The term HIPAA compliant email refers to an email system with the necessary safeguards to protect the confidentiality, integrity, and availability of PHI, that is configured to support HIPAA compliance, and that is used in compliance with an organization’s HIPAA email policy. Because of the variables in each stage of implementing and using a HIPAA compliant email system, there are no one-size-fits-all HIPAA email rules.
Neither the text of HIPAA nor the HIPAA Administrative Simplification Regulations define what is necessary for HIPAA compliant email. This is not due to the Security Rule being “technology neutral”, but rather due to the fact that email can be used for multiple purposes that do not involve the creation, receipt, storage, or transmission of Protected Health Information (PHI). In cases in which PHI is not created, received, stored, or transmitted, the HIPAA Rules do not apply.
A further reason why there are no one-size-fits-all HIPAA email rules is because some covered entities operate an in-house email system, while other covered entities outsource email services to third-party providers such as Microsoft, Google, and Paubox. In cases in which email services are outsourced, the service provider becomes a business associate of the covered entity and assumes responsibility for some HIPAA compliance requirements.
It is also the case that the Security Rule allows a “flexibility of approach”. The flexibility of approach allows covered entities and business associates to implement any security measures that enable them to “reasonably and appropriately implement the standards and implementation specification [of the Security Rule]”. However, complying with the standards of the Security Rule alone is not sufficient to guarantee HIPAA compliant email.
The Safeguards for HIPAA Compliant Email
The safeguards for HIPAA compliant email begin with the requirement for covered entities and business associates to implement a security management process (§164.308(a)(1)) which includes (among other specifications) an assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of PHI – including reasonably foreseeable risks and vulnerabilities that could be attributable to human error or malicious insiders.
If a risk assessment identifies that members of the workforce may be susceptible to phishing emails or could wrongfully and knowingly disclose PHI for personal gain (contrary to §1177 of the Social Security Act), measures must be put in place to mitigate the likelihood of such threats. These measures could include AI-powered, anti-phishing email filters and Data Loss Prevention tools, or the threats could be mitigated with additional HIPAA training.
The measures to mitigate the impact of threats identified in a risk assessment are a further reason why each covered entity and business associate has to create its own HIPAA compliant email system. These measures – once identified – have to be implemented along with the other measures required in the remaining Administrative Safeguards, the Physical Safeguards (where responsibility is not assumed by a business associate), and the Technical Safeguards.
The Configuration of Email Systems Matters
How email systems are configured matters because allowing too few permissions can affect workforce members’ access to PHI and the efficiency of services connected to the email system. For example, restricting how files received in Outlook inboxes can be shared via the OneDrive service could affect the delivery of healthcare if one member of the workforce had to contact another member of the workforce before being able to access an x-ray image.
In addition to considering who PHI is shared with among authorized members of the workforce, it is also important to consider how it is shared. Encryption is the generally accepted method of protecting PHI at rest and in transit, and most HIPAA compliant email services will encrypt PHI at rest to AES-128 standard or higher. With regards to encrypting PHI in transit, the most common options are TLS and S/MIME, but there are cases in which neither is ideal.
Both TLS encryption (which encrypts the connection between the sending and receiving mail servers) and S/MIME encryption (which encrypts the content of each email) only work if the recipient’s side supports the same mechanism. If the receiving mail server does not support TLS, or the recipient’s mail client cannot decrypt S/MIME content, the email will be delivered unencrypted or returned to the sender, depending on how the sending system is configured. For this reason, some covered entities add an extra level of proprietary encryption that enables recipients to view encrypted emails via a secure web portal.
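The fallback described above (TLS not offered by the receiving server, so the message is either sent in the clear or returned) is decided by the sending system’s transport policy. The following is an added example, not code from the article or from any provider it names: it parses a receiving server’s EHLO reply, applies one of three sender-side policies, and shows how a mandatory-TLS send maps onto Python’s standard smtplib client. The host names and EHLO replies are constructed; the policy names `may` and `encrypt` borrow Postfix’s `smtp_tls_security_level` vocabulary, and the `portal` policy stands in for the secure-web-portal approach the article mentions. Only the TLS side is covered, not S/MIME.

```python
# Added example: decision logic for the "receiving server does not support TLS"
# case. Host names and EHLO replies below are constructed sample data.
import re
import smtplib
import ssl
from email.message import EmailMessage
from enum import Enum


class Policy(Enum):
    """Sender-side transport policy (may/encrypt mirror Postfix's smtp_tls_security_level)."""
    OPPORTUNISTIC = "may"      # TLS if offered, otherwise plaintext: the PHI exposure
    MANDATORY = "encrypt"      # TLS or the message does not leave the organisation
    PORTAL = "portal"          # TLS, otherwise send only a secure-portal notification


class Outcome(Enum):
    SEND_TLS = "send over STARTTLS"
    SEND_PLAINTEXT = "send in the clear"
    BOUNCE = "refuse delivery and return to sender"
    SEND_PORTAL_NOTICE = "send portal notification only; PHI stays on the portal"


def parse_ehlo(reply: str) -> set:
    """Return the SMTP extensions advertised in a multi-line 250 EHLO reply.

    The first line carries the server's domain and greeting, not an extension;
    every following line starts with a keyword such as STARTTLS or SIZE.
    """
    extensions = set()
    for index, line in enumerate(reply.strip().splitlines()):
        match = re.match(r"^250[ -](.*)$", line)
        if match is None:
            raise ValueError(f"not a 250 reply line: {line!r}")
        if index == 0:
            continue
        words = match.group(1).split()
        if words:
            extensions.add(words[0].upper())
    return extensions


def decide(extensions: set, policy: Policy) -> Outcome:
    """Apply the sender's policy to what the receiving server offers."""
    if "STARTTLS" in extensions:
        return Outcome.SEND_TLS
    if policy is Policy.OPPORTUNISTIC:
        return Outcome.SEND_PLAINTEXT
    if policy is Policy.PORTAL:
        return Outcome.SEND_PORTAL_NOTICE
    return Outcome.BOUNCE


def send_with_mandatory_tls(host: str, message: EmailMessage, port: int = 25) -> None:
    """Deliver via smtplib, refusing to continue if STARTTLS is not offered.

    Not called in this file (it needs a live server); shown so the decision
    above maps onto the standard-library client. Certificate and host-name
    verification come from the default SSL context; the TLS 1.2 floor is set
    explicitly.
    """
    context = ssl.create_default_context()
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host} does not offer STARTTLS; message not sent")
        smtp.starttls(context=context)
        smtp.ehlo()  # capabilities must be re-read after the TLS handshake
        smtp.send_message(message)


# Constructed EHLO replies standing in for two receiving servers.
EHLO_WITH_TLS = """250-mail.partner.example Hello sender.example [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-STARTTLS
250 ENHANCEDSTATUSCODES"""

EHLO_NO_TLS = """250-legacy-mx.example Hello sender.example [192.0.2.10]
250-SIZE 10485760
250 8BITMIME"""

if __name__ == "__main__":
    for name, reply in (("partner", EHLO_WITH_TLS), ("legacy", EHLO_NO_TLS)):
        offered = parse_ehlo(reply)
        for policy in Policy:
            print(f"{name:8} {policy.value:8} -> {decide(offered, policy).value}")
```

Running the script prints one line per server and policy; the `legacy` server under the `may` policy is the combination that lands PHI on the wire unencrypted, which is why a risk assessment usually pushes a covered entity towards `encrypt` for known partners and a portal fallback for everyone else.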
Using Email in Compliance with HIPAA
One of the most challenging aspects of HIPAA compliant email is using email in compliance with HIPAA. This is because using email in compliance with HIPAA requires an understanding of what PHI is, when it can be disclosed permissibly, and when the minimum necessary standard applies. There is also the issue for some covered entities of state laws that have more stringent privacy protections than HIPAA – or have more rights for individuals – and that preempt HIPAA.
Covered entities may also have to be aware of patients who have consented to receive confidential communications by email, patients who have requested not to be contacted by email, and patients who have authorized disclosures by email that are not usually permitted by the Privacy Rule. When using a third-party email service, these variables must also be communicated to the service provider under the terms of the Business Associate Agreement.
In conclusion, implementing and using a HIPAA compliant email system consists of more than complying with the applicable Administrative, Physical, and Technical Safeguards of the Security Rule. It also involves implementing measures to mitigate reasonably foreseeable threats identified in a risk assessment, finding the right balance when configuring the system to ensure it supports HIPAA compliance, and using the system in compliance with HIPAA.