Ensure your email is HIPAA Compliant
Whether you need to make your email HIPAA compliant will depend on how you plan to use email with ePHI. Access controls to email accounts are required, as it is important to ensure that only authorized individuals can access email accounts that contain ePHI.
There are many email service providers that offer an encrypted email service, but not all are HIPAA compliant and incorporate all of the necessary safeguards to meet the requirements of the HIPAA Privacy and Security Rules. To make your email HIPAA compliant there are several things to consider:
Obtain a BAA (business associate agreement)
If you use a third-party email provider, you should obtain a BAA (business associate agreement) prior to using the service for sending ePHI. The BAA outlines the responsibilities of the service provider and establishes that administrative, physical, and technical safeguards will be used to ensure the confidentiality, integrity and availability of ePHI.
Even when a BAA is obtained, there are still risks associated with email and it is possible to fail to configure the email service correctly and violate HIPAA Rules. Simply using an email service that is covered by a BAA does not make your email HIPAA compliant.
Google’s G Suite includes email and is covered by Google’s BAA. Through G Suite, email can be made HIPAA compliant provided the service is used with a business domain. Even with G Suite, care must be taken when configuring the service to ensure end-to-end encryption is in place.
Email isn’t a secure method of communication. Even services that encrypt messages in transit may not have the required level of security to make them HIPAA compliant. Access controls are used to ensure only the intended recipient and the sender can access the messages.
Some email service providers require individual emails to be encrypted by clicking a button or using a portal. Since it is easy to forget to turn on encryption and accidentally send an unencrypted email, it is a better choice to encrypt all emails, not only those that contain ePHI. This reduces the potential for human error. AES 128-, 192-, or 256-bit encryption is recommended.
For many HIPAA-covered entities, especially smaller healthcare providers that do not have in-house IT staff to ensure their email is HIPAA-compliant, the use of a third-party HIPAA compliant email service provider is strongly recommended.
In order for email to be fully encrypted, the patient would need to use an email service that supports HIPAA-level encryption. The Privacy Rule recognizes this, and grants the individual access to ePHI in the format that they wish to receive it, i.e. unencrypted email. The issue of encryption is becoming less and less of a concern as email services such as Google and Microsoft are implementing stricter security.
Email Policies for your staff
Once you have implemented your HIPAA compliant email service, it is important to train staff on the correct use of email with respect to ePHI. Several data breaches have occurred as a result of errors made by healthcare staff: the accidental sending of ePHI via unencrypted email, and the sending of ePHI to individuals unauthorized to view the information. It is important to ensure that all staff are aware of their responsibilities under HIPAA and are trained on the use of the email service.
Email retention requirement
HIPAA Rules on email retention are a little unclear as email retention is not specifically mentioned in HIPAA legislation. Since individuals can demand information on disclosures of protected health information, and email communications may have to be provided when legal action is taken against a healthcare organization, covered entities should maintain an email archive or at least ensure emails are backed up and stored. State laws may also require emails to be stored for a fixed period of time. You should therefore check the laws relating to email in the states in which your organization operates. If in doubt, seek legal advice.
Security-related emails and emails relating to changes in privacy policies should be retained for a period of six years, and HIPAA requires covered entities to store documentation related to their compliance efforts for 6 years. Consider using a secure, encrypted email archiving service rather than email backups.
As with an email service provider, any provider of an email archiving service will also be subject to HIPAA Rules as they will be classed as a business associate. A BAA would need to be entered into with that service provider and reasonable assurances obtained that they will abide by HIPAA Rules.
HIPAA-covered entities should note that while it may be convenient to send emails containing ePHI to patients, consent to use email as a communication method must be obtained from the patient in writing before any ePHI is sent via email, even if a HIPAA compliant email provider is used. Patients must be advised that there are risks to the confidentiality of information sent via email. If they are prepared to accept the risks, emails containing ePHI can be sent without violating HIPAA Rules.
The bottom line is that the patient must request to receive unencrypted emails and be made aware of the risks. See section 45 CFR 164.524 for more details on a patient’s right to access PHI.
Seek legal advice on HIPAA compliance and email
If you are unsure of the requirements of HIPAA with respect to email, it is strongly recommended that you speak with a healthcare attorney who specializes in HIPAA, who can advise you of your responsibilities and of the requirements that apply to your use of email.