Many healthcare organizations are unsure whether the Hotmail email service is HIPAA compliant and whether sending protected health information (PHI) through it counts as a HIPAA compliant method of communication.
Hotmail launched as a free webmail service in 1996 and was acquired by Microsoft the following year. Microsoft has since replaced it with Outlook.com, although existing @hotmail.com addresses continue to work on the Outlook.com platform.
Email and Encryption under HIPAA
There is a common misconception that email is inherently HIPAA compliant. No email service is compliant on its own. For an email service to be used in a HIPAA compliant manner, it must enforce controls that stop unauthorized individuals from gaining access to accounts, and any PHI sent through the service must be protected against interception and tampering. The Security Rule requires access controls, integrity controls, and transmission security controls – see 45 CFR § 164.312(a), 45 CFR § 164.312(c)(1), and 45 CFR § 164.312(e)(1).
All email accounts are protected by a password, but a password alone is a weak access control (it does not, for example, guarantee multi-factor authentication, audit logging, or automatic logoff), and not all email services protect messages once they leave the account. If messages are not encrypted in transit, they can be intercepted and read by unauthorized individuals at any hop between the sender and the recipient.
Encryption in transit is an addressable implementation specification under the Security Rule (45 CFR § 164.312(e)(2)(ii)): a covered entity must implement it where reasonable and appropriate, or document why it is not and what equivalent safeguard it uses instead. In practice, email containing PHI that leaves the organization's network should be encrypted in transit. Messages that stay within the organization on a secured internal email server behind the firewall are generally treated as lower risk, but that judgement should be recorded in the organization's risk analysis rather than assumed.
As Hotmail is a hosted webmail service, its servers sit outside the organization's firewall, so the service itself would need to protect messages against interception. Hotmail does use HTTPS, so traffic between the browser and the Hotmail site is encrypted. That only covers the first hop, however: when a message is delivered to another provider it travels over SMTP, where transport encryption (STARTTLS) is negotiated opportunistically and depends on the receiving mail server also supporting it. Neither the sender nor Hotmail can guarantee that every hop to the recipient is encrypted.
However, while Microsoft states that it does not scan the content of Outlook.com messages to sell that data to third parties such as advertisers, Microsoft still has the technical ability to access messages stored on its servers. A provider that stores or transmits PHI on behalf of a covered entity is a business associate, so before an email service such as Hotmail could be used for PHI, the covered entity would first need to enter into a HIPAA compliant business associate agreement (BAA) with the email service provider.
Microsoft does offer business associate agreements for Office 365 (now Microsoft 365), but that agreement does not cover Hotmail or Outlook.com accounts, which are free consumer email services. Microsoft does not offer a business associate agreement for any of its free consumer services.
Therefore, the answer to the question "Is Hotmail HIPAA compliant?" is no. Without a signed business associate agreement in place, Hotmail accounts should not be used to send or store PHI. The same applies to Gmail accounts and most other free consumer email services; as with Microsoft, Google offers a BAA only for its paid business service, not for consumer Gmail.
If your own email system is secure and HIPAA compliant, can you send PHI to patients who use a Hotmail account?
HIPAA does allow healthcare organizations to share PHI with patients by email, regardless of which email provider the patient uses. However, PHI must not be emailed to a patient without first obtaining the patient's consent. When obtaining consent, you should advise the patient that email is not a secure channel and that the information could be intercepted and viewed by individuals who are not authorized to see it.
If a patient has been advised of the risks and confirms that they accept them, PHI can be sent by email, even to a Hotmail or Outlook.com address. Covered entities should document that consent was obtained and that the patient opted in to receive information by email, including how the patient's identity was verified and that the address on file was confirmed as belonging to the patient, since a message sent to a mistyped or stale address is itself a potential breach.