Whether you need to ensure your email complies with HIPAA will depend on how you are going to use email with ePHI. If you will only ever send emails inside the organization, it may not be required to make your email HIPAA compliant.
If your email network is placed behind a firewall, it is not required to encrypt your emails. Encryption is only obligatory when your emails are shared beyond your firewall. However, access controls to email accounts are required, as it is crucial to ensure that only authorized individuals can access email accounts that include PHI.
If you want to use email to share ePHI externally – outside the protection of your firewall – you will need to make your email HIPAA-compliant.
There are a number of email service providers that offer an encrypted email service, but not all are HIPAA compliant and include all of the necessary safeguards to meet the requirements of the HIPAA Privacy and Security Rules. To make your email HIPAA compliant there are several things to review:
1. Make sure you have end-to-end encryption for email
Email is a quick and simple way to communicate electronically, but it is not necessarily secure. Even services that encrypt messages on the move may not have the required level of security to make them HIPAA compliant. To make your email HIPAA compliant you should make sure you have end-to-end encryption, which encrypts both messages on the move and stored messages. Access controls are used to make sure only the intended recipient and the sender can view the messages.
Some email service suppliers require individual emails to be encrypted by clicking a button or using a portal. Since it is easy to forget to switch on encryption and accidentally send an unencrypted email, it is a better option to encrypt all emails, not only those that contain ePHI. This will bring down the potential for human error.
The type of encryption used is also significant. While previously Data Encryption Standard (DES) was considered safe, that is no longer the case. You should speak with NIST for advice on suitable encryption standards. Currently AES 128, 192, or 256-bit encryption is advisable.
For many HIPAA-covered groups, especially smaller healthcare suppliers that do not have in-house IT staff to ensure their email is HIPAA-compliant, the use of a third-party HIPAA compliant email service provider is strongly advised.
2. Complete a HIPAA-compliant business associate agreement with your email supplier
If you use a third-party email supplier, you should obtain a business associate agreement before using the service for sending ePHI. The business associate agreement outlines the responsibilities of the service provider and establishes that administrative, physical, and technical security measures will be used to ensure the confidentiality, integrity and availability of ePHI.
If an email service supplier is not prepared to enter into a business associate agreement, you should look somewhere else. There are many email service providers who are prepared to sign a BAA to allow them to work with HIPAA-covered entities and their business associates.
3. Make sure your email is configured properly
Even when a BAA is completed, there are still risks associated with email and it is possible to fail to set up the email service properly and breach HIPAA Rules. Simply using an email service that is covered by a BAA does not mean your email is HIPAA compliant.
Google’s G Suite comes with email and is covered by its business associate agreement. Though G Suite, email can be made HIPAA compliant supplied the service is used alongside a business domain. Even if you want to implement G Suite, care must be taken setting up the service to ensure end-to-end encryption is in place.
Note that G Suite is not identical as Gmail. Gmail is not designed for business use and cannot be made HIPAA compliant. Google does not complete a BAA for its free services, only for its paid services.
4. Develop policies on the use of email and train your employees
Once you have put in place your HIPAA compliant email service it is important to show staff how to properly use email with respect to ePHI. There have been a number of data breaches that have occurred as a result of mistakes made by healthcare staff – The accidental sharing of ePHI via unencrypted email and the sharing of ePHI to individuals unauthorized to view the data. It is crucial to ensure that all staff are aware of their responsibilities under HIPAA and are shown how to use the email platform.
5. Make Ensure all emails are retained
HIPAA Rules on email retention are a little confusing as email retention is not specifically referred to in HIPAA legislation. Since people can demand information on sharing protected health information, and email communications may have to be handed over when legal action is taken against a healthcare group, covered entities should keep an email archive or at least ensure emails are backed up and stored. State legislation may also require emails to be stored for a fixed duration of time. You should therefore look over the laws relating to email in the states in which your organization works. If in doubt, seek legal counsel.
The retention period for security related emails and emails relating to changes in privacy policies is six years and HIPAA requires covered entities to keep documentation related to their compliance efforts for a period of six years.
Even for small to medium-sized healthcare groups, saving 6 years of emails, including attachments, requires massive storage space. Consider using a secure, encrypted email archiving service instead of email backups. Not only will this free up storage space, since an email archive is indexed, searching for emails in an archive is a quick and simple process. If emails need to be handed over for legal discovery or for a compliance audit, they can be quickly and easily rescued.
As with an email service supplier, any provider of an email archiving service will also be subject to HIPAA Rules as they will be classified as a business associate. A BAA would need to be completed with that service provider and reasonable assurances obtained that they will comply with HIPAA Rules.
6. Receive consent from patients before communicating with them through email
HIPAA-covered entities should note that while it may be easy to send emails containing ePHI to patients, consent to use email as a communication medium must be obtained from the patient in writing before any ePHI is sent using email, even if a HIPAA compliant email provider is implemented. Patients must be advised that there are dangers to the confidentiality of information sent via email. If they are ready to accept the risks, emails including ePHI can be sent without breaching HIPAA Rules.
7. Seek legal counsel on HIPAA compliance and email
If you are not sure of the requirements of HIPAA with respect to email, it is strongly advised that you speak with a healthcare lawyer that specializes in HIPAA to advise you of your responsibilities and the requirements of HIPAA in relation to email.