How to send a secure HIPAA compliant email


Do you know the rules for sending secure email with PHI?

Email is convenient, especially in healthcare environments. However, keeping email secure poses challenges. Learn how to send a secure, HIPAA compliant email with this quick guide.

The main alternative is a patient portal. Portals can be secure, but they provide a poor patient experience and create more work for providers. As a matter of fact, 90% of providers offer portals, but only one-third of patients use them.

For physicians, the low uptake of the portal is a reality:

“Let’s put it this way, I saw a patient with a resident earlier last week, and he said that they have an active portal account, and I was surprised. That’s how infrequently I see people that have it.” An administrator in a different county described her experience with a prior attempt to launch a patient portal: “even with our effort, there was nobody who used it after we had about 100 sign up.”
- Quote from “Primary Care Providers’ Views of Patient Portals: Interview Study of Perceived Benefits and Consequences” in the Journal of Medical Internet Research

What does HHS say about sending HIPAA compliant email?

The HIPAA Security Rule does not prohibit sending ePHI by email. The United States Department of Health and Human Services (HHS) states that you can send electronic protected health information (ePHI) via email, but you must do so securely. Covered entities must implement policies and procedures to restrict access, safeguard integrity, and guard against unauthorized access to ePHI, according to the HIPAA standards for access control, integrity, and transmission security.

Understanding the challenge of HIPAA email security

There are several links in the email chain to secure. An email is composed on the sender’s side, handed to the sender’s email server, and then sent on to the recipient’s server. The email data is “at rest” while it sits on an email server and “in transit” while it passes from one server to the other.

When an email is sent from one machine to another, it travels across the internet. As it travels, it is exposed to cybercriminals trying to intercept or steal information.

How is email sent securely?

Under HIPAA, ePHI must remain secure both at rest and in transit. To protect ePHI in an email, ensure your email provider supports encryption and that accounts are protected with user credentials. You must encrypt emails sent over non-secure networks such as the internet. These security concerns keep some health care professionals from using certain email systems at all.

It is important to distinguish between an email platform that is HIPAA compliant and one that is HIPAA capable. Even though most popular email providers offer email encryption, they often are not HIPAA compliant. Many are capable, but they are not compliant until you enable certain features on the platform and you sign a business associate agreement (BAA) with the company. 

Google and Microsoft HIPAA compliance and security

Take Gmail, for example: 87% of sent emails are encrypted, but HIPAA requires 100% encryption for emails containing ePHI. Thirteen percent of email going out unencrypted is unacceptable; it is too big an opening for attackers to read patient emails in transit. Although Google and Microsoft are HIPAA capable, it is best to use an additional encryption program that guarantees encryption on 100% of the emails you send.
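The 87% figure above is a measurement you can make on your own mail gateway. The following script is an added example, not Paubox’s code or anything from the article: it walks outbound mail logs and reports which external deliveries were made over TLS and which were not. The log lines are constructed in the style of Postfix with `smtp_tls_loglevel = 1`, where the sending `smtp` process (identified by its PID) logs a “TLS connection established” line before it logs the delivery made over that connection; the correlation by PID and relay is an approximation (a long-lived process that reopens a plaintext connection to the same relay would be misclassified), and `clinic.example` is an assumed internal domain.

```python
"""Audit outbound mail logs for external deliveries that were not protected by TLS.

Added example (not Paubox's code). SAMPLE_LOG is constructed in the style of
Postfix with smtp_tls_loglevel=1. Correlating the TLS line and the delivery
line by PID and relay is an approximation, so treat the report as a first
pass for a risk assessment rather than proof of encryption.
"""
import re

# Constructed sample lines (hostnames and addresses are placeholders).
SAMPLE_LOG = """\
Jun  1 09:00:01 mail postfix/smtp[2101]: Trusted TLS connection established to mx.clinic-partner.example[203.0.113.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jun  1 09:00:02 mail postfix/smtp[2101]: 7A1B2C3D4E: to=<dr.lee@clinic-partner.example>, relay=mx.clinic-partner.example[203.0.113.10]:25, delay=1.1, delays=0.1/0.1/0.5/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun  1 09:00:05 mail postfix/smtp[2102]: 8B2C3D4E5F: to=<patient@oldmail.example>, relay=mx.oldmail.example[198.51.100.20]:25, delay=0.9, delays=0.1/0.1/0.3/0.4, dsn=2.0.0, status=sent (250 OK id=abc)
Jun  1 09:00:07 mail postfix/smtp[2103]: Untrusted TLS connection established to mx.oldmail.example[198.51.100.20]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun  1 09:00:08 mail postfix/smtp[2103]: 9C3D4E5F6A: to=<nurse@oldmail.example>, relay=mx.oldmail.example[198.51.100.20]:25, delay=1.0, delays=0.1/0.1/0.4/0.4, dsn=2.0.0, status=sent (250 OK id=def)
Jun  1 09:00:09 mail postfix/smtp[2104]: 1D4E5F6A7B: to=<bob@example.test>, relay=mx.example.test[192.0.2.30]:25, delay=0.7, delays=0.1/0.1/0.2/0.3, dsn=2.0.0, status=sent (250 OK)
Jun  1 09:00:10 mail postfix/smtp[2105]: 2E5F6A7B8C: to=<front-desk@clinic.example>, relay=internal-mx.clinic.example[10.0.0.5]:25, delay=0.2, delays=0.1/0/0/0.1, dsn=2.0.0, status=sent (250 OK)
Jun  1 09:00:12 mail postfix/smtp[2101]: 3F6A7B8C9D: to=<lab@other.example>, relay=mx.other.example[203.0.113.40]:25, delay=0.5, delays=0.1/0.1/0.1/0.2, dsn=2.0.0, status=sent (250 OK)
Jun  1 09:00:40 mail postfix/smtp[2106]: 4A7B8C9D0E: to=<x@down.example>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mx.down.example[192.0.2.99]:25: Connection refused)
"""

# A TLS handshake logged by the smtp client process: remember relay and protocol per PID.
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: "
    r"(?:Trusted|Untrusted|Anonymous|Verified) TLS connection established to "
    r"(?P<relay>\S+\]):\d+: (?P<proto>TLSv[\d.]+)"
)
# A delivery attempt: queue id, recipient, relay and final status.
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>\S+?):\d+, .*status=(?P<status>\w+)"
)


def audit_tls(log_text, internal_domains):
    """Classify each completed external delivery as TLS-protected or not."""
    tls_by_pid = {}          # pid -> (relay, protocol) of the last TLS handshake seen
    encrypted, unencrypted = [], []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            tls_by_pid[m["pid"]] = (m["relay"], m["proto"])
            continue
        m = DELIVERY_RE.search(line)
        if not m or m["status"] != "sent":
            continue         # deferred/bounced mail never reached the remote server
        domain = m["rcpt"].rsplit("@", 1)[-1].lower()
        if domain in internal_domains:
            continue         # never left the closed network; out of scope here
        relay, proto = tls_by_pid.get(m["pid"], (None, None))
        if relay == m["relay"]:
            encrypted.append((m["qid"], m["rcpt"], proto))
        else:
            unencrypted.append((m["qid"], m["rcpt"]))   # no matching handshake logged
    total = len(encrypted) + len(unencrypted)
    return {
        "external_sent": total,
        "encrypted": len(encrypted),
        "unencrypted": unencrypted,
        "encrypted_pct": round(100.0 * len(encrypted) / total, 1) if total else 0.0,
    }


if __name__ == "__main__":
    report = audit_tls(SAMPLE_LOG, {"clinic.example"})
    print(f"{report['encrypted_pct']}% of external deliveries used TLS")
    for qid, rcpt in report["unencrypted"]:
        print(f"  plaintext delivery: {qid} -> {rcpt}")
```

On the constructed sample this reports 40% TLS coverage and lists the three plaintext deliveries. Auditing only tells you the gap; closing it is a policy decision. Postfix can refuse plaintext outbound delivery with `smtp_tls_security_level = encrypt`, but mail to domains whose servers cannot negotiate TLS then bounces, which is exactly the case the notification-and-pickup approach described later in this article is designed to handle.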

Are third-party email security providers HIPAA compliant and secure?

The safest and least cumbersome option is for covered entities to work with a third-party HIPAA compliant email provider to ensure that all HIPAA email has end-to-end encryption. End-to-end encryption guarantees that only the sender and the recipient can read the email, keeping the ePHI private as it travels between inboxes.

Third-party email security providers must sign a BAA with you. It is the covered entity’s responsibility to ensure the business associate does its part under the HIPAA Omnibus rules, and both parties can be liable for fines if found in violation of HIPAA. The BAA typically covers only the business associate’s server; the covered entity remains responsible for ePHI at rest on its own server and while the email is in transit.

Email encryption and security

HIPAA encryption requirements are specified by two main terms, “required” and “addressable.”

Safeguards labeled “required” must be put in place; omitting one is a failure to comply with HIPAA. Safeguards labeled “addressable” must be implemented once a risk assessment has determined they are needed to manage risks to PHI.

If your organization determines that email encryption is not appropriate, then you must document your reasoning behind that decision and implement an equivalent solution to safeguard PHI.

However, since there is no appropriate alternative to encryption for protecting PHI, it is effectively required. Not using encryption puts your patients’ information and your organization at risk.

Does the recipient’s email client need to be secure?

As a healthcare provider, you cannot easily control whether your patients use secure email clients. Below is the regulation that covers patient email clients.

US Department of Health and Human Services, Omnibus Final Rule, 2013

“We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email… covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.” 

As long as you use a secure email service and follow HIPAA regulations, you are not responsible for what happens on the recipient’s side. Here are a few things to keep in mind:

  • A secure, alternative method must be available for the patient to receive the information.
  • Advise patients that their email clients might not be secure. If they say they still want the information, it’s okay to send it. You can also use a HIPAA compliant email provider that guarantees all HIPAA emails you send will be compliant, even if the patient doesn’t support encryption.
  • Be sure to document these conversations for your own protection.

How to secure different types of HIPAA compliant emails

Internal email security with PHI

Emails that stay within a closed, secure network don’t require encryption. However, remote workers must follow the usual encryption rules, so a third-party vendor that secures remote staff’s HIPAA email is required. Solutions that secure all email sent are advisable, as they remove the chance of accidentally sending PHI unprotected.

Provider-to-provider email security with PHI

There is no need to encrypt email sent within your closed email network. However, when providers contact other providers outside of your organization, they must follow the usual HIPAA encryption rules. Therefore, solutions that secure all email sent are advisable, as they remove the chance of accidentally sending unencrypted PHI.

Personal email security when sent from work

Occasionally, providers work at home and need to send case information and PHI back to their work email. HIPAA email sent from a personal email account to a work account can be a HIPAA violation unless the provider uses a HIPAA compliant email service.

Security of mass emails using BCC

Using BCC to send mass emails is never a good idea. HIPAA compliant options are available that send secure email to each individual inbox, and currently this is the only way to send a secure bulk email or marketing-type email. However, choose your mass email provider wisely: most email marketing platforms are not HIPAA compliant or secure. As a matter of fact, the popular MailChimp announced a devastating data breach in April.

Securing reply emails

Under HIPAA, the party initiating a transmission is liable for its security. If the sender is not a covered entity or business associate, they cannot violate HIPAA. However, a covered entity or business associate that replies becomes responsible for protecting the PHI in that reply: once you reply, you are again responsible for the security of the transmission.

Secure patient emails

What safeguards do you use to protect patient emails? The best practice is to ensure your patients’ email security by using a third-party email security provider that keeps PHI HIPAA compliant.

How to send a secure HIPAA compliant email

Secure cloud-based email servers

One option is to use a secure cloud-based email platform with a HIPAA compliant server. When you connect to it over HTTPS, the connection between your browser and the server is encrypted. You must sign a BAA with the provider before you send HIPAA email.

Password email security and 2-factor authentication

Secure your email account with a strong password or passphrase, and enable multi-factor authentication wherever it is available.

Secure and encrypted email services

Email services that encrypt healthcare email keep you HIPAA compliant. If the recipient’s email provider does not support encryption, the email is not delivered in plain text. Instead, the recipient is notified that a message is waiting and can connect securely to the server to view it. Patients whose email clients do support encryption receive the HIPAA email directly in their inbox. Using a provider to keep HIPAA email secure and encrypted makes information more accessible for patients and creates better outcomes and experiences.
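The two rules above, secure every outbound message rather than trying to spot which ones contain PHI (the provider-to-provider section) and fall back to a notification plus secure pickup when the recipient’s server cannot take the message encrypted (this section), fit in one routing function. The code below is an added example, not Paubox’s code or a description of its product: the TLS capability table, the internal domain `clinic.example`, the pickup URL and the in-memory “secure store” are all constructed stand-ins for a real MX capability check and a real portal.

```python
"""Outbound routing for messages that may contain ePHI.

Added example, not Paubox's code. Every message is treated as if it carried
PHI, so nothing depends on detecting PHI in the body. TLS_CAPABLE stands in
for a real check of the recipient domain's mail servers; SECURE_STORE stands
in for the provider's authenticated pickup portal.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

INTERNAL_DOMAINS = {"clinic.example"}                       # assumed closed network
TLS_CAPABLE = {"clinic-partner.example": True,              # constructed capability table
               "oldmail.example": False}
PICKUP_BASE_URL = "https://secure.clinic.example/m/"        # hypothetical portal URL


@dataclass
class OutboundMessage:
    sender: str
    recipient: str
    subject: str
    body: str            # may contain PHI; never copied into a plaintext notification


@dataclass
class Delivery:
    mode: str            # "internal", "tls" or "notification"
    to: str
    subject: str
    body: str
    pickup_token: Optional[str] = None


SECURE_STORE: Dict[str, OutboundMessage] = {}   # token -> message awaiting pickup


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def recipient_supports_tls(domain, capability=TLS_CAPABLE):
    # Unknown domains are assumed NOT to support TLS: the safe default is the
    # notification path, never a plaintext delivery.
    return capability.get(domain, False)


def route(msg, capability=TLS_CAPABLE):
    """Decide how a message leaves the organisation without exposing its contents."""
    domain = domain_of(msg.recipient)
    if domain in INTERNAL_DOMAINS:
        return Delivery("internal", msg.recipient, msg.subject, msg.body)
    if recipient_supports_tls(domain, capability):
        return Delivery("tls", msg.recipient, msg.subject, msg.body)
    # Fallback: park the message and send a notice that carries no PHI at all,
    # not even the original subject line. The token is unguessable, and pickup
    # still requires the recipient to sign in.
    token = secrets.token_urlsafe(32)
    SECURE_STORE[token] = msg
    notice = (f"{msg.sender} has sent you a secure message. "
              f"Sign in at {PICKUP_BASE_URL}{token} to read it.")
    return Delivery("notification", msg.recipient, "You have a secure message",
                    notice, pickup_token=token)


def pickup(token, authenticated_as):
    """Release a parked message only to the authenticated intended recipient."""
    msg = SECURE_STORE.get(token)
    if msg is None or msg.recipient.lower() != authenticated_as.lower():
        return None
    return msg


if __name__ == "__main__":
    m = OutboundMessage("dr.lee@clinic.example", "patient@oldmail.example",
                        "Lab results", "constructed body standing in for PHI")
    d = route(m)
    print(d.mode, "->", d.to, "|", d.subject)
    print("pickup by recipient:", pickup(d.pickup_token, m.recipient) is m)
```

The design choice worth noting is what the notification omits: the subject line as well as the body, because a subject such as “Lab results” already discloses something about the patient. The `pickup` check ties the token to the intended recipient, so possession of the link alone is not enough; in a real deployment the sign-in would be the portal’s authentication, and the store would be the provider’s server covered by the BAA.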

Secure message portals 

EMR/EHR systems with a patient portal can store messages there. The recipient is notified by email that a message is waiting on the portal, where they can log in and view it securely. However, portals are not popular with patients: only a third of people with access to a portal use it. Portals negatively impact patient outcomes, patient satisfaction, and provider workload by creating a cumbersome communication flow.

Email disclaimers

A disclaimer or confidentiality notice is not a license to send unencrypted emails full of PHI. Keep in mind that a disclaimer will not relieve you of your responsibility to send ePHI securely.

Would you like more information on secure HIPAA compliant email?

Contact the experts at Paubox to help with your secure HIPAA compliant email needs. Paubox solutions put the power and ease of email back into the hands of healthcare for better patient and provider experiences.

HITRUST CSF certified
4.9/5.0 on the G2 Grid
Paubox sends millions of HIPAA certified and secure emails every month.

Try Paubox Email Suite Plus for FREE today.

About the author

Anne-Marie Sullivan
