
What it means for an email to be HIPAA compliant

Over 14 million individuals had their data compromised in 210 breaches over recent years. To avoid this, an email system must encrypt messages, track access and modifications, restrict access to authorized users, and verify the identity of those users. Together these controls secure the data both in transit and at rest.

 

The reality of email security in healthcare 

According to an analysis of breaches reported under HIPAA from 2010 to 2017 titled ‘Healthcare Data Breaches: Insights and Implications’, there were 2,163 total breaches exposing approximately 180.65 million records of protected health information (PHI). Among the various breach locations, email consistently appears as a prominent medium through which PHI is compromised. The data showed hundreds of breaches involving email, with 199 incidents reported in 2019 alone, making it one of the top sources of breaches alongside network servers and electronic medical records (EMRs).

The nature of email breaches often involves unauthorized access, interception, or misdelivery of sensitive information. Email communications in healthcare typically contain PHI such as patient names, diagnoses, treatment plans, and billing information, making them attractive targets for cybercriminals and susceptible to human error. 

A proportion of breaches result from unintentional human factors, such as sending emails to incorrect recipients or failing to encrypt messages properly. In fact, according to the Perspectives in Health Information Management study ‘Human Factors in Electronic Health Records Cybersecurity Breach’, 73.1% of records affected by breaches stemmed from unintentional errors.

 

Are there consequences for noncompliance?

Financially, healthcare organizations face substantial civil monetary penalties that can range from $100 to $50,000 per violation, with annual maximums reaching $1.5 million depending on the level of negligence. These penalties escalate if the breach results from willful neglect or repeated violations. Enforcement actions by the HHS Office for Civil Rights (OCR) have imposed multi-million-dollar fines on entities that failed to encrypt emails containing PHI or neglected to implement adequate access controls.

 

The practical steps to making an email HIPAA compliant 

  • Emails containing PHI must be encrypted both in transit and at rest to prevent unauthorized access. Transport Layer Security (TLS) is commonly used to secure emails during transmission, while additional encryption methods such as Secure/Multipurpose Internet Mail Extensions (S/MIME) or end-to-end encryption ensure that only intended recipients can decrypt the message content. Encryption should extend to email servers and backups to protect stored PHI. (Healthcare (Basel). 2020 May 13;8(2):133)
  • Organizations must develop and enforce policies and procedures governing email use. This includes training staff on the risks of unsecure email, proper handling of PHI, and recognizing phishing or social engineering attempts. Employees should be instructed never to send PHI via unencrypted email and to verify recipient addresses before sending sensitive information. (Perspect Health Inf Manag. 2022 Mar 15;19(2):1i.)
  • Obtaining patient consent and providing clear communication about the risks of email is important. HIPAA permits patients to receive PHI via email if they are informed of the risks and provide authorization. Documenting this consent protects the provider and respects patient autonomy. (Influence of the HIPAA Privacy Rule on Health Research. JAMA. 2007;298(18):2164–2170. doi:10.1001)
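As an added example (not code from this article, from Paubox, or from any of the cited studies), the following Python pre-send gate ties the three steps above together: it refuses unencrypted delivery of PHI, requires a documented consent record for every recipient, and, because subject lines are commonly transmitted in the clear even when the body is encrypted, keeps the recipient's registered identifiers out of the subject. Every decision is written to an audit log so access and send events remain traceable. The consent register, the message fields, and the patient identifiers are constructed placeholders.

```python
"""Pre-send policy gate for email that may carry PHI.

Added example, not Paubox code. The consent register, draft layout and
identifiers below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parseaddr

# Constructed consent register: patient email -> documented consent record.
# In production this would be backed by the EHR or a consent database.
CONSENT_REGISTER = {
    "pat.example@example.com": {
        "patient_name": "Pat Example",   # constructed
        "mrn": "MRN-000123",             # constructed identifier
        "consented_on": "2024-03-01",
        "risks_explained": True,
    },
}

# In-memory audit trail; a real system would write to an append-only log.
AUDIT_LOG: list = []


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def _audit(event: str, **details) -> None:
    """Record who/what was checked and why it was allowed or blocked."""
    AUDIT_LOG.append(
        {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **details}
    )


def check_outbound(draft: dict, encrypted: bool) -> Decision:
    """Gate a draft before it leaves the organization.

    draft = {"to": [addr, ...], "subject": str, "body": str, "contains_phi": bool}
    encrypted = whether the delivery path encrypts the body end to end.
    """
    reasons = []

    # Step 1: PHI never leaves over an unencrypted channel.
    if draft["contains_phi"] and not encrypted:
        reasons.append("PHI must not leave via unencrypted email")

    for raw in draft["to"]:
        _, addr = parseaddr(raw)
        addr = addr.lower()
        # Step 2: verify the recipient address is well formed before sending.
        if not addr or "@" not in addr:
            reasons.append(f"malformed recipient: {raw!r}")
            continue
        if not draft["contains_phi"]:
            continue

        # Step 3: PHI by email requires documented, informed patient consent.
        record = CONSENT_REGISTER.get(addr)
        if record is None:
            reasons.append(f"no documented email consent for {addr}")
            continue
        if not record["risks_explained"]:
            reasons.append(f"risks not documented as explained to {addr}")
            continue

        # Subject lines are usually sent in the clear, so they must not
        # carry identifiers tied to the patient record.
        subject = draft["subject"].lower()
        for ident in (record["patient_name"], record["mrn"]):
            if ident.lower() in subject:
                reasons.append(f"subject line exposes identifier for {addr}")
                break

    decision = Decision(allowed=not reasons, reasons=reasons)
    _audit("outbound_check", to=list(draft["to"]),
           allowed=decision.allowed, reasons=list(reasons))
    return decision


if __name__ == "__main__":
    ok = check_outbound(
        {"to": ["pat.example@example.com"], "subject": "Your upcoming appointment",
         "body": "Please see the attached encrypted summary.", "contains_phi": True},
        encrypted=True,
    )
    print("allowed:", ok.allowed, ok.reasons)
    for entry in AUDIT_LOG:
        print(entry)
```

The gate is deliberately fail-closed: any unmet condition produces a reason and blocks the send, and the audit entry records the outcome either way, which is what an investigator needs after a misdelivery report.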

The impact of the updated security rule

The HHS factsheet on the topic provides, “OCR administers and enforces the Security Rule, which establishes national standards for the protection of individuals’ ePHI by covered entities (health plans, health care clearinghouses, and most health care providers), and their business associates (together, regulated entities). Today’s proposed rule seeks to strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the health care sector.”

The Notice of Proposed Rulemaking for the HIPAA Security Rule strengthens the protection of electronic protected health information (ePHI), with direct implications for email security. While the core principles of confidentiality, integrity, and availability remain unchanged, the update requires more rigorous risk management and expanded technical safeguards.

The update mandates the use of stronger encryption protocols for all electronic communications containing PHI, including email. This means healthcare organizations must adopt encryption technologies like advanced TLS versions to ensure that email transmissions are resilient against emerging cyber threats. The update also requires encryption of stored emails and backups, closing previous gaps where data at rest might have been less protected.

 

Why do emails need to be HIPAA compliant?

A collaborative study, ‘What is a Secure Email?’, which examined what makes an email secure, noted that, “Traditional user agents typically hide that state and merely report a working or failing connection to the mail transfer agent.” Email communications between healthcare providers and patients must be HIPAA compliant to prevent accidental exposure.
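The two points above, the updated rule's call for stronger TLS versions and the study's observation that mail clients hide the TLS state, can be addressed in a submission client that enforces a version floor and returns the negotiated version instead of a bare success flag. The following Python is an added example, not code from the article, from Paubox, or from the cited study; the host, port, sender and recipient are constructed placeholders, and the accepted-version set is an assumed organizational policy rather than a figure from the page.

```python
"""SMTP submission with an enforced TLS floor and a visible negotiated state.

Added example. Host, port, addresses and the policy floor are assumptions.
"""
import smtplib
import ssl
from email.message import EmailMessage
from typing import Optional

# Policy assumption: PHI-bearing mail only over TLS 1.2 or 1.3.
TLS_FLOOR = ssl.TLSVersion.TLSv1_2
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def build_smtp_tls_context() -> ssl.SSLContext:
    """Client context: system CA store, hostname check, nothing older than the floor."""
    ctx = ssl.create_default_context()   # check_hostname=True, CERT_REQUIRED
    ctx.minimum_version = TLS_FLOOR
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """True when the context can only negotiate versions at or above the floor
    and validates the server certificate."""
    return (ctx.minimum_version >= TLS_FLOOR
            and ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED)


def tls_version_acceptable(negotiated: Optional[str]) -> bool:
    """Gate on the string SSLSocket.version() reports after the handshake."""
    return negotiated in ACCEPTABLE_VERSIONS


def send_with_verified_tls(host: str, port: int, msg: EmailMessage) -> str:
    """Send only after STARTTLS succeeded and the negotiated version passes policy.

    Returns the negotiated version so the caller can log it, instead of the
    working/failing flag that most mail user agents reduce it to.
    """
    ctx = build_smtp_tls_context()
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server offers no STARTTLS; refusing to send PHI")
        smtp.starttls(context=ctx)    # raises on certificate or version failure
        smtp.ehlo()
        negotiated = smtp.sock.version()
        if not tls_version_acceptable(negotiated):
            raise RuntimeError(f"negotiated {negotiated}, below policy floor")
        smtp.send_message(msg)
    return negotiated


if __name__ == "__main__":
    # Offline demonstration of the policy checks; no network call is made here.
    print("context meets policy:", context_meets_policy(build_smtp_tls_context()))
    for v in ("TLSv1", "TLSv1.2", "TLSv1.3", None):
        print(v, "->", tls_version_acceptable(v))
    # To actually submit, construct a message and call (placeholders):
    # m = EmailMessage(); m["From"] = "clinic@example.com"; m["To"] = "patient@example.com"
    # m["Subject"] = "Your appointment"; m.set_content("Encrypted summary attached.")
    # print("negotiated:", send_with_verified_tls("smtp.example.com", 587, m))
```

Because `minimum_version` is set on the context, an older server cannot downgrade the handshake; the explicit post-handshake check then makes the result auditable rather than silent.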

The Privacy Rule recognizes email as a valid form of communication but requires healthcare providers to implement reasonable protections. This includes steps like verifying email addresses for accuracy and possibly confirming them with patients before sending sensitive data. While the rule allows for the use of unencrypted email for discussing treatment, it advises minimizing the information shared to safeguard privacy.

See also: Should business associates use HIPAA compliant email?

 

The use of HIPAA compliant email solutions

Email solutions are an effective way to achieve HIPAA compliant email communication. Paubox stands out as a highly useful HIPAA-compliant email solution primarily because it simplifies the complex requirements of HIPAA compliance while integrating seamlessly into existing email workflows. One of the main challenges healthcare organizations face is balancing stringent security mandates with ease of use, and Paubox addresses this by automatically encrypting all outbound emails without requiring additional steps from users. By integrating directly with popular email platforms such as Google Workspace and Microsoft 365, Paubox allows users to continue sending emails from their familiar interfaces, maintaining productivity and minimizing disruption to daily operations.

See also: HIPAA compliance for email in 3 easy steps

 

FAQs

Can any email provider be used for sending PHI?

Standard email providers often lack necessary security features such as encryption and audit controls. Therefore, only HIPAA-compliant email services that offer encryption, access controls, and a signed business associate agreement (BAA) should be used.

 

How can an organization ensure its emails are HIPAA compliant?

Organizations can ensure compliance by implementing encryption, using a HIPAA-compliant email service with a BAA, training staff on secure email practices, obtaining patient consent for email communication, and maintaining audit logs and conducting regular risk assessments.

 

What are the consequences of sending PHI via unsecure email?

Sending PHI through unsecure email can lead to unauthorized disclosure, resulting in HIPAA violations, financial penalties, corrective action plans, and damage to patient trust.

 

Is patient consent required before sending PHI via email?

Yes. HIPAA requires covered entities to inform patients about the risks of email communication and obtain their consent before sending PHI electronically.

 

Is it advisable to include PHI in the subject line of an email?

It is best practice to avoid including PHI in the email subject line because many email systems do not encrypt subject lines, potentially exposing sensitive information.

 

How long must emails containing PHI be retained?

HIPAA requires retention of medical records, including emails containing PHI, for at least six years from the date of creation or when they were last in effect.
