Do You Need HIPAA-Compliant Email?

Whether you need HIPAA-compliant email depends on your “HIPAA status”, the nature of your organization’s activities, and the availability of alternative communication channels that may be more appropriate for creating, sending, receiving, and storing Protected Health Information (PHI) in compliance with HIPAA.

Organizations in healthcare, health insurance, and associated industries are often told (usually by software vendors) that they need HIPAA-compliant email in order to communicate Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA). This is not necessarily the case.

Not all organizations in healthcare, health insurance, and associated industries qualify as HIPAA covered entities or business associates; and even if they do, there are many scenarios in which the answer to “do you need HIPAA-compliant email?” is “No”. In addition, in some cases it is permitted to send and receive PHI via non-compliant email services.

HIPAA Statuses Explained

HIPAA statuses are complicated. If your organization is a healthcare provider, it qualifies as a HIPAA covered entity only if it conducts or subcontracts electronic healthcare transactions for which the Department of Health and Human Services (HHS) has adopted standards in Part 162 of the HIPAA Administrative Simplification Regulations.

If your organization does not conduct HIPAA-covered healthcare transactions, or does not conduct them electronically, the organization does not qualify as a HIPAA covered entity – unless it provides services as a business associate for or on behalf of another healthcare organization that does qualify as a HIPAA covered entity.

In the latter case, HIPAA applies to transactions between your organization and the HIPAA covered entity governed by a Business Associate Agreement. Other transactions do not have to comply with the HIPAA Privacy and Security Rules – unless you want them to. The same applies to healthcare organizations that qualify as hybrid entities or partial entities.

As for whether you need HIPAA-compliant email if your organization operates in the health insurance industry: only organizations that offer health insurance as a primary benefit qualify as HIPAA covered entities. Insurance companies that offer health insurance as a secondary benefit (e.g., bundled with auto insurance) do not need HIPAA-compliant email.

Why Your Organization’s Activities Matter

HIPAA covered entities are not always standalone operations. Many are part of multi-unit healthcare systems (affiliated entities), Organized Health Care Arrangements (OHCAs), or Health Maintenance Organizations (HMOs). In these circumstances, whether you need HIPAA-compliant email can depend on the nature of the organization’s activities.

For example, if you only communicate PHI via email with other units of a healthcare system, and emails are sent and received via an internal mail network that is protected by a firewall, it is not necessary to have an additional HIPAA-compliant email service. The same applies if your organization is a standalone operation and sends emails containing PHI internally, but uses alternative communication channels to send and receive PHI outside the network.

What Alternative Communication Channels Exist?

Email is not the only way to communicate PHI. Most HIPAA covered entities conduct electronic healthcare transactions via secure portals rather than by email, while many use HIPAA-compliant text messaging, video, and voice platforms to communicate PHI internally and with patients – only using email for communications in which PHI is not disclosed.

Although messaging, video, and voice platforms are not as convenient as email, they tend to be more secure and reduce the likelihood of “misdeliveries” (which account for approximately 8% of data breaches notified to HHS’ Office for Civil Rights). Some platforms also integrate with practice management systems and EHRs to streamline healthcare communications. Indeed, the majority of provider-to-provider communications are conducted via EHRs.

When You Do Not Need HIPAA-Compliant Email

In some cases it is permitted to send and receive PHI via non-compliant email services. These cases include when a patient authorizes a disclosure of PHI via a non-compliant email service, when a patient initiates contact via a non-compliant email service, and when a patient requests confidential communications via email and the organization does not use HIPAA-compliant email because it has implemented an alternative communications channel.

When these circumstances occur, HHS guidance says organizations can assume that email communications via a non-compliant email service are acceptable to the patient. However, the guidance also advises organizations to alert patients to the risks of using a non-compliant email service – especially if they have concerns about potential liability – and to let the patient decide whether to continue email communications.

If the patient indicates that they want to continue receiving email communications, it is advisable for HIPAA covered entities and business associates to document both the warning given to the patient and the patient’s confirmation that they want to continue receiving email communications. In such circumstances the organization does not need HIPAA-compliant email, but it is recommended that safeguards be implemented to minimize the risk of an unauthorized disclosure or data breach.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]