In order to send a HIPAA compliant email, it is necessary for the purpose of the email to be required or permitted by the HIPAA Privacy Rule, for the content of the email to comply with any restrictions that apply, and for the email to be sent via an email service configured to support HIPAA compliance – unless an exception exists.
If the organization you work for qualifies as a HIPAA covered entity, and you send an email containing Protected Health Information (PHI), the email must be HIPAA compliant. However, sending a HIPAA compliant email consists of more than subscribing to a HIPAA compliant email service, configuring the service to comply with applicable safeguards of the HIPAA Security Rule, and entering into a Business Associate Agreement with the service provider.
When you send a HIPAA compliant email, the reason for disclosing PHI via email must also be required or permitted by the HIPAA Privacy Rule, and the content of the email must comply with the minimum necessary standard (when applicable) and take into account any privacy restrictions requested by the subject of the email. It is also important to be aware that – in some circumstances – you can send a HIPAA compliant email via a non-compliant email service.
The Privacy Requirements for HIPAA Compliant Email
The privacy requirements for HIPAA compliant email are that disclosures of PHI are required when they are requested by the subject of the PHI or by HHS’ Office for Civil Rights. Disclosures of PHI are permitted when they are for treatment, payment, and health care operations, or when an authorization or opportunity to agree or object is not required (§164.512). Some disclosures permitted by §164.512 may be required under state laws (e.g., when reporting child abuse).
Other than when disclosures of PHI are required or permitted for treatment, the minimum necessary standard applies when you send a HIPAA compliant email. Other restrictions apply if the subject of the PHI has requested privacy protections under §164.522(a) of the HIPAA Privacy Rule, or if a disclosure of PHI requires the consent of the subject or an authorization. Some disclosures may also require an attestation that PHI disclosed in an email will not be further disclosed.
Security When You Send a HIPAA Compliant Email
The security requirements when you send a HIPAA compliant email vary depending on whether the email service is hosted on premises, or whether it is subcontracted to a third-party service provider or Managed Service Provider (MSP). If the service is hosted on premises, the organization will be responsible for implementing measures to comply with all applicable Administrative, Physical, and Technical Safeguards of the HIPAA Security Rule.
If the email service is subcontracted to a third-party service provider or Managed Service Provider, the responsibility for security when you send a HIPAA compliant email is shared between the organization and the service vendor. However, in all circumstances it is necessary to enter into a Business Associate Agreement with the service vendor and to provide members of the workforce with HIPAA security awareness training in accordance with §164.306.
When Exceptions Exist to the Security Requirements
Exceptions to the security requirements when you send a HIPAA compliant email exist when an organization uses channels of communication other than email to send and receive PHI (e.g., a combination of secure portals and secure messaging), and an individual exercises their HIPAA rights to request a copy of their PHI by email, to transfer PHI to another healthcare provider by email, or to request confidential communications by email.
In all three cases, organizations are required to accommodate reasonable requests, and an email sent via a non-compliant channel of communication would still be considered a HIPAA compliant email in these circumstances. However, HIPAA covered entities are advised to warn the patient of the risks of transmitting PHI over unsecured email, document the warning, and request confirmation from the patient in writing that they still want to proceed via email.
HIPAA covered entities and business associates with questions about how to send a HIPAA compliant email are advised to speak with an independent compliance professional. Members of the workforce with questions about the privacy requirements for HIPAA compliant email should speak with their HIPAA Privacy Officer for further advice before agreeing to an exception, as different organizations have different policies for how to respond in such events.