Paubox blog: HIPAA compliant email made easy

How to make your email HIPAA compliant

Written by Farah Amod | February 14, 2024

HIPAA compliance for email communication is required to protect patients' sensitive information. You can establish a HIPAA compliant email system by implementing encryption, obtaining a BAA with your email provider, configuring your email correctly, training your staff, maintaining email retention, and obtaining patient consent. 

 

Determine the need for HIPAA compliance

The first step in making your email HIPAA compliant is to assess whether it is necessary. If you only plan to use email for internal communication within a firewall-protected network, encryption may not be required. However, if you intend to send emails containing electronic protected health information (ePHI) externally, beyond your organization's firewall, HIPAA compliance is mandated.

Read alsoWhat is ePHI?

 

Implement encryption for email

To make your email HIPAA compliant, encryption must be used. This means encrypting both the messages in transit and the stored messages. Encryption ensures that only the intended recipient and authorized personnel can access the messages, enhancing the security of ePHI.

Paubox offers a HIPAA compliant email service that ensures the confidentiality, integrity, and availability of ePHI.

Read more: How HIPAA defines confidentiality, integrity, and availability of ePHI

 

Obtain a business associate agreement (BAA) with your email provider

If you use a third-party email provider, like Paubox, obtain a business associate agreement (BAA) before sending ePHI through their service. A BAA outlines the email service provider's responsibilities. It establishes the necessary safeguards to ensure the confidentiality, integrity, and availability of ePHI.

 

Configure your email correctly

While having a BAA in place is important, it does not guarantee HIPAA compliance. Make sure you configure your email service correctly to avoid any potential violations of HIPAA rules. If you choose to use Google Workspace, which includes email, it can be made HIPAA compliant when used alongside a business subscription. However, proper configuration is necessary to ensure encryption is enabled.

Even with a business associate agreement in place with Google, you will still need to work with a HIPAA compliant email service too.

Go deeper: Why Google Workspace and Microsoft 365 aren't enough for complete HIPAA compliance

 

Develop policies and train your staff

Data breaches can occur due to human error, such as accidentally sending unencrypted emails or sharing ePHI with unauthorized individuals. To mitigate these risks, educate your staff about their responsibilities under HIPAA and provide comprehensive training on the proper use of the email service.

Read more: How to train healthcare staff on HIPAA compliance 

 

Ensure email retention

While HIPAA legislation does not specifically mention email retention, make sure to maintain a secure email archive to meet the requirements of an accounting of disclosures and legal actions. State laws may also impose retention periods for emails. To ensure compliance, consider using a secure, encrypted email archiving service instead of traditional email backups. 

 

Obtain consent from patients for email communication

Before sending emails containing ePHI, obtain consent from patients for email communication. Even if you are using a HIPAA compliant email service provider, patients must be made aware of the risks associated with email communication and provide their consent. 

 

Seek legal advice for HIPAA compliance

If you are uncertain about the requirements of HIPAA regarding email communication, it is highly recommended to consult a healthcare attorney specializing in HIPAA. They can provide guidance on your responsibilities and help ensure compliance with HIPAA regulations.

See also: HIPAA Compliant Email: The Definitive Guide

 

FAQs

Can a covered entity or business associate use a consumer email service provider like Yahoo or Hotmail?

A business associate agreement is required for any vendor handling or processing PHI on behalf of a covered entity or business associate. We have not found a single consumer email service that provides a BAA. Therefore, using a provider like Yahoo or Hotmail is not HIPAA compliant and should be avoided.

Read more:

 

What is an example of a HIPAA violation email?

  • Failing to use an email encryption service. 
  • Not having patient authorization for email communications, but sending them an email anyway. 
  • Including PHI in the subject line of your email. 
  • Sending an email with PHI to the wrong patient.

 

When does HIPAA liability end when sending an email?

According to HIPAA, "covered entities are not responsible for safeguarding information once delivered to the individual."
Once an encrypted email has been delivered to the recipient, the covered entity or business associate is no longer responsible.