The anatomy of a HIPAA compliant email

Email breaches were the second most common type of breach in 2024, impacting 109,663 individuals. Healthcare organizations must understand that the anatomy of a HIPAA compliant email is meticulously designed to protect against potential vulnerabilities.

What is a HIPAA compliant email?

A HIPAA compliant email uses a combination of multiple layers of security as dictated by the Privacy and Security Rules of HIPAA. Based on the Privacy Rule, for an email to be HIPAA compliant it must only be able to be accessed and disclosed by authorized people. This means that safety measures should be in place throughout the emailing process to ensure that no unauthorized access occurs. 

“The HIPAA Security Rule specifies a series of administrative, technical, physical, and organizational security standards to ensure the confidentiality and security of electronic PHI. While the technical and physical safeguards address significant information security conditions, such as data integrity, user authentication systems, and transmission security, the administrative safeguards require significant organizational changes such as security awareness and training, security incident procedures, contingency planning, and business associate contracts.” As discussed in the ASA article, the Security Rule sets in place the specific measures that protect this email, from using encryption to implementing access controls. 

The superficial components of a HIPAA compliant email

1. Subject line: It should be general and not contain PHI. The aim is to avoid disclosing sensitive information at a glance, keeping the subject line informative yet privacy-conscious.
2. Sender verification: The email system must authenticate the sender's identity, ensuring that the email originates from a verified source. 
3. Recipient verification: Similar to sender verification, the system must authenticate the identity of the recipient(s) to ensure that only authorized individuals can access the PHI contained within the email.
4. Body of the email: The content should be encrypted to protect any PHI it contains. Encryption ensures that the information remains unreadable to unauthorized parties even if the email is intercepted.
5. Attachments: Any files containing PHI sent via email must also be encrypted. 
6. Signature block: Often includes disclaimers about confidentiality and instructions on what to do if an unintended recipient receives the email. 
7. Encryption indicators: Some systems include visual indicators that an email is encrypted, reassuring both sender and recipient about the security of the information transmitted.
   
   

A more in-depth look at compliance

The basic behind-the-scenes measures to make sure that emails remain HIPAA compliant include: 

• Use mechanisms to allow only authorized individuals to access PHI. This can take the form of unique user identification, emergency access procedures, and automatic log-off features to prevent unauthorized access (164.312(a)(1)).
• Audit trails allow for a record of who has accessed what information and when. This component monitors, detects, and investigates unauthorized access (164.312(b)).
• Invest in authentication procedures to ensure that the person accessing PHI is who they claim to be (164.312(d)).
• Use integrity controls to protect PHI from improper alteration or destruction. Digital signatures or checksums can verify that the content has not been altered during transmission (164.312(c)(1)).
• When dealing with HIPAA compliant email service providers make sure there is a business associate agreement (BAA) in place. BAAs ensure that business associates comply with HIPAA requirements and protect the PHI (45 CFR 164.308(b)(1)).
• Data recovery methods ensure that copies of all emails containing PHI are backed up and can be recovered in case of a data loss event. This is part of the contingency planning standard (164.308(a)(7)) so that PHI is available after an emergency.
• Implement email archiving to store PHI for a set period, complying with HIPAA's retention requirements and allowing for easy retrieval during audits or investigations.

See also: Top 10 HIPAA compliant email services

FAQs

Are all email providers HIPAA compliant?

Not all email providers are HIPAA compliant.

Does every email a healthcare provider sends need to be HIPAA compliant?

Not every email a healthcare provider sends needs to be HIPAA compliant, only those that contain or have the potential to expose PHI.