Is an email administrator necessary in healthcare organizations?
Kirsten Peremore
July 08, 2025
The popularity of email amongst healthcare workers is supported in the JMIR Medical Education study ‘Email Use Reconsidered in Health Professions Education’, “Email was found to facilitate communication between inpatient and outpatient settings and was identified as the preferred method of communication among primary care providers.”
Given the high volume of emails exchanged daily, an email administrator is a way to ensure efficient inbox management, prioritization, and compliance with regulations like HIPAA. This helps prevent communication breakdowns that could compromise patient care, maintain confidentiality, and support legal compliance by safeguarding electronic health information.
Effective email management under the guidance of an administrator enhances collaboration across departments and reduces the risks of miscommunication or data breaches. This is reflected in the above-mentioned study, “The presence of guidelines for email use can have an impact on the professional and ethical behaviors…Guidelines must be accessible and embedded into the curriculum to ensure both awareness and understanding by faculty and students of the professional and ethical behaviors necessary when using email communication.”
What does an email administrator do in healthcare?
A Medical Decision Making Policy & Practice study on healthcare administration notes, “Interoperable infrastructure and data standardization across multiple health systems would help provide more reliable and timely information for decision making.”
Email administrators in healthcare organizations are primarily responsible for managing and maintaining secure, reliable, and compliant email systems. This facilitates communication among healthcare professionals, administrators, and patients in a way that supports clinical and administrative workflows.
Healthcare email administrators oversee the technical and policy aspects of email systems. Their responsibilities include managing user accounts, resetting passwords, setting up shared mailboxes, and authorizing distribution lists. These tasks ensure that healthcare staff have uninterrupted access to email communication channels for timely decision-making and coordination.
They also enforce compliance with strict policies regarding the appropriate use of email. These policies cover virus scanning, encryption of confidential patient data when sent outside secure domains, and adherence to professional communication standards to avoid misuse or breaches of confidentiality.
Are email administrators necessary even with the use of HIPAA compliant email platforms like Paubox?
HIPAA compliant email platforms like Paubox reduce, and in some cases may eliminate, the need for a dedicated email administrator role traditionally responsible for overseeing email security and compliance in healthcare organizations. Paubox offers automated self-audits and compliance reporting, which continuously assess the organization’s adherence to HIPAA standards and provide actionable insights to compliance officers without the need for manual audits or oversight by a dedicated administrator.
This automation ensures that compliance is maintained proactively, reducing the risk of breaches and regulatory penalties. The platform’s integration with major email services and CRM systems further eases management by centralizing email security controls, allowing IT and compliance teams to oversee email activity through dashboards and analytics rather than direct administrative intervention.
Paubox also supports business associate agreements (BAAs). This contractual compliance shifts some responsibility away from internal email administrators. Given these capabilities, the traditional role of an email administrator, who manually configures encryption settings, monitors email traffic for compliance, manages user access, enforces policies, and conducts audits, becomes less necessary. Instead, oversight responsibilities typically shift to broader IT security teams, compliance officers, or privacy officers who leverage the automated tools and reports provided by platforms like Paubox to monitor organizational compliance at a higher level.
See also: What is the role of HIPAA compliant email services in protecting patient privacy?
Internal vs. external email administrator
A JYX study on internal vs external hiring offers the following general perspective, “Firms have a preference for internal promotion, as opposed to external recruitment…That preference is strongest at the top of the job hierarchy.”
When choosing between an internal and an external email administrator, organizations weigh distinct advantages. An internal administrator, already familiar with the company's culture and systems, can integrate seamlessly into the role, understanding the specific challenges and needs of the organization. They can leverage their existing relationships and knowledge of internal processes for a more efficient approach to managing the email system.
On the other hand, an external administrator brings fresh perspectives and potentially broader experience in email management, especially if they have worked in diverse environments. They may introduce new practices and technologies that an internal hire might not be aware of, enhancing the organization's email security and efficiency. The options for external administrators include:
- Managed IT services
- Specialized email administration companies
- Cloud-based email services
- Freelance email administrators
- Consultancy firms
- Software solutions
See also: How to send HIPAA compliant emails
Privacy and security officers
An Online Research Journal Perspectives in Health Information Management study on the topic of privacy officers provides, “Federal legislation mandated that all covered entities are required to have a designated privacy official to develop and implement the organization’s privacy and security policies and procedures (P&P)...The industry has identified this role as a privacy officer. If a privacy breach occurs, privacy officers make critical choices about reporting that may have lasting impacts on the healthcare organizations in which they work and on the patients that are served by the organization.” Acting as email administrators, they ensure that all electronic communications comply with HIPAA’s Privacy and Security Rules by enforcing technical safeguards like encryption, access controls, and audit trails.
One of the main responsibilities is managing the use of encryption, ensuring that emails containing PHI are encrypted both in transit and at rest. Privacy and security officers collaborate closely with IT teams to select and configure HIPAA compliant email solutions that automatically encrypt messages, reducing the risk of human error.
Another task is managing user access. These officers establish and enforce policies that restrict email access to authorized personnel only, aligning with HIPAA’s requirement for strict access controls. They monitor account activity, handle permissions, and ensure that when employees change roles or leave the organization, their email access is promptly adjusted or revoked. This reduces the risk of unauthorized access to sensitive information.
FAQs
What is a BAA?
A BAA is a legal contract between a healthcare provider and an email service provider (or any third-party vendor) that handles PHI. It ensures the vendor complies with HIPAA regulations and is responsible for protecting patient data. Without a BAA, using a service provider for PHI transmission is not HIPAA compliant.
Are emails containing PHI required to be encrypted under HIPAA?
While HIPAA does not explicitly mandate encryption, it requires that if encryption is not used, an equivalent alternative safeguard must protect the PHI. Encryption is generally the most effective and widely accepted method to secure email communications containing PHI.
Can patients communicate with healthcare providers via email?
Yes, but healthcare providers must ensure that emails containing PHI are sent securely, typically via encrypted email or secure patient portals. Providers should obtain patient consent and educate patients about the risks and safe use of email communication.
Can healthcare providers send PHI via regular email?
No. Sending PHI via unencrypted regular email is risky and generally non-compliant. Emails containing PHI must be sent through HIPAA-compliant platforms that provide automatic encryption and secure transmission. If encryption is not possible, alternative safeguards must be used to protect the information.