HIPAA Compliant Email: The Definitive Guide [2023 update]
HIPAA compliance and email is a critical issue for healthcare. This guide answers your questions about HIPAA compliant email so you can get up and running quickly.
HIPAA Compliant Email: The Definitive Guide is your resource to give you a clear understanding of HIPAA, how to encrypt and secure email so it’s HIPAA compliant, and a concise but complete understanding of how HIPAA regulations impact healthcare email.
- What you need to know about HIPAA compliance for email
- Is it a HIPAA violation to email patient names?
- Does HIPAA allow healthcare providers to email patients?
- How to safely email patients.
- HIPAA email rules for compliance.
- How to secure your healthcare email today for peace of mind.
Table of contents
- What is HIPAA?
- HIPAA compliance and email
- The easiest way to send HIPAA compliant email
- Quick guide to HIPAA regulations and rules you need to know
- 2023 update to HIPAA email and compliance
- HIPAA violations, breaches and fines FAQ
- Answers to your top HIPAA compliant email questions
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) set the standard for protecting sensitive patient data. As a result, email HIPAA compliance can be a confusing topic. But this definitive guide is your source to clarify key requirements and outline the important steps to leverage HIPAA compliant email.
HIPAA compliance and email
Is it a HIPAA violation to email patient names and PHI?
Any organization dealing with protected health information (PHI) must follow all the physical, network and process security measures required by HIPAA. HIPAA compliant email falls into this scope.
Covered entities and BAAs
Organizations subject to HIPAA include covered entities (any company that provides treatment, payment or healthcare operations) and business associates (any company with access to PHI that provides support for covered entities). Even subcontractors (i.e., business associates of business associates) must comply. So if you happen to fall into any of these categories, you must ensure that the email you send is secured and HIPAA compliant.
HIPAA encryption requirements are specified by two main terms—required and addressable.
Required encryption must take place when sending electronic protected health information (ePHI) per the HIPAA Privacy Rule and the HIPAA Security Rule.
How do I make my email HIPAA compliant and secure?
Follow these technical and procedural steps for HIPAA compliant email. Sending PHI through email is straightforward as long as you follow the right steps, and connecting with patients through easily accessed email is well worth it for patient well-being, staff work satisfaction and your bottom line.
It’s no secret that healthcare providers are busy. But you can easily have HIPAA compliant and secure email with Paubox without spending precious time installing or deciding what to encrypt or what not to encrypt. At the same time, implementation is simple and quick, and all emails secured by Paubox email solutions are HIPAA compliant. In fact, more than 4,000 healthcare members use Paubox every day for peace of mind to secure nearly 70,000,000 emails each month.
To learn more about HIPAA compliance and email, keep reading.
4 HIPAA compliant email technical steps
- Any email sitting on your server (like your inbox) is considered “at rest” and must be secured.
- Whenever you send an email, it moves from one server to another; it is considered “in transit.” Therefore, it must be secured every step of the way until it reaches the recipient’s inbox. This process is typically handled with email encryption. Another key point is that once an email is delivered securely to a recipient’s inbox, you are no longer responsible for it under HIPAA regulations.
- If your email provider secures email with Transport Layer Security (TLS) encryption, this does not by itself mean your message will be delivered securely. With opportunistic TLS, a message downgrades and arrives unencrypted in clear text if the recipient’s email provider doesn’t support TLS. So make sure you are using a solution that addresses this. Paubox solutions ensure 100% of emails are secured regardless of whether the recipient supports TLS.
- If you use a third-party email provider like Google Workspace, Microsoft 365 or Microsoft Exchange, you must get a business associate agreement (BAA) to protect PHI from cybercriminals or negligent employees. A BAA outlines the vendor’s responsibilities and duties when it handles PHI.
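As an added illustration of the TLS downgrade described in the steps above (this is example configuration, not from the original guide or from Paubox), here is how the weak opportunistic setting and the enforced setting look on a Postfix mail relay; the domain names in the policy map are placeholders.

```conf
# /etc/postfix/main.cf  (added example; Postfix uses the last assignment
# of a parameter, so keep only one smtp_tls_security_level line in a real file)

# WEAK: opportunistic TLS. Postfix offers STARTTLS, but if the receiving MX
# does not advertise it, the message is delivered in clear text with no error.
# This is the silent downgrade the guide warns about.
# smtp_tls_security_level = may

# ENFORCED: mandatory TLS. Delivery to an MX that does not support STARTTLS is
# deferred (and eventually bounced back to the sender) instead of sent in
# clear text, so PHI never leaves the relay unencrypted and the sender learns
# that the message was not delivered.
smtp_tls_security_level = encrypt

# "secure" additionally verifies the receiving server's certificate against the
# trust store, which also defends against a forged MX presenting its own cert.
# smtp_tls_security_level = secure
# smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Per-destination overrides: enforce a stricter level for known partner domains
# while the line above remains the default for everyone else.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Log the TLS outcome of every delivery, so that if the default is ever relaxed
# a clear-text delivery is visible in the mail log.
smtp_tls_loglevel = 1

# /etc/postfix/tls_policy  (placeholder domains; run `postmap` after editing)
# clinic-partner.example     secure
# billing-vendor.example     encrypt
```

With mandatory TLS, recipients whose mail servers lack STARTTLS stop receiving mail entirely, so pair the setting with an out-of-band delivery path for those cases rather than relaxing the default.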
3 HIPAA compliant procedural steps
- Ensure all employees are appropriately trained on HIPAA compliance and leverage the right technology to overcome human error, such as forgetting to press a button or typing a password to encrypt an email when sending PHI. Human error accounts for the vast majority of email-related HIPAA violations. Because of this, Paubox email solutions eliminate doctor or patient errors related to sending an email that is not secured. You can take advantage of a no-risk trial here.
- HIPAA requires reasonable safeguards for PHI, like encryption. If you choose not to use a third-party email encryption service, you will need to take the time to audit your organization with this assessment.
- Limit access to PHI to only staff members who need it to do their jobs.
The easiest way to send HIPAA compliant email
The easiest way to send email in compliance with HIPAA is seamless encryption. It gives providers the expected benefit—HIPAA compliant email—without asking senders or recipients to change their behavior. Secure all email sent from your server without the need for additional security steps for you or your email recipients and remain HIPAA compliant.
Seamless email workflow for your staff
It is a stressful and time-consuming burden for staff to decide whether an email needs encryption. Encrypting email by default eliminates the risk and stress of accidentally sending unencrypted PHI over email, because for a distracted or busy employee, hitting the send button without noticing that an email contains ePHI is far too easy and makes for a very costly mistake.
Seamless and secure email connections with your patients
Find a solution that allows you to write and send HIPAA compliant emails as usual from a laptop, desktop or mobile device without needing to enter passwords, download an app or log into a portal.
The reality is, having portals and passcodes is a security “check in the block.” Email’s purpose is to communicate. But if you make your patients log in, the odds are you will not be communicating with them. In fact, only 1/3 of people with access to portals use them, but over 90% of U.S. adults regularly use email.
Seamless and secure integration into your existing email provider
Fortunately, Paubox integrates with Google Workspace, Microsoft 365 and other commercial email providers. So, conveniently, you don’t have to change your email address.
Seamless HIPAA compliant email and a more secure inbox
What’s more, our Plus and Premium subscriptions add robust spam, virus, ransomware and phishing protection. Unfortunately, phishing scams are still the most common way email gets hacked and continue to lead to HIPAA violations.
Finally, Paubox provides a BAA to all members. In addition, no minimum number of staff members or providers is required.
Quick guide to HIPAA regulations and rules you need to know
HIPAA compliant email and the HIPAA Enforcement Rule
The U.S. Department of Health and Human Services (HHS) created HIPAA to improve healthcare standards and combat PHI fraud and abuse. Additionally, the Office for Civil Rights (OCR) regulates and enforces the act, which consists of the following sections (or titles). Most referenced is Title II, as it sets the policies and procedures for safeguarding PHI, whether in paper or electronic (ePHI) form.
6 rules of HIPAA you need to know
- Privacy Rule (2003): covers the protection of PHI as well as compliance standards
- Security Rule (2005): sets required security standards to protect ePHI
- Enforcement Rule (2006): provides a general guide for compliance, investigation and penalties for violations
- HITECH Act (2009): promotes the adoption and meaningful use of technology in healthcare
- Breach Notification Rule (2009): sets the procedures for reporting breaches
- Final Omnibus Rule (2013): incorporates HITECH further by improving privacy protections
Does the HIPAA Privacy Rule permit healthcare providers to use email to discuss health issues and treatment with their patients?
Yes. In 2000, the HIPAA Privacy Rule created a set of national standards for safeguarding certain health information for the first time. Providers can communicate electronically with their patients under the Privacy Rule, provided they apply reasonable safeguards.
HIPAA does not mandate encryption
HIPAA does not mandate encryption outright; encryption is an addressable implementation specification. If your organization decides not to encrypt, you must first perform a risk assessment and determine that encryption is not needed to manage the risks to PHI, document why encryption is not needed, and then implement a secure alternative safeguard for your ePHI.
Paubox recommends encryption for HIPAA compliant email
Not using email encryption is risky for your patients’ information and your organization. Encryption is the only option to securely protect PHI.
The HIPAA Privacy Rule allows covered entities to disclose PHI to a business associate. Nevertheless, business associates must assure covered entities that PHI remains within the scope of their engagement.
What is the HIPAA Security Rule?
The HIPAA Security Rule was added in 2003 to set out what safeguards must be in place to protect electronic PHI (ePHI), which is health information that is held or transferred in electronic form. Therefore, covered entities must take reasonable steps to protect ePHI in email while in transit to the recipient’s inbox.
2023 update to HIPAA email and compliance
According to HHS, recently proposed updates intend to improve the consumer experience, increase consumer understanding, simplify the plan selection process, combat discriminatory benefits that disproportionately impact disadvantaged populations and advance health equity.
Here are the proposed 2023 updates to the HIPAA Privacy Rule
- Individuals will have the right to inspect their PHI in person, including taking notes or capturing images of medical records.
- Covered entities’ response time for medical record requests will be shortened to 15 calendar days. Also, there will be an option for an extension of no more than 15 calendar days.
- Responding to individuals’ requests for PHI will be clear and concise, including when business associates are involved.
- Whenever a PHI summary is offered instead of a copy, covered entities must notify individuals that they retain the right to obtain or direct copies of PHI to third parties.
- Individuals will be provided with access rights with a reduced burden of identity verification.
- By requiring covered healthcare providers and health plans to submit an individual’s access request to another healthcare provider and to receive back electronic copies of the individual’s PHI in an electronic health record (EHR), individuals will be able to direct the sharing of PHI in an EHR.
- Covered healthcare providers and health plans will be required to respond to certain requests for records sent to them by other covered healthcare providers or health plans according to their right of access.
- The individual right of access to direct the transmission of PHI to a third party will be limited to electronic copies of PHI in an EHR.
- The timelines for when ePHI must be provided free of charge to the individual will need specifying.
- The fee structures for responding to requests to direct records to third parties will be amended.
- Covered entities will be required to publish estimated fee schedules on their websites for access and disclosures with an individual’s valid authorization and provide individualized estimates of fees for individuals requesting copies of their personal health information, as well as itemized bills for completed requests upon request.
Source: Aris Medical Solutions
HIPAA compliant email 2023 update timelines
In order to achieve compliance with any new or modified standards, covered entities and their business associates have until the “compliance date” to establish and implement policies and practices. Additionally, HHS has previously stated that the 180-day general compliance period for new or modified standards will not apply if a different compliance period is provided in the regulation.
Why is HHS making HIPAA updates in 2023?
HHS requested answers to 54 questions from providers in 2019. Then in 2020, the department issued a Notice of Proposed Rulemaking describing several changes to the HIPAA Privacy Rule based on the responses received. HHS requested comments on the proposed HIPAA changes once again in 2021. Finally, on January 5, 2022, the department released its Notice of Benefit and Payment Parameters for the 2023 Proposed Rule.
HIPAA violations are costly. Secure your emails to stay protected.
Certainly, HIPAA violations carry a high cost, and you can be penalized for noncompliance based on the degree of negligence. The current fines typically range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. According to Thomson Reuters, the penalties are adjusted for inflation and could be even higher.
What are the current penalties for HIPAA email violations?
HIPAA administrative simplification covers privacy, security, breach notification and electronic healthcare transactions. Presently, HIPAA violations are categorized into four tiers, with minimum and maximum penalty amounts within each tier, and multiple violations of an identical provision are capped annually. In accordance with HIPAA administrative simplification provisions, the following indexed penalties apply:
| Penalties for HIPAA email violations | From | To | Annual cap |
|---|---|---|---|
| Tier 1: Could not have avoided with reasonable care | $127 | $63,973 | $1,919,173 |
| Tier 2: HIPAA email violation despite reasonable care | $1,280 | $63,973 | $1,919,173 |
| Tier 3: Willful neglect but corrected within a reasonable time | $12,794 | $63,973 | $1,919,173 |
| Tier 4: Willful neglect and not corrected | $63,973 | $1,919,173 | $1,919,173 |
What’s more, according to a report by IBM Security, healthcare data breaches cost $9.3 million on average in 2021 – a 29.5% increase over the $7.13 million average in 2020.
Undeniably, over the past 20 years, the OCR has enforced violations at a blistering pace.
HIPAA email breaches and violation stories
- The largest medical cyberattack in U.S. history? Don’t make the next headline.
- The OCR is struggling to keep up with ransomware cases. The threat against healthcare is no joke.
- Hackers are targeting healthcare more than ever, and the threat is increasing due to global unrest.
- Ransomware attacks are surging globally, including in the healthcare sector.
- Stolen laptops can result in huge fines. In several instances, a single stolen laptop costs a healthcare provider over $1,000,000.
- A stolen thumb drive averages a HIPAA fine of $925,000.
- Stolen office computers can be subject to fines too. Even a computer that never leaves your office can cost you money.
- Unpatched and unsupported software can also lead to fines.
- Accidental and non-malicious internal threats are increasing as well.
- The HIPAA Right of Access Initiative, launched in 2020, has led to significant fines for not providing patients the required “right of access” to their own health records.
HIPAA breaches and email security
In 2021, a major healthcare data breach affected 45.7 million patient records. This is the second-highest number of records reported breached since 2015. Health insurer Anthem suffered the largest healthcare data breach on record in 2015, affecting 77.8 million people.
Undoubtedly, email continues to be a primary threat vector for healthcare. In fact, 37% of all HIPAA breaches in 2020 occurred via email.
Answers to your top HIPAA compliant email questions
- Is my email provider HIPAA compliant?
- When does my obligation to secure PHI end?
- What is a business associate agreement, or BAA?
- Is there a HIPAA email provider certification?
- What is the gold standard for HIPAA compliance?
- The best HIPAA compliant email providers.
- Five top HIPAA compliance software tools for secure healthcare email.
1. Is my email provider HIPAA compliant?
These popular consumer email providers are not HIPAA compliant:
- Gmail: By far one of the most popular email providers in the world, Gmail – or Google Workspace – by itself is not HIPAA compliant. Google’s own data shows that only 90% of email sent with Gmail is delivered encrypted. For HIPAA compliance, 90% isn’t good enough. Only 100% encryption is acceptable. But you can make Gmail HIPAA compliant with a few extra steps.
- Yahoo: Another popular email provider, Yahoo is not compliant.
- GoDaddy: A lot of people use GoDaddy’s hosting service and subsequently use GoDaddy’s Microsoft 365 product, but not all Microsoft 365 email is created equal.
- HostGator: Another popular web hosting provider that offers email hosting and is not HIPAA compliant.
2. When does my obligation to secure PHI end?
Once the email reaches the recipient, the obligation of the sender ends, and it becomes the recipient’s job to secure any PHI they have in their inbox.
3. What is a business associate agreement, or BAA?
If you are using a third party to transmit or host ePHI, the company is legally required to sign a business associate agreement (BAA) with you. A BAA establishes that certain administrative, physical and technical safeguards are in place to protect patient data.
On the whole, a crucial piece of HIPAA to understand is that vendors providing HIPAA compliant email services to organizations must provide and sign a business associate agreement (BAA).
Therefore, covered entities or business associates entrusting PHI to a third party legally need a BAA.
4. Is there a HIPAA email provider certification?
Presently, there is no certification that makes an email provider HIPAA compliant. However, meeting the HIPAA Privacy and Security Rule requirements and ensuring strong technical security measures to protect ePHI are in place is the best place to start.
5. What is the gold standard for HIPAA compliance?
HITRUST-CSF certification is the closest thing there is to a formal HHS HIPAA certification.
Therefore, inspect vendors’ stances on safeguarding sensitive information and their ability to manage risk and check to ensure that their products are HITRUST-CSF certified. Sometimes using HITRUST-CSF certified technology and software can help with cyber liability insurance premiums.
Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain.
In summary, HITRUST-CSF is the gold standard of security certifications in healthcare.
6. The best HIPAA compliant email providers
Perhaps the most difficult step is next—trying to sort through the noise and pick a HIPAA compliant email provider.
For that reason, here are some factors you want to consider:
- Is the service really HIPAA compliant?
- How easy is it to use?
- Does it integrate with your existing IT setup?
- Does it require new workflows?
- How is customer support?
- What are the hidden costs?
7. 5 top HIPAA compliance software tools for secure healthcare email
Above all, Paubox has taken security and compliance to the next level by achieving HITRUST-CSF certification for all our products:
- Paubox Email Suite for standard email
- Paubox Email Suite Plus with inbound security
- Paubox Email Premium with inbound security, email archiving and DLP
- Paubox Email API for transactional email
- Paubox Marketing for HIPAA compliant email marketing
HITRUST-CSF Certified patented technology
Overall, HITRUST-CSF certified status demonstrates that our solutions have met key regulatory and industry-defined requirements and are appropriately managing risk.
Notably, this achievement places Paubox in an elite group of organizations worldwide that have earned this certification. Certainly, by including federal and state regulations, standards and frameworks, and by incorporating a risk-based approach, the HITRUST-CSF certification helps organizations address compliance challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.
Additional HIPAA email compliance resources
- Four steps to send HIPAA compliant email
- What happens when a Paubox email recipient doesn’t support encryption?
- How to send a secure HIPAA compliant email
- Why email is better than patient portals
- How Paubox can help with HIPAA Right of Access
- Best HIPAA compliant email providers
- HIPAA compliant email and the BAA
Paubox takes the stress out of HIPAA compliance and email
Paubox gives over 4,000 healthcare customers peace of mind by securing nearly 70,000,000 emails every month for providers and covered entities. Our technology is HITRUST-CSF certified and rated 4.9/5.0 on G2. Trust the industry experts and start using email in your practice easily, securely and in compliance with HIPAA regulations.
Looking for HIPPA compliant email in our HIPAA Compliant Email: The Definitive Guide [2023 update]?
People often confuse HIPAA email and HIPPA email. Therefore, it’s easy to Google HIPPA compliant email or HIPPA email. In short, Google is smart and knows the correct spelling while pointing you to the right pages by default. In a nutshell, “HIPPA compliant email” or “HIPPA email” are not correct. “HIPAA compliant email” or “HIPAA email” are the correct search terms.