HIPAA-covered entities must make sure that protected health information (PHI) shared via email is secured so that unauthorized individuals cannot intercept messages. Many opt to use HIPAA compliant email providers to ensure appropriate security measures are in place to protect the confidentiality, integrity, and availability of PHI.
There are a large number of HIPAA compliant email providers to choose from that can supply end-to-end encryption for messages. Some solutions require software to be hosted on your own infrastructure; others take care of all aspects of the service. Switching email provider does not necessarily mean you have to change your email addresses. Many services allow you to keep your current addresses and send messages as you usually would from your desktop.
All HIPAA compliant email providers must make sure their solution incorporates all of the security measures required under the HIPAA Security Rule. The solution must have access controls (164.312(a)(1)), audit controls (164.312(b)), integrity controls (164.312(c)(1)) and person or entity authentication (164.312(d)), and PHI must be secured in transit (164.312(e)(1)).
Once an email service provider incorporates all of those controls, the service can be considered HIPAA-compliant. However, the email service provider must also enter into a contract with the HIPAA-covered entity in the form of a business associate agreement. Only then can the email service be implemented.
HIPAA-covered entities should remember that HIPAA-compliant email is not solely the responsibility of the service provider. The service provider must only ensure that proper safeguards are incorporated. It is the responsibility of the covered entity to make sure the solution is configured correctly, that staff are trained in the proper use of email, and that staff are made aware of the allowable uses and disclosures of PHI.
An email service alone will not ensure compliance with all HIPAA requirements for email. Staff should also receive security awareness training and be made familiar with the threats that can land in their inboxes. Technologies should also be implemented to reduce the risk of email-based attacks such as phishing. Some email service providers, but not all, scan inbound messages and block spam, malware and phishing emails.
Is Encryption for Email Required under HIPAA?
While HIPAA compliant email providers encrypt all emails in transit, encryption is not strictly required under HIPAA. The HIPAA Security Rule only requires covered entities to assess the need for encryption. A HIPAA-covered entity does not need to encrypt emails if a different, equivalent control is used in its place.
One such measure is the use of a secure email server located behind a firewall. In such cases, once a risk assessment has been conducted and the reasons for not encrypting emails have been documented, encryption would not be necessary for internal emails. Encryption would also not be required when sending emails to patients who have authorized the covered entity to communicate with them by email.
However, since most healthcare organizations must submit payment claims via email, contact other healthcare organizations and refer patients, it is necessary to send emails beyond the protection of the firewall. In such cases, encryption is required.
There are considerable risks involved in sending sensitive information via email. Email is not inherently a secure way of sending data. A message is composed on one machine, handed to an outbound email server, traverses the Internet, arrives at the recipient's email server, and is then delivered to the recipient's device. Copies of the message can therefore exist on at least four separate machines, and messages can be intercepted in transit relatively easily.
The Department of Health and Human Services has already issued fines to covered entities that implemented email services that were not HIPAA compliant. Phoenix Cardiac Surgery paid a $100,000 penalty for using an insecure Internet-based email service.
HIPAA Compliant Email Providers
Our list of HIPAA compliant email providers has been put together to save you time in your search for a suitable email service provider. The list is not exhaustive. There are many other service providers that offer email services for healthcare organizations and meet the requirements of HIPAA. However, the list below is a good place to begin.
All of these providers offer a HIPAA-compliant email service and are willing to sign a business associate agreement.