We were recently asked a great question by a customer on having their staff share a group email account to receive and respond to requests that may contain PHI. The workflow involved a few employees checking a shared email address such as firstname.lastname@example.org. There's a lot of use cases where this can make a lot of sense, but the real question is if it is HIPAA compliant?
Sharing passwords is not HIPAA compliantThe real crux of the matter is in regards to having staff share login information for the shared account. According to the HIPAA Security Rule, this is NOT permitted:
Under the Security Rule, covered entities, regardless of their size, are required, under § 164.312(a)(2)(i) to “assign a unique name and/or number for identifying and tracking user identity.” A “user” is defined in § 164.304 as a “person or entity with authorized access.” Accordingly, the Security Rule requires covered entities to assign a unique name and/or number to each employee or workforce member who uses a system that maintains electronic protected health information (e-PHI), so that system access and activity can be identified and tracked by user. This pertains to workforce members within small or large healthcare provider offices, health plans, group health plans, and healthcare clearinghouses.
In the end, this ultimately helps covered entities be able to properly audit who is viewing, sending, and receiving email - something that is not possible if staff shares a login.
Other ways to share an inbox without sharing passwords
Even though you can't share logins or passwords, there are still other ways staff can collaborate from a group email address. One of the simplest ways is to create a distribution group in your Microsoft 365 or Google Workspace admin panel. This way you can have an email alias such as "email@example.com", and have any email that gets sent to that address be forwarded to the appropriate staff members. When staff reply to that email, they would reply as individuals, but can include the group email alias in the CC or BCC field to keep others informed. Here's instructions on how to set that up for Microsoft 365 and Google Workspace. If only a small number of staff need to access the same inbox, you can set up delegates to view and respond to emails. Keep in mind that only one person should be the owner of the original email account.
Sharing an email account is not HIPAA compliant because passwords and logins need to be assigned on an individual basis. But there are still options any organization can take to benefit from some of the workflow efficiencies by using distribution lists and email aliases.