While the Security Rule doesn't explicitly require email to be encrypted, using unencrypted email to transmit protected health information (PHI) can be a violation of the Security Rule.
An unencrypted email with PHI could be accessed by unauthorized individuals, which is a HIPAA violation.
What is unencrypted email?
Unencrypted email is a method of transmitting electronic messages that does not use encryption to protect the content of the message. When a message is sent via unencrypted email, the contents of the message are transmitted in plain text, which means that anyone who intercepts the message can read its contents.
HIPAA regulations for email
HIPAA mandates privacy and security standards, necessitating safeguards to protect PHI from unauthorized access or disclosure. Covered entities must implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of PHI.
Encryption transforms the content of an email message into an unreadable format using complex algorithms, making it significantly more difficult for unauthorized individuals to access and decipher PHI. Although encryption is not explicitly required, it is considered a best practice and strongly encouraged to ensure HIPAA compliant email communication.
Related: Do emails have to be encrypted for HIPAA?
Why unencrypted email violates HIPAA
Using unencrypted email to transmit PHI can be a violation of HIPAA's Security Rule. The Security Rule requires covered entities and business associates to implement reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI. Unencrypted email is considered an unsecured method of transmitting PHI because it can be intercepted and read by unauthorized individuals.
Related: What violates HIPAA in email?
The potential risks of unencrypted emails
Unencrypted email poses vulnerabilities that can compromise the privacy and security of PHI. When PHI is transmitted via unencrypted email, it becomes susceptible to interception during transit. Hackers or unauthorized individuals can potentially access the email's content, exposing sensitive patient information. These risks can lead to severe consequences, including breaches of patient confidentiality and potential legal liabilities.
Ensuring HIPAA compliance
Covered entities should adopt secure email platforms, like Paubox Email Suite, and services that employ encryption protocols. These platforms ensure that emails containing PHI are encrypted both during transit and at rest, providing an extra layer of security. Additionally, employees should be trained to identify potential risks, such as phishing attempts, and follow secure email practices.
Using unencrypted email to transmit PHI can be a violation of HIPAA's Security Rule. Covered entities and business associates should assess the risks associated with using unencrypted email to send PHI and implement appropriate safeguards to protect it.
Liyanda Tembani
