
The value of HIPAA compliant email in non-patient data departments

Departments like human resources, finance, legal, and administration may not routinely process PHI but often handle sensitive information that, if compromised, can have serious repercussions. HIPAA compliant email systems provide a secure communication channel that avoids risks associated with data breaches, unauthorized access, and inadvertent disclosure of sensitive information.

According to StatPearls ‘Health Insurance Portability and Accountability Act (HIPAA) Compliance’ which notes the intricacies of HIPAA and related legislation, “To improve compliance, healthcare teams must adopt a multifaceted approach. Physicians, advanced practitioners, nurses, pharmacists, and support staff need robust training in HIPAA principles, including secure data transmission, mobile device protocols, and breach prevention.”

Human resources departments may handle employee health benefits, disability claims, or workers’ compensation information, which, although not PHI per se, are sensitive and protected under other privacy laws and organizational policies. Finance departments may process billing information or contracts that indirectly reference patient data or sensitive financial information.

HIPAA’s rules that apply to emails

HIPAA’s rules apply to email by requiring secure transmission and storage of PHI. The Security Rule specifically requires covered entities and their business associates to implement technical protections to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI). Email, as a common mode of communication, falls under these requirements when PHI is involved.

The Biomedical Informatics Insights study ‘HIPAA, HIPAA, Hooray?’ notes on the topic of HIPAA and email security, “Secure email messaging is a critical component of HIPAA, specifically the electronic Protected Health Information (ePHI). Messaging protocols like the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) and the Portable Document Format (PDF), which is now an ISO standard, are components that are readily available for integration into email and other electronic messaging applications.”

The Privacy Rule also requires that, with any disclosures of PHI via email, patients are informed of the risks of unencrypted email communications. The Security Rule’s encryption requirement effectively mandates that covered entities use secure email methods whenever PHI is transmitted electronically to comply with HIPAA.

PHI isn’t the only type of sensitive data

Departments that don’t handle PHI directly often manage other forms of confidential information that, if exposed, could cause harm to individuals or the organization. These include employee personal data, financial records, legal documents, proprietary business information, and social and behavioral determinants of health (SBDH) data that may be included in electronic health records (EHRs) or related systems.

According to a chapter from Capturing Social and Behavioral Domains and Measures in Electronic Health Records: Phase 2 looking at other forms of data held by healthcare organizations, “Notwithstanding the ability under law to collect, use, and share SBDH information for treatment purposes, eligible professionals and hospitals may still want to take additional steps—above and beyond what the law requires—to provide assurances to patients.”

Social and behavioral data carry privacy concerns similar to PHI because they can reveal sensitive information about individuals’ lifestyles, behaviors, and social circumstances. Employee health information managed by human resources, like disability claims or wellness program data, is protected under laws like the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA), requiring confidentiality and secure handling.

Financial and contractual data held by billing, legal, and administrative departments may contain sensitive identifiers or indirectly reference patient information, making it a target for cyberattacks or insider threats. The exposure of such data can lead to identity theft, fraud, or legal liabilities.

How platforms like Paubox can be used in non-clinical departments

According to Elena Yau, a part of Paubox’s expert network, “I believe that the lowest hanging fruit to enhance cybersecurity globally is email since that is a common denominator across all organizations. As a community effort, I recommend that all organizations review their SPF, DKIM and DMARC and set up policies like Paubox’s ExecProtect to prevent spoofing authorities in their organization that deals with personnel records, financials, internal operations and has authorities for approval. If you wonder why your CEO, new account, new HR person is spoofed, look at your SPF, DKIM and DMARC.”
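As an added example, not code from Paubox or from the article, here is a small offline checker in the spirit of that advice: given the TXT records already pulled for a domain, it flags the SPF, DMARC and DKIM settings that leave a domain easy to spoof. The domain names, records and the DKIM selector are constructed placeholders.

```python
import re

# Constructed sample DNS TXT records keyed by the name a resolver would query;
# domains and the DKIM key body are placeholders, not real records.
SAMPLE_RECORDS = {
    "example-hospital.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all",
    "_dmarc.example-hospital.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-hospital.test",
    "mail._domainkey.example-hospital.test": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY",
    "weak-clinic.test": "v=spf1 include:_spf.mailer.test +all",
    "_dmarc.weak-clinic.test": "v=DMARC1; p=none",
}

def parse_dmarc(record):
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_domain(domain, lookup, dkim_selector=None):
    """Return a list of findings describing weak SPF, DMARC and DKIM settings."""
    findings = []
    spf = lookup.get(domain, "")
    if not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no record found")
    else:
        # The qualifier on the final 'all' decides what receivers do with unlisted senders.
        match = re.search(r"(?:^|\s)([+\-~?]?)all\s*$", spf)
        qualifier = match.group(1) if match else None
        if qualifier in ("+", ""):
            findings.append("SPF: '+all' authorises any host to send as this domain")
        elif qualifier in ("?", None):
            findings.append("SPF: no enforceable 'all' qualifier (neutral or missing)")
    dmarc = lookup.get("_dmarc." + domain)
    if not dmarc:
        findings.append("DMARC: no record found")
    else:
        tags = parse_dmarc(dmarc)
        if tags.get("p", "none") == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        if "rua" not in tags:
            findings.append("DMARC: no rua address, so aggregate reports are never received")
    if dkim_selector:
        dkim = lookup.get(f"{dkim_selector}._domainkey.{domain}", "")
        if "p=" not in dkim:
            findings.append(f"DKIM: no public key published for selector '{dkim_selector}'")
    return findings
```

In practice the `lookup` dictionary would be filled from real TXT queries; the checker itself never touches the network.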

Platforms like Paubox provide HIPAA compliant email services that automatically encrypt emails and attachments without requiring recipients to use portals or special logins, streamlining secure communication. While Paubox is widely recognized for securing clinical communications involving PHI, its features are equally valuable in non-clinical departments.

Non-clinical departments can use Paubox to securely transmit sensitive employee information, financial documents, contracts, and other confidential data. Departments like HR can send benefits enrollment forms or disability documentation safely, while finance can securely share billing and insurance claims data with external vendors or insurers.

The practical applications

Large healthcare systems are not immune: Banner Health experienced a ransomware attack in 2016 that affected millions of individuals. The subsequent investigation revealed that inadequate risk assessments and insufficient monitoring tools contributed to the breach. This case shows the need to adopt HIPAA compliant email solutions, conduct regular risk analyses, and implement proactive incident response plans that detect and stop unauthorized access promptly. Organizations that integrate HIPAA compliant email with comprehensive cybersecurity strategies can better prevent breaches and limit their impact.

The Department of Veterans Affairs and other federal agencies have successfully used HIPAA compliant email platforms to secure communications across both clinical and non-clinical departments. These platforms allow for secure collaboration with external partners, vendors, and insurers, reducing third-party vulnerabilities that have been implicated in major breaches such as the Change Healthcare ransomware attack, which exposed sensitive data of millions and resulted in a $22 million ransom payment. The ability of HIPAA compliant email services to provide encryption by default, enforce business associate agreements, and maintain audit trails is helpful in protecting data.

FAQs

Which federal agencies must use HIPAA compliant email?

Any federal agency that handles protected health information (PHI) must use HIPAA compliant email to meet federal regulations and avoid penalties.

What are the main technical requirements for HIPAA compliant email?

HIPAA compliant email must implement encryption (such as TLS 1.2 or 1.3), access controls, audit logs, and secure transmission to protect PHI.

Is a BAA necessary for federal agencies using email services?

Yes, federal agencies must have BAAs with email service providers to ensure HIPAA compliance and shared responsibility for safeguarding PHI.

Can federal agencies send PHI via unencrypted email?

No, emails containing PHI must be encrypted to comply with HIPAA’s Security Rule and protect patient information during transmission.

What role does user training play in HIPAA compliant email use in federal agencies?

Regular training on HIPAA regulations and secure email practices is necessary to prevent accidental disclosures and maintain compliance across all departments.
