HIPAA-covered entities must ensure that protected health information (PHI) sent by email is secured so that unauthorized individuals cannot intercept messages. Many choose a HIPAA compliant email provider so that appropriate controls are in place to protect the confidentiality, integrity, and availability of PHI.
There are many HIPAA compliant email providers to choose from that offer end-to-end encryption for messages. Some solutions require software to be hosted on your own servers; others are fully managed. Changing email provider does not always mean changing your email addresses: many services let you keep your existing addresses and send messages as you normally would from your desktop client.
All HIPAA compliant email providers must ensure their solution includes the security measures required by the HIPAA Security Rule. The solution needs to provide access controls (164.312(a)(1)), audit controls (164.312(b)), integrity controls (164.312(c)(1)), and person or entity authentication (164.312(d)), and PHI must be protected in transit (164.312(e)(1)).
If an email service provider implements all of those controls, the service can be considered HIPAA-compliant. However, the email service provider must also enter into a contract with the HIPAA-covered entity in the form of a business associate agreement. Only then can the email service be used for PHI.
HIPAA-covered entities should remember that HIPAA-compliant email is not solely the responsibility of the service provider. The provider must only ensure that appropriate security measures are built in. It is the responsibility of the covered entity to ensure the solution is configured properly, that staff are trained in the use of email, and that staff are made aware of the permitted uses and disclosures of PHI.
An email service alone will not meet all HIPAA requirements for email. Staff should also receive security awareness training and be made aware of the threats that can arrive in their inboxes. Technologies should also be adopted to reduce the risk of email-based attacks such as phishing. Some email service providers, but not all, monitor inbound messages and block spam, malware, and phishing emails.
Is Encryption for Email Obligatory?
While HIPAA compliant email providers encrypt all emails in transit, encryption is not mandatory. The HIPAA Security Rule only states that organizations must assess the need for encryption. A HIPAA-covered entity does not need to encrypt emails if an alternative, equivalent control is used in its place.
One such control is a secure email server placed behind a firewall. In that case, provided a risk assessment has been conducted and the reasons for not encrypting emails have been documented, encryption would not be required for internal emails. Encryption would also not be needed when sending emails to patients who have authorized a covered entity to communicate with them by email.
However, since most healthcare organizations need to submit payment claims by email, contact other healthcare organizations, and refer patients, it is necessary to send emails beyond the protection of the firewall. In those cases, encryption is necessary.
There are serious risks in sending sensitive information by email, which is not a secure way of sharing data. An email is composed on one machine, sent through an outbound mail server, traverses the Internet, arrives at the recipient's mail server, and is then delivered to the recipient's device. Copies of a message can therefore reside on at least four different machines, and messages can easily be intercepted in transit.
The Department of Health and Human Services (HHS) has already issued financial penalties to covered entities that used email services that were not HIPAA compliant. Phoenix Cardiac Surgery paid a $100,000 penalty for implementing insecure Internet-based email.