
That’s because if the recipient’s email provider doesn’t support TLS, the connection is downgraded and your message is delivered unencrypted, in clear text.
Google’s own data shows that only 90% of email sent with Gmail is delivered encrypted.
For HIPAA compliance, 90% isn’t good enough. Only 100% encryption is acceptable.
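The downgrade described above is a property of how SMTP negotiates TLS: the sending server only encrypts if the receiving server advertises STARTTLS in its EHLO reply, and under the usual opportunistic policy it otherwise falls back to cleartext. The following added example (not code from the original post or from Paubox) models that decision over two constructed EHLO replies and contrasts the opportunistic policy with one that refuses to send without TLS; the hostnames and capability lists are made up for illustration.

```python
"""Added example: how opportunistic STARTTLS degrades to cleartext delivery.

Models the choice an SMTP client makes after the receiving server answers EHLO.
The EHLO replies below are constructed sample data, not captured from real servers.
"""

# Constructed EHLO replies: one server advertises STARTTLS, one does not.
EHLO_WITH_STARTTLS = """250-mx.example.test Hello
250-SIZE 52428800
250-STARTTLS
250 8BITMIME"""

EHLO_WITHOUT_STARTTLS = """250-legacy-mx.example.test Hello
250-SIZE 10240000
250 8BITMIME"""


def advertised_extensions(ehlo_reply: str) -> set[str]:
    """Parse the extension keywords from a multi-line 250 EHLO reply (RFC 5321 layout)."""
    exts = set()
    for line in ehlo_reply.splitlines()[1:]:  # the first line is the server greeting
        body = line[4:].strip()  # strip the "250-" / "250 " prefix
        if body:
            exts.add(body.split()[0].upper())
    return exts


def delivery_outcome(ehlo_reply: str, policy: str) -> str:
    """Return 'encrypted', 'cleartext' or 'refused' for a given EHLO reply and TLS policy.

    'opportunistic': encrypt when STARTTLS is offered, otherwise send in cleartext
                     (the default behaviour behind the downgrade the post describes).
    'enforce':       never hand the message over unless STARTTLS is available.
    """
    if "STARTTLS" in advertised_extensions(ehlo_reply):
        return "encrypted"
    if policy == "opportunistic":
        return "cleartext"
    if policy == "enforce":
        return "refused"
    raise ValueError(f"unknown policy: {policy}")


if __name__ == "__main__":
    for name, reply in (("modern", EHLO_WITH_STARTTLS), ("legacy", EHLO_WITHOUT_STARTTLS)):
        for policy in ("opportunistic", "enforce"):
            print(f"{name:7} {policy:13} -> {delivery_outcome(reply, policy)}")
```

In a real MTA the "enforce" branch corresponds to mandatory-TLS settings such as Postfix's `smtp_tls_security_level = encrypt`, which trades the occasional bounce for never sending PHI in clear text.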
Further Reading: How to Make Your Email HIPAA Compliant
HIPAA compliant email and the business associate agreement
It’s important to understand a crucial piece of HIPAA when it comes to vendors providing HIPAA compliant email service to organizations: the business associate agreement (BAA).
If you are a covered entity or business associate entrusting PHI to a third party like an email vendor, then a BAA is required by law. At a minimum, there are 10 provisions that must be covered by a BAA.
HITRUST CSF certification: the gold standard for HIPAA compliance
When evaluating a HIPAA compliant email vendor, it’s highly recommended you inspect its stance on safeguarding sensitive information and its ability to manage risk.
Although there isn’t a formal HIPAA certification issued by HHS, the HITRUST CSF certification is widely regarded as the closest thing to it.
Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain.
In summary, it’s widely agreed that HITRUST CSF is the gold standard of security certifications in healthcare.
The best HIPAA compliant email providers
Perhaps the most difficult step is next—trying to sort through the noise and pick a HIPAA compliant email provider.
Some factors you want to consider:
- Is the service really HIPAA compliant?
- How easy is it to use?
- Does it integrate with your existing IT setup?
- Does it require new workflows?
- How is customer support?
- Are there hidden costs?
See Also: Best HIPAA Compliant Email Providers
The easiest way to send and receive HIPAA compliant email
Paubox protects your patients’ data while still providing it to them in a way that’s easy to access. We are able to do this because we believe in seamless encryption.
Seamless encryption is about providing the expected benefit—HIPAA compliant email—without asking senders or recipients to change their behavior.
It is a giant burden to have staff make a decision on whether to encrypt an email. Encrypting email by default eliminates the risk of accidentally sending unencrypted PHI over email.
It can be easy to forget to press an encrypt button or type a keyword before sending an email, or simply not realize that there is ePHI in an email before sending it.
For recipients, it is a hassle to log into a portal or go through extra steps just to view a message, especially when trying to view messages on a mobile device.
Further Reading: Why Email Is Better than Patient Portals
Paubox Email Suite allows users to write and send HIPAA compliant email as normal from a laptop, desktop or mobile device. Your recipients view messages and attachments without needing to enter extra passwords, download an app, or log into a portal.
Paubox also integrates with Google Workspace, Microsoft 365 and other commercial email providers, so you don’t have to change your email address.
Even better, our Plus and Premium subscriptions add on robust spam, virus, ransomware and phishing protection. Phishing scams are still the most common way email gets hacked and continue to lead to HIPAA violations.
Paubox provides a BAA to all customers, with no minimum number of users required.
HIPAA compliance for Paubox products
Paubox has taken security and compliance to the next level by achieving HITRUST CSF certification for all our products:
✔ Paubox Email Suite for standard email
✔ Paubox Email Suite Plus with inbound security
✔ Paubox Email Premium with inbound security, email archiving and DLP
✔ Paubox Email API for transactional email
✔ Paubox Marketing for HIPAA compliant email marketing
HITRUST CSF certified status demonstrates that our solutions have met key regulatory and industry-defined requirements and are appropriately managing risk.
This achievement places Paubox in an elite group of organizations worldwide that have earned this certification. By including federal and state regulations, standards and frameworks, and incorporating a risk-based approach, the HITRUST CSF certification helps organizations address compliance challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.
Looking for HIPPA compliant email?
People often get confused between HIPAA email and HIPPA email. HIPAA is commonly misspelled as HIPPA, and it’s easy to mistakenly google for “HIPPA compliant email” or “HIPPA email.” Google, however, is smart enough to know the correct spelling and will point you to the right pages by default. In a nutshell, “HIPPA compliant email” and “HIPPA email” are not correct; “HIPAA compliant email” and “HIPAA email” are the correct search terms.