What Makes an Email Service HIPAA Compliant?
Healthcare organizations can use email to send messages internally. If the email system is protected by a firewall, there’s no need to encrypt messages. But if messages with protected health information will be sent externally beyond the firewall, it is necessary to make sure that only authorized persons will see the messages. The email service provider must be HIPAA-compliant.

What are the requirements of a HIPAA compliant email? There are several things to consider:

1. End-to-end encryption for email is a must.

Communicating by email is not inherently secure. To make it HIPAA compliant, the service must encrypt messages both in transit and in storage. This is called end-to-end encryption. There must also be access controls to ensure that only the intended recipient can read the messages.

Take note that some email services do not turn on message encryption automatically. If users forget to enable this feature, they can send unencrypted emails containing PHI by mistake. It is best to simply turn on the encryption setting for all outgoing messages so that this class of mistake cannot happen.

2. Sign a business associate agreement with the email provider.

When using a third-party email provider, a business associate agreement (BAA) must be signed before any messages containing ePHI are sent. The BAA stipulates the responsibilities of the email service provider. It also reinforces the requirement to provide physical, technical and administrative safeguards that protect the confidentiality, availability and integrity of ePHI.

3. Configure the email settings correctly.

Many healthcare organizations violate the HIPAA Rules as a result of misconfiguring their email services. It is therefore important to review the email settings and confirm that message encryption actually works, rather than assuming it does.
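As an added illustration of what "turn encryption on for all outgoing messages" and "confirm that message encryption works" mean in practice, here is a Postfix main.cf fragment showing the opportunistic setting many installations default to beside the enforced form. This is example configuration written for this article, not from any vendor named here; it assumes the organization runs Postfix as its outbound relay, and the file paths and partner domain are placeholders.

```ini
# --- WEAK: opportunistic TLS (a common default) ---
# "may" offers STARTTLS but silently falls back to plaintext when the
# receiving server does not support it, so a message with ePHI can leave
# unencrypted and nothing in the configuration will stop it.
smtp_tls_security_level = may

# --- ENFORCED: every outbound message must be encrypted ---
# "encrypt" refuses plaintext delivery. Mail to a destination that cannot
# negotiate TLS is deferred and stays in the queue (visible to the
# administrator) instead of being sent in the clear.
smtp_tls_security_level = encrypt

# Do not accept obsolete protocol versions or weak ciphers when TLS is
# mandatory (this is the pre-3.6 list syntax, accepted by all versions).
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_ciphers = high

# Trusted CA bundle used for certificate verification (placeholder path).
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Log the negotiated protocol and cipher for each delivery, so "encryption
# works" can be checked in the mail log (lines ending in
# "TLS connection established to <host>") rather than assumed.
smtp_tls_loglevel = 1

# Per-destination overrides: for known partners (e.g. a hospital or lab you
# exchange ePHI with) raise the level to "secure", which also verifies the
# server certificate and so resists an active interception attempt.
# Contents of /etc/postfix/tls_policy (placeholder domain), then run
# "postmap /etc/postfix/tls_policy":
#   partner-hospital.example   secure
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
```

After reloading Postfix, `postconf -n smtp_tls_security_level` confirms the effective value, and a deferred message in `mailq` with a TLS-related reason is the expected outcome for a destination that cannot encrypt, not a fault to work around by lowering the level.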

4. Train employees on the use of email services.

Data breaches have happened because employees made mistakes when using email services. Some accidentally sent unencrypted messages containing ePHI. Others sent messages with PHI to the wrong recipients. Employees must therefore receive adequate training to avoid such mistakes.

5. Follow the retention policy of HIPAA.

The HIPAA Rule requires covered entities and business associates to retain email communications containing ePHI. The typical retention period is 6 years for emails and their attachments. It is advisable to use an encrypted email archiving service rather than relying on email backups.

6. Ask patients' permission first before communicating by email.

Even if an entity is using a HIPAA compliant email provider, it is not acceptable to send any ePHI by email without first obtaining the patient's consent. Before patients consent or decline, they should be informed that sending ePHI by email carries risks.

7. Ask a healthcare lawyer for any question or clarification on HIPAA compliance.

If you have questions about HIPAA requirements with respect to using email, do not hesitate to ask a healthcare attorney.