How to check if an email service provider is HIPAA compliant

When healthcare organizations and covered entities decide to use third-party email service providers (ESPs) for communication, they must ensure that these ESPs are HIPAA compliant. There are ways to verify the HIPAA compliance of your chosen ESP.

Why healthcare organizations need a HIPAA compliant ESP

1. Patient data protection: Healthcare organizations deal with sensitive patient data, known as protected health information (PHI). PHI must be kept secure and confidential to comply with HIPAA regulations.
2. Legal requirements: HIPAA requires healthcare organizations to establish safeguards to protect PHI. When an ESP handles PHI on behalf of a covered entity, both parties must adhere to HIPAA's requirements.

Steps to check HIPAA compliance

1. Contact the ESP directly

Reach out to the ESP directly. Engaging in direct communication allows healthcare organizations to understand the ESP's commitment to HIPAA compliance. Here's what you should do:

• Ask relevant questions: Inquire about their HIPAA compliance policies, practices, and security measures.
• Request documentation: Ask for any documentation or materials that outline their approach to HIPAA compliance.

2. Reviewing the ESP's HIPAA documentation

Most HIPAA compliant ESPs will provide documentation on their website or upon request. This documentation is where you'll find information about their compliance. Pay attention to:

• Policies and procedures: Look for clear policies and practices regarding the handling of PHI.
• Security measures: Assess the security measures they have in place to protect PHI during storage and transmission.

3. Conducting a security assessment

Perform a thorough security assessment of the ESP's practices to ensure they align with HIPAA requirements. 

Evaluating the following:

• Encryption practices: Verify if they use encryption to protect emails and PHI to ensure you are engaging in HIPAA compliant email communication when sending emails to patients and colleagues.
• Access controls: Examine who can access PHI and how access is managed.
• Audit trails: Check if they maintain audit trails for email activities.
• Disaster recovery: Assess their disaster recovery and data backup plans.

4. Business associate agreement (BAA)

Under HIPAA, it's mandatory to have a business associate agreement (BAA) in place when an ESP handles PHI. 

Ensure that:

• The ESP is willing to sign a BAA outlining their safeguarding PHI responsibilities.
• The BAA covers all the necessary aspects of HIPAA compliance.

Related: Business associate agreement provisions

5. Independent audits and certifications

Some ESPs undergo independent audits and attain certifications related to healthcare data security. Look for:

• Certifications like HITRUST CSF.
• Any information regarding third-party audits.

Related: Is there a HIPAA certification?

6. Regular monitoring and review

Even after selecting an ESP that claims to be HIPAA compliant, maintain ongoing monitoring and review of their practices. Ensure that:

• The ESP continues to meet the terms of the BAA.
• Regular assessments of their compliance are conducted.

Selecting a HIPAA compliant third-party email service provider helps safeguard patient data.