How to send HIPAA compliant email
by Sara Nguyen
Is it a HIPAA violation to email PHI?
The short answer is that it’s not a HIPAA violation to email PHI as long as you have the appropriate safeguards in place to protect it.
The HIPAA Security Rule lays out what safeguards need to be in place to protect patient data. Essentially, covered entities are required to take reasonable steps to keep PHI secure both while it is stored on their systems (at rest) and while an email is in transit.
Email encryption is the standard safeguard for PHI in email. Under the Security Rule, encryption is an "addressable" specification rather than a strictly required one, and HIPAA guidance says that if encryption is not used, "other safeguards should be applied to reasonably protect privacy." In practice, however, there is no other safeguard for data leaving your network by email that compares to encryption, so covered entities commonly use email encryption to protect PHI.
How does email encryption work?
Most popular email providers encrypt mail in transit, but the way they do it is often not good enough to meet HIPAA standards. The encryption is opportunistic: a message is only encrypted if the receiving mail server also supports it. Take Gmail, for example. On average about 87% of sent emails are encrypted in transit; the remaining 13% travel in cleartext and can be read by anyone positioned on the network path between the two servers. For a message containing PHI, that residual exposure is unacceptable.
Covered entities should consider working with a third-party email security provider that enforces encryption on every message it sends and, when the recipient cannot receive an encrypted message, falls back to another secure channel rather than sending in cleartext. One caveat a practitioner should keep in mind: transport encryption (TLS) keeps the message private while it travels between mail servers; it does not by itself protect the message once it sits in a mailbox, so access controls at both ends still matter.
What happens if the email recipient doesn’t support email encryption?
While email encryption provides privacy, some email providers and self-hosted mail servers do not support encrypted delivery at all. Any message sent to them travels in cleartext and can be intercepted, which creates a HIPAA security issue. So how can covered entities protect PHI in this scenario?
Paubox Email Suite recognizes when a recipient's mail server will not accept an encrypted connection and provides an alternative delivery path. Instead of receiving a cleartext message containing PHI from their doctor, recipients whose servers do not support encryption get a notification email asking them to click a link and read the message over a secure HTTPS URL. Paubox Email Suite plugs into your existing email platform, such as Microsoft 365 or Google Workspace, and requires no change in email behavior once it is configured.
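The decision described above (encrypt in transit when the receiving server can negotiate TLS, otherwise deliver a notice with a secure link rather than sending PHI in cleartext) can be illustrated with a small policy check. The following is an added example written for this page; it is not Paubox's code and does not describe how Paubox Email Suite is implemented. It parses the receiving server's EHLO reply for the STARTTLS capability and chooses a delivery mode. The two EHLO replies are constructed sample data, and the host names in them are made up.

```python
"""Choose a delivery mode for a message depending on whether the recipient's
mail server advertises STARTTLS.  Added illustration for this article; not
vendor code.  Sample EHLO replies below are constructed, not captured."""
import re
import smtplib
from dataclasses import dataclass


@dataclass(frozen=True)
class DeliveryDecision:
    mode: str    # "smtp_tls", "secure_link" or "smtp_plain"
    reason: str


# Constructed sample: a server that offers STARTTLS (hostname is made up).
SAMPLE_EHLO_TLS = (
    b"250-mx.example.net Hello\r\n"
    b"250-SIZE 35882577\r\n"
    b"250-STARTTLS\r\n"
    b"250 SMTPUTF8\r\n"
)

# Constructed sample: a legacy server with no STARTTLS capability.
SAMPLE_EHLO_NO_TLS = (
    b"250-legacy.example.org Hello\r\n"
    b"250-SIZE 10240000\r\n"
    b"250 HELP\r\n"
)

# Capability lines of a multi-line 250 reply: "250-NAME ..." or "250 NAME" (last line).
_CAP_LINE = re.compile(r"^250[- ](\S+)")


def ehlo_offers_starttls(ehlo_response: bytes) -> bool:
    """Return True if the raw EHLO reply advertises the STARTTLS extension."""
    for raw in ehlo_response.splitlines():
        line = raw.decode("ascii", errors="replace").strip()
        match = _CAP_LINE.match(line)
        if match and match.group(1).upper() == "STARTTLS":
            return True
    return False


def probe_starttls(mx_host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check against a real MX host: connect, send EHLO and ask smtplib
    whether STARTTLS was advertised.  Needs network access, so the offline
    sample data above is used instead of this function in the demonstration."""
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


def choose_delivery(contains_phi: bool, offers_starttls: bool) -> DeliveryDecision:
    """Policy: a message with PHI never leaves in cleartext.

    - Recipient offers STARTTLS  -> deliver over SMTP with TLS.
    - Recipient cannot encrypt    -> send only a notice carrying an HTTPS link.
    - No PHI in the message       -> ordinary delivery (TLS when available).
    Note that advertising STARTTLS is not the same as a session actually
    negotiating it; a production sender must also verify the TLS handshake
    succeeded before transmitting the message body."""
    if not contains_phi:
        mode = "smtp_tls" if offers_starttls else "smtp_plain"
        return DeliveryDecision(mode, "no PHI; normal delivery")
    if offers_starttls:
        return DeliveryDecision("smtp_tls", "recipient server supports TLS in transit")
    return DeliveryDecision(
        "secure_link",
        "recipient server cannot encrypt; send notice with HTTPS link instead of PHI",
    )


if __name__ == "__main__":
    for label, reply in (("mx.example.net", SAMPLE_EHLO_TLS),
                         ("legacy.example.org", SAMPLE_EHLO_NO_TLS)):
        decision = choose_delivery(True, ehlo_offers_starttls(reply))
        print(f"{label}: {decision.mode} ({decision.reason})")
```

The policy function keeps the two halves separate on purpose: capability detection is a property of the receiving server, while the decision about what may be sent depends on the message content. A real gateway would also check that the TLS handshake actually completed (not merely that STARTTLS was offered) before releasing the message body, since an active attacker on the path can strip the STARTTLS advertisement.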
What happens if a patient replies to an email with PHI?
One of the most common questions a covered entity has about HIPAA compliant email is when its obligation to secure PHI ends, especially with regard to patient replies to an email.
Covered entities should always ensure they are sending encrypted emails to their patients, but that’s where the obligation ends. According to the HIPAA Omnibus Rule, “Further, covered entities are not responsible for safeguarding information once delivered to the individual.”
Once a person has received an email, it becomes their responsibility to secure any PHI in their inbox, and it is their choice whether they respond with additional unencrypted PHI or not.
How can you secure different types of email?
There are other emails besides doctor-to-patient that may need encryption or need to follow other HIPAA guidelines. You will also want to ensure that these types of emails are encrypted:
- In-office emails if using remote access
- Emails sent to a different healthcare professional outside your network
- Healthcare professionals using their home computers or personal email
It’s highly recommended that healthcare companies invest in a professional email address instead of using a personal or free email domain. It will make you look more professional and enables you to partner with HIPAA compliant email providers such as Paubox.
Another consideration is email marketing. Many marketing email services won’t sign a business associate agreement (BAA), which means they aren’t HIPAA compliant vendors. You’ll need to use a service like Paubox Marketing to keep PHI secure while still being able to send personalized email marketing messages directly to the inbox.
How do I secure email?
Many covered entities seem to think that a patient portal is the answer to HIPAA compliant communication. A portal requires the patient to log into a separate website or app, usually after creating a new login and password. The idea is that this gives patients and healthcare professionals a secure place to communicate.
But patients don't like it. By 2019, 62% of covered entities reported that fewer than a quarter of their patients were registered for portals. Adoption that low means the portal is not reaching most patients, let alone increasing their engagement.
The biggest problem with a patient portal is that it is not easy to use. There are too many steps between a patient and a message to their doctor, so many patients don't send one at all.
Paubox Email Suite is a better option because it allows healthcare professionals and patients to directly communicate in their inboxes.
Paubox Email Suite has also achieved HITRUST CSF certification—a distinction that demonstrates our product has met key regulatory requirements to appropriately manage risk. We’re committed to ensuring that healthcare providers have access to secure email, which is why a BAA is included in all of our plans, and two-factor authentication (2FA) is required to access the customer admin panel.