Email is one of the most widely used communication tools in healthcare settings. Providers use it to communicate with patients, coordinate with other clinicians, share lab results, schedule appointments, and manage administrative workflows. However, email also introduces significant risks. Without the right safeguards, it can expose protected health information (PHI) to unauthorized access, cyberattacks, or accidental disclosure.
To address these risks, the Health Insurance Portability and Accountability Act (HIPAA) provides clear guidelines on how covered entities and their business associates must manage email communications containing PHI. HIPAA email rules are designed to balance the need for fast, efficient communication with the legal and ethical obligation to protect patient privacy.
HIPAA and email communication
According to the US Department of Health and Human Services (HHS), “The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.” It further states that “while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.”
What are the HIPAA email rules?
Encryption
Any email containing PHI must be encrypted during transmission to protect it from unauthorized access. Encryption converts sensitive data into unreadable text that can only be decoded with the correct decryption key.
There are two key types of encryption relevant to HIPAA:
- Encryption in transit: Ensures that emails cannot be intercepted and read by unauthorized parties while being sent.
- Encryption at rest: Protects stored emails from unauthorized access if a device or server is compromised.
A HIPAA compliant email service, such as Paubox Email Suite, automatically encrypts every outbound message without requiring portals, passwords, or extra steps. This “frictionless encryption” ensures compliance and maintains a smooth user experience for both senders and recipients.
Access controls
HIPAA states that “Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files.”
Access to PHI should be restricted to authorized individuals, and even they should be able to reach only “the minimum necessary information needed to perform job functions.” This means organizations must implement measures such as strong passwords and multifactor authentication to keep unauthorized users out.
Audit trails
HIPAA’s Technical Safeguards require that regulated entities “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
In email communication, these logs should record:
- Who sent and received the email
- When the communication occurred
- Any attempted unauthorized access
- Whether the email was successfully delivered
Audit trails help detect suspicious behavior and support incident investigations. During a breach investigation, logs help determine what information was exposed, how it happened, and the scope of the impact.
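As an added example (not part of the original article and not Paubox's own software), the following Python builds the audit-trail records listed above from constructed, simplified mail-gateway log lines; the line format, message ids, addresses and source IP are made up for illustration and match no real product. It also flags the two findings a reviewer would want surfaced: a message sent without TLS (the encryption-in-transit requirement) and repeated failed logins to a mailbox.

```python
import re

# Constructed, simplified gateway log lines for illustration only; the format,
# message ids, addresses and IP are made up and match no real product.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z SEND id=m1 from=dr.lee@clinic.example to=pat@mail.example tls=TLSv1.3
2024-03-04T09:12:03Z DELIVERED id=m1 status=250
2024-03-04T09:15:44Z SEND id=m2 from=billing@clinic.example to=payer@ins.example tls=none
2024-03-04T09:15:50Z BOUNCED id=m2 status=550
2024-03-04T09:20:10Z AUTHFAIL user=dr.lee@clinic.example src=203.0.113.9
2024-03-04T09:20:15Z AUTHFAIL user=dr.lee@clinic.example src=203.0.113.9
2024-03-04T09:20:19Z AUTHFAIL user=dr.lee@clinic.example src=203.0.113.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z]+) (?P<rest>.*)$")

def parse_line(line):
    """Turn one log line into a dict of timestamp, event and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed line: skipped here, but a real system should count these
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    return {"ts": m.group("ts"), "event": m.group("event"), **fields}

def build_audit_trail(log_text, authfail_threshold=3):
    """Return (per-message records, findings needing review): who sent to whom,
    when, whether delivery succeeded, and whether transport encryption was used."""
    messages, authfails, findings = {}, {}, []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["event"] == "SEND":
            messages[rec["id"]] = {"sent_at": rec["ts"], "from": rec["from"],
                                   "to": rec["to"], "tls": rec["tls"], "delivered": None}
            if rec["tls"] == "none":  # PHI left the gateway without encryption in transit
                findings.append(f"{rec['id']}: sent without TLS")
        elif rec["event"] in ("DELIVERED", "BOUNCED"):
            msg = messages.get(rec["id"])
            if msg is not None:
                msg["delivered"] = rec["event"] == "DELIVERED"
                msg["status"] = rec["status"]
        elif rec["event"] == "AUTHFAIL":  # attempted unauthorized access to a mailbox
            key = (rec["user"], rec["src"])
            authfails[key] = authfails.get(key, 0) + 1
            if authfails[key] == authfail_threshold:
                findings.append(f"{rec['user']}: {authfail_threshold} failed logins from {rec['src']}")
    return messages, findings
```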
Secure messaging platforms
Use secure messaging platforms specifically designed for healthcare communication. These platforms often include built-in encryption and security features tailored to HIPAA compliance. Paubox Email Suite is a HIPAA compliant email platform that offers encrypted email services and strict access controls.
- Patient consent: Patients should provide consent before their PHI is transmitted via email. This consent should be documented and kept on file.
- Training and awareness: Healthcare staff should receive training on HIPAA regulations and best practices for handling PHI, including email communication.
- Business associate agreements (BAAs): If you are using a third-party email service provider or other business associate to handle PHI, you must have a signed BAA in place.
- Secure attachments: If sending attachments containing PHI via email, ensure they are encrypted or password-protected.
- Secure disposal: Once emails containing PHI are no longer needed, they should be securely deleted or archived following HIPAA guidelines to prevent unauthorized access.
- Regular risk assessments: Conduct regular risk assessments to identify potential vulnerabilities in your email systems and processes. Address any weaknesses promptly to maintain compliance with HIPAA regulations.
See also: Top 12 HIPAA compliant email services
Obtaining and documenting patient consent
HIPAA’s Privacy Rule allows providers to email patients, even with unencrypted email, if the patient has been informed of the risks and gives permission. However, best practice is to still provide encrypted communication.
Patient consent should be:
- Informed (the patient understands the risks)
- Voluntary
- Documented (stored in the patient record)
- Revocable at any time
Documented consent helps protect organizations from liability should the patient later raise concerns about communication methods.
Read also: A guide to obtaining explicit consent
Business associate agreements (BAAs)
Any third-party vendor that handles PHI on your behalf is considered a business associate. This includes:
- Email service providers
- Cloud storage services
- Billing companies
- IT vendors
- Managed service providers (MSPs)
If a third-party vendor handles email communication between the provider (covered entity) and the patient, and this communication contains PHI, HIPAA’s Privacy Rule states that the covered entity must “include certain protections for the information in a business associate agreement.” The BAA legally obligates the business associate to follow HIPAA requirements and ensures accountability in case of a security incident.
Without a BAA, even a fully encrypted service is not HIPAA compliant.
Why implement HIPAA compliant email rules?
HIPAA email regulations address several aspects of healthcare communication and safeguard patient information, and so serve multiple objectives. Here is why covered entities should implement these rules:
- Patient privacy protection: The primary goal of HIPAA email rules is to safeguard the privacy of patients by ensuring that their PHI is not improperly accessed, disclosed, or compromised during electronic communication.
- Data security: HIPAA email rules help covered entities maintain the security of sensitive patient information transmitted via email.
- Legal compliance: Compliance with HIPAA email rules is mandatory for covered entities and business associates under the HIPAA Privacy and Security Rules. Failure to adhere to these regulations can result in severe penalties, including fines and legal sanctions.
- Risk mitigation: By implementing HIPAA email rules, healthcare providers can mitigate the risks associated with electronic communication, such as data breaches, identity theft, and inadvertent disclosure of PHI.
- Efficient communication: While HIPAA email rules impose strict security requirements, they also aim to facilitate efficient and timely communication within the healthcare industry.
Read more:
- HIPAA compliant email best practices
- Best practices for patient communication using HIPAA compliant email
FAQs
What are the encryption requirements for HIPAA compliant email communication?
Healthcare organizations should implement robust encryption protocols such as Transport Layer Security (TLS) or Secure/Multipurpose Internet Mail Extensions (S/MIME) to protect PHI during transmission.
Can I use my personal email account to communicate with patients or colleagues in a healthcare setting?
Using personal email accounts for healthcare communication is discouraged due to security and compliance concerns. Personal email accounts may not provide the necessary encryption and security features required to protect patient information under HIPAA.
Read more: How do I make my personal email HIPAA compliant?
What is the difference between encrypted and secure email?
An encrypted email ensures that its contents are encoded and can only be deciphered by the intended recipient. Secure email, on the other hand, encompasses a broader range of security measures beyond encryption, including additional features and protective measures that safeguard against various email-based threats.
Go deeper: Understanding the difference between secure and encrypted email