A HIPAA compliant email is an email containing Protected Health Information, that is sent or received for a purpose permitted by the Privacy Rule, and that is protected from unauthorized access or corruption by safeguards that support compliance with the Security Rule. There may be other conditions attached depending on who is sending the email, the purpose of the email, and any exceptions that apply.
Individuals and organizations that qualify as HIPAA covered entities or business associates are required to ensure emails are HIPAA compliant when they contain Protected Health Information (PHI). Factors that determine whether an email is HIPAA compliant include:
- The purpose of the email.
- The nature of its content.
- How the email is protected.
- What happens to PHI once received.
What is the Purpose of the Email?
If an email sent by a covered entity or business associate contains PHI, the purpose of the email has to be permitted by the Privacy Rule. Permitted purposes include disclosures for treatment, payment, and healthcare operations, disclosures required by law or in an emergency (see 45 CFR §164.512), and disclosures to a business associate for a secondary permitted purpose.
There are also circumstances when disclosures of PHI are required by the Privacy Rule. These include disclosures to HHS’ Office for Civil Rights and to individuals who are the subject of the PHI. It is also possible to disclose PHI in an email for other purposes when a covered entity has obtained a valid authorization from the subject of the PHI or their personal representative.
What is the Nature of the Email’s Content?
In order to be a HIPAA compliant email, the nature of the email’s content has to comply with the minimum necessary standard when the minimum necessary standard applies (see 45 CFR §164.502(b) for exceptions) . This means that – in most cases – only the minimum necessary PHI can be disclosed in an email to achieve the purpose of the disclosure.
Because of this rule, HIPAA training on HIPAA compliant email needs to cover topics beyond security awareness. If members of the workforce disclose more than the minimum necessary PHI in an email, and the subject of the PHI makes a complaint to HHS’ Office for Civil Rights, the regulator could consider the excessive disclosure of PHI to be a HIPAA violation.
How is the Email Protected?
If a covered entity or business associate is sending a HIPAA compliant email, it needs to be protected from unauthorized access or compromise This means that measures must be in place to comply with the Security Rule safeguards – both at the point of dispatch (i.e., access controls, password management, etc.) and during transit to the recipient (i.e., encryption).
When a covered entity or business associate subscribes to a HIPAA compliant email service (i.e., Microsoft 365), the responsibility for complying with many of the Security Rule safeguards is assumed by the email service provider. However, before using a HIPAA compliant email service, it is necessary to enter into a Business Associate Agreement with the service provider.
What Happens to PHI Once Received
When an email is received by a covered entity or business associate that contains PHI, HIPAA compliance can also be dependent on what happens to PHI once received. If maintained in an email account, the email becomes a designated record set and all the information in the email is protected by the Privacy Rule – even information unrelated to an individual’s health.
If PHI is removed from the email and stored elsewhere, there needs to be an audit trail in place to account for the movement and to ensure PHI is not compromised. For this reason, many covered entities and business associates take advantage of email archiving services that save an immutable copy of each email as it passes through the email server.
Further Information about HIPAA Compliant Email
Because different organizations operate in different ways, experience different types of risks, and have different risk management strategies, there is no one-size-fits-all approach to HIPAA compliant email. If you are responsible for HIPAA email compliance, and you would like further information about HIPAA compliant email, you should seek individual advice from a compliance professional.