How to make your email HIPAA compliant
by Rick Kuwahara, COO of Paubox
Many healthcare providers would love to fold email into their regular workflows, but are concerned about securing patient information to comply with HIPAA requirements.
One breach could mean large fines, loss of reputation, or even the end of operations.
But making your email HIPAA compliant doesn't have to be complicated; it just requires planning and the right tools and processes.
Understanding how HIPAA compliance applies to email
The HIPAA Privacy Rule created, for the first time, a set of national standards for safeguarding certain health information. It allows a Covered Entity to disclose PHI to a Business Associate only after receiving written assurances (a business associate agreement) that the Business Associate will use the information solely for the purposes for which the Covered Entity engaged it.
The HIPAA Security Rule was added to set out what safeguards must be in place to protect electronic protected health information (ePHI), which is health information that is held or transferred in electronic form.
For email, this means covered entities must take reasonable and appropriate steps to protect PHI from the moment it leaves the sender's device, through every server it passes, all the way to the recipient's inbox.
Once the email reaches the recipient, the sender's obligation ends and it becomes the recipient's job to secure any PHI in their inbox.
The bottom line: you must protect emails containing PHI while they sit on your server and while they are in transit to the recipient.
Making your email HIPAA compliant
To make sure your healthcare organization has HIPAA compliant email, you need processes and workflows in place to ensure your staff is properly trained on HIPAA compliance.
This includes establishing written policies and training on items such as:
- Who can have access to PHI
- Making sure proper access controls are in place and enforced
- When it is acceptable to send PHI, and to whom
- Whether the patient has consented to receive PHI via email
But you also need the right technology so those procedures are as efficient as possible and do not depend on each user doing the right thing every time.
This is especially important for overcoming human error, such as forgetting to press a button or type a keyword to encrypt an email. Human error accounts for the vast majority of email-related HIPAA breaches and violations.
Along with policies, there are two technical factors to consider in making sure your email is HIPAA compliant.
The first factor is your email server.
Securing your emails “at-rest”
Any emails that sit on your server (your inbox, sent folder, archives) are considered "at rest" and must be secured. If you are using a third-party email service, like Google Workspace, Microsoft 365 or hosted Microsoft Exchange, be sure to also get a business associate agreement (BAA) with the provider.
It's important to note here that popular consumer email services are NOT compliant:
- Gmail. By far one of the most popular email providers in the world, a consumer Gmail account is not HIPAA compliant. But as we went through in a previous post, you can make Gmail HIPAA compliant with a few extra steps (a Google Workspace account under a BAA).
- Yahoo. Another popular email provider, Yahoo is not compliant.
- GoDaddy. A lot of people use GoDaddy's hosting service and subsequently use GoDaddy's Microsoft 365 product, but not all Microsoft 365 email is created equal: check whether the reseller, not just Microsoft, will sign a BAA covering your account.
- HostGator. Another popular web hosting provider that offers email hosting and is not HIPAA compliant.
- Microsoft Outlook. Just like Gmail, people often confuse a consumer Outlook.com account with a business Microsoft 365 account.
This is because consumer email platforms do not sign BAAs, and there is no guarantee that data stored on those consumer email servers is secure, even from the vendor itself.
Once you have a commercial email provider under a BAA, if you only send email containing PHI internally within your organization and it never leaves your server, then you are likely covered and need nothing further. This assumes the server itself is properly secured: behind a firewall, kept patched, and with the access controls described above in place so only authorized staff can read the mailboxes.
But what happens when email goes out?
End-to-end encryption to secure emails in transit
That's where the second factor, encryption in transit, becomes important. In this article "end-to-end" means that every hop from your server to the recipient's inbox is encrypted; it does not mean the message is unreadable to the mail servers along the way.
Email moving from one server to another is considered "in transit" and must be secured every step of the way until it reaches the recipient's inbox. Email encryption is how this is typically handled.
But normal email is not always secure on every hop.
This is because SMTP was designed with the priority on delivering messages, not on security. Even if your email provider encrypts outbound mail with TLS, that doesn't mean your message will be delivered encrypted.
That's because server-to-server TLS (STARTTLS) is opportunistic: the sending server uses it only if the receiving server advertises it. If the recipient's mail server doesn't support TLS, the connection is downgraded and the message is delivered in clear text. An attacker on the path can trigger the same downgrade by removing the STARTTLS advertisement from the receiving server's reply, so the sending side has to refuse cleartext delivery rather than merely prefer encryption.
Google's own Transparency Report data, cited at the time of writing, shows that only 87% of email sent from Gmail is delivered encrypted.
For HIPAA, 87% isn't good enough. Only 100% encryption is acceptable.
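The downgrade described above is easiest to see in the SMTP exchange itself. The following is an added example, not code from the article or from Paubox: it parses constructed EHLO replies from two hypothetical receiving servers, models the sending server's decision under opportunistic TLS versus enforced TLS, and shows how an on-path attacker stripping the STARTTLS line silently forces cleartext delivery unless TLS is required. The hostnames and the `probe_mx_starttls` helper (a live check that needs network access and is not exercised by the offline demo) are assumptions for illustration.

```python
"""Opportunistic vs. enforced STARTTLS: why 'supports TLS' is not 'delivered over TLS'."""
import smtplib
import ssl
from dataclasses import dataclass

# Constructed EHLO replies as a sending server would see them (RFC 5321 4.1.1.1).
# Every line after the greeting names one extension the receiver supports;
# '250-' means more lines follow, '250 ' (space) marks the last line.
EHLO_WITH_STARTTLS = (
    "250-mx.example-clinic.test Hello\r\n"   # hypothetical receiver
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mx.legacy-lab.test Hello\r\n"       # hypothetical receiver without TLS
    "250-SIZE 10485760\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_extensions(response: str) -> set:
    """Return the set of extension keywords advertised in an EHLO reply."""
    lines = [ln for ln in response.split("\r\n") if ln]
    exts = set()
    for ln in lines[1:]:                      # lines[0] is the greeting
        if not ln.startswith("250"):
            raise ValueError(f"unexpected EHLO line: {ln!r}")
        body = ln[4:].strip()                 # drop '250-' or '250 '
        if body:
            exts.add(body.split()[0].upper())
    return exts


def strip_starttls(response: str) -> str:
    """What an active on-path attacker does to opportunistic TLS: delete the
    STARTTLS capability from the reply so the sender never tries to upgrade.
    The reply is kept well-formed (the last line must use '250 ')."""
    lines = [ln for ln in response.split("\r\n") if ln]
    kept = [ln for ln in lines if ln[4:].split()[:1] != ["STARTTLS"]]
    kept[-1] = "250 " + kept[-1][4:]
    return "\r\n".join(kept) + "\r\n"


@dataclass(frozen=True)
class DeliveryDecision:
    send: bool        # does the sending server hand the message over?
    encrypted: bool   # is that hop protected by TLS?
    reason: str


def decide_delivery(ehlo_response: str, require_tls: bool) -> DeliveryDecision:
    """Model the sending server's choice after EHLO.
    require_tls=False is opportunistic TLS (the default on most mail servers):
    use STARTTLS if offered, otherwise fall back to cleartext.
    require_tls=True is what PHI needs: never send over an unencryptable hop;
    defer or bounce instead."""
    offered = "STARTTLS" in parse_ehlo_extensions(ehlo_response)
    if offered:
        return DeliveryDecision(True, True, "STARTTLS offered; session upgraded to TLS")
    if require_tls:
        return DeliveryDecision(False, False, "STARTTLS not offered; refusing cleartext delivery")
    return DeliveryDecision(True, False, "STARTTLS not offered; delivered in cleartext (downgrade)")


def probe_mx_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check (needs network; not used by the offline demo below): connect to
    a receiving MX, send EHLO, and report whether STARTTLS is advertised and a
    verified TLS handshake succeeds. Because an on-path attacker can strip the
    STARTTLS line, a probe only proves support from the vantage point it runs from."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("probe.example.test")       # hypothetical HELO name
        if not smtp.has_extn("starttls"):
            return False
        smtp.starttls(context=ctx)            # raises on handshake or certificate failure
        return True


if __name__ == "__main__":
    for label, reply in [("receiver with STARTTLS", EHLO_WITH_STARTTLS),
                         ("receiver without STARTTLS", EHLO_WITHOUT_STARTTLS),
                         ("STARTTLS stripped by attacker", strip_starttls(EHLO_WITH_STARTTLS))]:
        for policy in (False, True):
            d = decide_delivery(reply, require_tls=policy)
            print(f"{label:32} require_tls={policy!s:5} -> send={d.send} encrypted={d.encrypted}: {d.reason}")
```

Under opportunistic TLS the message is sent in all three scenarios, and in two of them it crosses the wire in cleartext; only the enforced policy refuses the unencrypted hops, which is the "100%" behaviour the article calls for. Receiving domains can also publish an MTA-STS policy so that compliant senders enforce TLS toward them, but that only helps once the other side has deployed it.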
That’s where having a third-party secure your email in transit becomes helpful.
How Paubox can help
Paubox helps ensure that 100% of the emails you send are secured in transit all the way to your recipient's inbox, with the added benefit of making the experience seamless.
Unlike other providers, Paubox makes HIPAA compliant email behave like regular email for both senders and recipients.
Paubox’s Encrypted Email allows users to write and send emails as normal from a laptop, desktop and mobile devices. Your recipients will be able to view messages and attachments without needing to enter extra passwords, download an app, or login to a portal.
This greatly reduces the risk of accidentally sending PHI over email. It is a giant burden to have staff make a decision on whether to encrypt an email.
It can be easy to forget to press an encrypt button or type a keyword before sending an email, or simply not realizing there was PHI in an email that was sent.
For recipients, it can be a hassle to have to login to a portal or go through extra steps just to view a message. Especially when trying to view messages on a mobile device.
Even replies are automatically encrypted.
Paubox also integrates with Google Workspace, Microsoft 365 and other commercial email providers, so you don’t have to change your email address.
This ease of use doesn’t come at the expense of security.
Paubox has taken security and compliance to the next level by achieving HITRUST CSF Certification for our products.
HITRUST CSF Certified status demonstrates that our solutions have met key regulatory and industry-defined requirements and are appropriately managing risk.
This achievement places Paubox in an elite group of organizations worldwide that have earned this certification. By including federal and state regulations, standards and frameworks, and incorporating a risk-based approach, the HITRUST CSF helps organizations address these challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.
At this time we believe Paubox to be the only HIPAA compliant email provider to have their solution achieve HITRUST CSF Certified status.