The risks of shared email inboxes in healthcare practices

Healthcare providers should be aware of the risks associated with shared email accounts because they handle sensitive patient information subject to strict privacy regulations like HIPAA. Shared email accounts can compromise data security, violate regulatory requirements, and expose patient information to unauthorized access or breaches.

What is a shared email account or inbox?

A shared email account or inbox that multiple users or team members have access to, allows them to send, receive, and manage emails collectively. While it can be convenient for teams to collaborate and handle incoming messages, shared emails can pose security and privacy risks, particularly when handling sensitive information, as they often lack individualized access controls and encryption measures, potentially exposing data to unauthorized access or breaches. 

Sharing passwords is not HIPAA compliant

The key issue revolves around employees sharing login information for a shared account, which is not allowed according to the HIPAA Security Rule. Under this rule, regardless of their size, covered entities are mandated to allocate a unique name or number to each individual or entity with authorized access (defined as a "user" in § 164.304). 

This unique identifier is necessary for tracking and identifying user activity within systems containing electronic protected health information (ePHI), ensuring that system access and actions can be traced back to specific users. This requirement applies to all workforce members within healthcare provider offices, health plans, group health plans, and healthcare clearinghouses.

See also: Shared email accounts and HIPAA compliance

The risks posed by shared mailboxes

1. Unencrypted emails: Shared inboxes may lack email encryption, exposing sensitive information to potential unauthorized access or interception.
2. Excessive access: Multiple users having access to shared inboxes can make it challenging to monitor and control who views sensitive information, especially in regulated industries.
3. Data retention and deletion: Even if an email is deleted from the organization's mailbox, copies may still exist in the recipient's mailbox or on email servers, potentially exposing sensitive data to unauthorized access or compromise.
4. HIPAA non-compliance: In healthcare settings, sharing login information for shared email accounts violates HIPAA's requirement for unique user identification and access tracking, posing compliance risks.
5. Security breaches: Shared inboxes are vulnerable and, if compromised, can lead to unauthorized access, data leaks, or breaches of confidential information.
6. Lack of audit trail: Without proper user identification and access tracking, it becomes challenging to maintain a reliable audit trail, making it difficult to identify and investigate security incidents or policy violations.

How to mitigate this risk

1. Control access: Limit the number of individuals who have access to shared email accounts. Assign specific roles and permissions to users based on their job responsibilities, ensuring that only authorized personnel can access sensitive information.
2. Individual user identification: Ensure each user has a unique identifier for accessing shared email accounts. Avoid sharing login credentials, as this violates security and compliance standards, particularly in regulated industries like healthcare.
3. Implement data retention policies: Develop and enforce policies that specify how long emails and attachments are stored in shared email accounts. Regularly review and delete emails that are no longer needed to reduce the risk of data exposure.
4. Audit trails and monitoring: Maintain detailed audit logs to track user activities within shared email accounts. Regularly review these logs to identify suspicious or unauthorized access and take appropriate action.
5. Security awareness training: Provide security training to all users with access to shared email accounts, emphasizing best practices for handling sensitive information, recognizing phishing attempts, and adhering to data security policies.
6. HIPAA compliant email service: Consider using a HIPAA compliant email service specifically designed to meet the security and privacy requirements outlined in the HIPAA regulations. These services often provide robust encryption, access controls, audit trails, and data protection features tailored to healthcare organizations handling sensitive patient information. 

How to send HIPAA compliant emails

To send HIPAA compliant emails and ensure patients' health information is secure and protected during communication. 

1. Secure patient information in transit and at rest: To ensure HIPAA compliance when sending email, use secure email solutions that encrypt messages and attachments in transit and at rest.
2. Enter into a Business associate agreement: Even if your emails are encrypted, you still need a signed BAA with your email service to comply with HIPAA regulations.
3. Set up policies and procedures: An internal policy for HIPAA compliant email ensures all employees know their responsibilities regarding handling and transmitting PHI electronically.
4. Train your staff on secure email best practices: In addition to having policies around HIPAA compliant email, healthcare organizations should train employees on these policies and procedures. 

See also: What are HIPAA's email archiving and retention requirements