Many healthcare providers would love to include email communication in their regular workflows, but are concerned about securing patient information to comply with HIPAA requirements. One breach can mean huge fines, loss of reputation, or even the end of operations.
The good news for providers is that sending HIPAA compliant email is achievable. It just requires planning and using the right tools and processes.
Understanding how HIPAA compliance applies to email
The HIPAA Privacy Rule created, for the first time, a set of national standards for safeguarding certain health information. HIPAA allows Covered Entities to disclose PHI to a Business Associate if they receive assurances that the Business Associate will use the information only within the scope for which it was engaged by the Covered Entity. The HIPAA Security Rule was added to set out what safeguards must be in place to protect electronic protected health information (ePHI), which is health information that is held or transferred in electronic form. With regard to email, this means that covered entities are required to take reasonable steps to protect PHI on their own systems and while it is transmitted electronically, all the way to the recipient's inbox. Once the email reaches the recipient, the sender's obligation ends and it becomes the recipient's job to secure any PHI in their inbox. The bottom line: you must protect emails containing PHI on your server and while they are in transit to the recipient.
Making your email HIPAA compliant
In order to make sure your healthcare organization has HIPAA compliant email, processes and workflows need to be in place. Keeping your staff properly trained on HIPAA compliance is key as well. This includes establishing written policies and training on items such as:
- Who can have access to PHI
- Making sure there are proper access controls in place
- When it is OK to send PHI, and to whom
- Whether there is consent from the patient to receive PHI via email
But you also need the right technology to make those procedures as efficient as possible. This is especially important to overcome human error, such as forgetting to press a button or type a keyword to encrypt an email. Human error accounts for the vast majority of email-related HIPAA breaches and violations. Along with policies, there are a couple of technical factors to consider in making sure your email is HIPAA compliant. The first factor is your email server.
Securing your emails "at rest"
Any emails sitting on your server (such as your inbox) are considered "at rest" and must be secured. If you are using a third-party email server, like Google Workspace, Microsoft 365 or Microsoft Exchange, then be sure to also get a business associate agreement (BAA) with that provider. It's important to note here that popular consumer email services are NOT compliant:
- Gmail. By far one of the most popular email providers in the world, Gmail is not HIPAA compliant. But as we went through in a previous post, you can make Gmail HIPAA compliant with a few extra steps.
- Yahoo. Another popular email provider, Yahoo is not compliant.
- GoDaddy. A lot of people use GoDaddy's hosting service and subsequently use GoDaddy's Microsoft 365 product, but not all Microsoft 365 email is created equal.
- HostGator. Another popular web hosting provider that offers email hosting and is not HIPAA compliant.
- Microsoft Outlook. Just like Gmail, people often confuse a consumer Outlook email account with a business one.
This is because consumer email platforms do not sign BAAs, and there is no guarantee that data stored on those consumer email servers is secure, even from the vendors themselves. Once you have a commercial email provider, if you only send email containing PHI internally within your organization and it never leaves your server, then you are likely good to go and don't need anything further, provided your email server is behind a secure firewall. But what happens when email goes out?
Encryption to secure emails in transit
As email moves from one server to another it is considered "in transit." It must be secured every step of the way until it reaches the recipient's inbox. This is typically handled with email encryption. But normal email is not always secure, because it was designed with the priority on delivering messages, not on security. Even if your email provider does secure email with TLS encryption, that doesn't mean your message will be delivered securely. This is because TLS between mail servers is opportunistic: if the recipient's email provider doesn't support TLS, your message is downgraded and delivered unencrypted, in clear text. Google's own data shows that only 87% of email sent with Gmail is encrypted. For HIPAA, 87% isn't good enough. Only 100% encryption is acceptable. That's where having a third party secure your email in transit becomes helpful.
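To make the downgrade concrete, here is an added example (not Paubox's code or tooling) in Python. It parses two constructed SMTP EHLO replies, one from a relay that advertises STARTTLS and one that does not, and shows the difference between the opportunistic-TLS behaviour the paragraph describes (fall back to clear text) and an enforced-TLS policy that fails closed and defers the message instead. The hostnames, capability lists and the `send_fail_closed` helper are all assumptions for illustration.

```python
"""
Added example: opportunistic STARTTLS silently downgrades to cleartext,
while an enforced-TLS policy fails closed. The EHLO replies below are
constructed sample data, not captured traffic.
"""
import smtplib
import ssl
from typing import Iterable

# Constructed EHLO banners: one relay advertises STARTTLS, one does not.
EHLO_WITH_TLS = (
    "250-mx.example.net\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_WITHOUT_TLS = (
    "250-legacy.example.org\r\n"
    "250-SIZE 10240000\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(response: str) -> set[str]:
    """Return the upper-cased extension keywords from a multi-line EHLO reply.

    RFC 5321 replies use '250-KEYWORD params' for continuation lines and
    '250 KEYWORD' for the final line; the first line carries the hostname.
    """
    caps: set[str] = set()
    lines = [ln for ln in response.splitlines() if ln.strip()]
    for line in lines[1:]:  # skip the greeting line with the hostname
        if not line.startswith("250"):
            continue
        body = line[4:].strip()  # drop the '250-' or '250 ' prefix
        if body:
            caps.add(body.split()[0].upper())
    return caps


def delivery_outcome(capabilities: set[str], require_tls: bool) -> str:
    """Decide what a sending MTA does given the receiving relay's capabilities.

    Opportunistic TLS (require_tls=False) is the common default: use STARTTLS
    if offered, otherwise deliver in cleartext. Enforced TLS (require_tls=True)
    never sends in the clear; the message is deferred (and later bounced),
    which is the behaviour a HIPAA sender wants.
    """
    if "STARTTLS" in capabilities:
        return "sent-tls"
    return "deferred" if require_tls else "sent-cleartext"


def outcomes(banners: Iterable[str], require_tls: bool) -> list[str]:
    """Apply delivery_outcome to each EHLO banner in order."""
    return [delivery_outcome(parse_ehlo(b), require_tls) for b in banners]


def send_fail_closed(host: str, sender: str, recipient: str, message: str) -> None:
    """Hypothetical helper: send with smtplib but refuse if STARTTLS is absent.

    Not called here (no network); it shows the fail-closed pattern: inspect the
    extensions after EHLO and abort rather than fall back to cleartext, and
    verify the relay's certificate instead of accepting any handshake.
    """
    with smtplib.SMTP(host, 25, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host} does not offer STARTTLS; refusing to send in the clear")
        smtp.starttls(context=ssl.create_default_context())  # raises on a failed handshake
        smtp.ehlo()
        smtp.sendmail(sender, recipient, message)


if __name__ == "__main__":
    banners = [EHLO_WITH_TLS, EHLO_WITHOUT_TLS]
    print("opportunistic:", outcomes(banners, require_tls=False))
    print("enforced:     ", outcomes(banners, require_tls=True))
```

Run as a script and the opportunistic row shows the second message going out as `sent-cleartext`, which is exactly the gap behind the "87%" figure; the enforced row shows it `deferred` instead. A deferred message is visible in mail queues and logs, so a sender can notice and act, whereas a cleartext downgrade leaves no error for anyone to see.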
How Paubox can help make email HIPAA compliant
Paubox helps ensure that 100% of the emails you send are secure in transit all the way to your recipient's inbox. It's a seamless and stress-free experience. Unlike other providers, Paubox makes HIPAA compliant email behave like regular email for both senders and recipients. Paubox's Encrypted Email allows users to write and send emails as normal from laptop, desktop and mobile devices. Your recipients will be able to view messages and attachments without needing to enter extra passwords, download an app, or log in to a portal. This greatly reduces the risk of accidentally sending PHI over unencrypted email. It is a big burden to have staff decide whether to encrypt each email. It can be easy to forget to press an encrypt button or type a keyword before sending, and sometimes a user may not realize that certain information is PHI at all.