How Do I Know That My Email is HIPAA Compliant?

To answer the question "how do I know that my email is HIPAA compliant?", it is necessary to look beyond the security capabilities of your email service and ensure the reasons you are sending emails containing Protected Health Information comply with the HIPAA Privacy Rule. Having an email service that supports HIPAA compliance does not mean your email is HIPAA compliant.

If your organization qualifies as a HIPAA covered entity or business associate, subscribing to an email service that encrypts data at rest and in transit, has capabilities such as access controls and audit logs, and that is backed up by a Business Associate Agreement demonstrates a good faith effort to protect the confidentiality, integrity, and availability of electronic Protected Health Information (PHI), but it does not make your email HIPAA compliant.

In order for email to be HIPAA compliant, PHI contained in emails has to be created, received, stored, or transmitted for a reason required or permitted by the HIPAA Privacy Rule. In addition, it may be necessary for disclosures of PHI in emails to be limited to the minimum necessary to achieve the purpose of the disclosure, covered by consent, authorization, or attestation, or restricted in content due to an individual exercising their HIPAA rights.

Therefore, your email service could tick all the boxes for HIPAA compliance, but your email might not be HIPAA compliant if you use the service to email PHI for impermissible purposes or to unauthorized recipients, if you email more than the minimum necessary PHI, or if you send any email containing PHI without valid consent, authorization, or attestation, or in violation of an agreed upon restriction or confidentiality agreement.

How Do I Know That My Email is HIPAA Compliant for Privacy?

All HIPAA covered entities – and business associates “where provided” – are required by the Administrative Requirements of the HIPAA Privacy Rule (§164.530(i)) to “implement policies and procedures with respect to Protected Health Information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart [the HIPAA Privacy Rule] and subpart D of this part [the HIPAA Breach Notification Rule].”

The policies and procedures must be designed to “protect against any reasonably anticipated uses or disclosures of such information that are not permitted by the HIPAA Privacy Rule” regardless of whether uses and disclosure of PHI are verbal, written, or electronic. Members of the workforce must receive HIPAA training on any policies and procedures that are applicable to their functions, and be sanctioned for any violation of the policies and procedures.

In the context of whether your email is HIPAA compliant for privacy, this means reviewing existing email policies and procedures, conducting a risk assessment to identify reasonably anticipated uses or disclosures of PHI that are not permitted by the HIPAA Privacy Rule, and – if material changes are required to existing email policies or procedures to make sure your email is HIPAA compliant for privacy – retraining affected members of the workforce.

The review of existing policies and procedures aligns with new security proposals published last December which – among other measures – require all HIPAA regulated entities to develop a network map that illustrates the movement of electronic PHI through electronic information systems. The network map will help HIPAA covered entities better understand how PHI is used and disclosed in emails to assess whether their email is HIPAA compliant for privacy.

Other Proposed Changes to the HIPAA Security Rule

With regard to whether your email is HIPAA compliant for security, the answer depends on whether the organization hosts its email service on-premises or subscribes to a third party’s email service. In the former case, the organization should compare the safeguards already in place to protect the confidentiality, integrity, and availability of electronic PHI against a HIPAA compliance checklist and adjust as necessary.

If an organization subscribes to a third party’s email service, service providers will not enter into a Business Associate Agreement unless the organization subscribes to a plan that supports HIPAA compliance. Thereafter, it is the organization’s responsibility to configure the controls, provide workforce training, and monitor workforce compliance to ensure the email service is used in compliance with HIPAA. However, these procedures may soon change.

Last December’s Notice of Proposed Rulemaking contains further proposals that will affect how you determine whether an email is HIPAA compliant. Relevant proposed changes include (but are not limited to):

  • Removing the distinction between required and addressable implementation specifications. For example, the capability to monitor logins to email accounts will become mandatory.
  • The definition of a workstation will be expanded to include any device (including personal smartphones, smart watches, etc.) with access to electronic PHI.
  • The encryption of electronic PHI at rest and in transit will be mandatory – including when PHI is sent or received in an email via a personal device.
  • Multi-factor authentication will become mandatory (with limited exceptions) for email accounts with access to electronic PHI – including accounts accessible from personal devices.
  • All “extraneous software” must be removed from electronic information systems which must now be protected by anti-malware software.
  • Vulnerability scans will be required every six months and penetration testing required at least once every twelve months (subject to the proposals being finalized).
  • New workforce training requirements will be introduced to align HIPAA security awareness training with HHS’ Cybersecurity Performance Goals for Email Security.

HIPAA regulated entities that subscribe to an email service that supports HIPAA compliance will find that the responsibility for complying with many of the proposed security measures is likely shared between the organization and the email service provider (except for the “extraneous software” and new workforce training requirements). However, it will still be necessary to know your email is HIPAA compliant for privacy – and when exceptions apply.

Exceptions to the HIPAA Security Requirements for Email

The changes to the HIPAA security requirements for email will not impact the HIPAA Privacy Rule, and several exceptions exist in the HIPAA Privacy Rule for when the HIPAA security requirements for email do not apply. However, these exceptions only apply when an organization does not use an email service that is HIPAA compliant because (for example) it uses other communication channels to send and receive electronic PHI.

The circumstances in which a HIPAA covered entity can use a “non-compliant” email service to send or receive electronic PHI include when an individual requests a copy of their PHI via email, when an individual requests PHI is transferred to a different healthcare provider by email, and when an individual requests confidential communications via email. In all three cases, the individual should be warned of the risks of unsecured email and the warning documented.

One further issue organizations should be aware of before signing off their emails as HIPAA compliant is the right of individuals to request privacy protections (§164.522(a)). This right permits an individual to restrict what PHI is disclosed about them and to whom. It affects all types of disclosures (verbal, written, or electronic), and HIPAA covered entities must have processes in place to record, manage, and terminate individuals’ requests for privacy protections.

HIPAA covered entities and business associates with questions about whether their email is HIPAA compliant should speak with an independent compliance professional. Workforce members unsure about the privacy requirements for HIPAA compliant email – and when exceptions apply – should speak with their HIPAA Privacy Officer, while HIPAA Security Officers should stay up to date with the proposed changes to the HIPAA Security Rule.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]